DotNetNuke (DNN) ImageHandler <9.2.0 - Server-Side Request Forgery
DotNetNuke (aka DNN) before 9.2.0 suffers from a server-side request forgery vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources. Template metadata: id: CVE-2017-0929; info: name: DotNetNuke DNN ImageHandler 9.2.0 - Server-Side Request Forgery; author...
GitLab - Account Takeover via Password Reset
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to a...
Brave Android 1.90.128 Security Fixes
Fix wallet provider binding issue as reported on HackerOne by shinchan69. Upgraded Chromium to 148.0.7778.217 — refer to Google Chrome advisories for inherited CVEs...
Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution
The Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2 is susceptible to a difficult-to-exploit vulnerability that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic...
Broken Object Level Authorization in the Wild: An Empirical Taxonomy from 100+ Bug Bounty Disclosures
Broken Object Level Authorization (BOLA) is consistently ranked the most critical API security vulnerability, yet the existing literature remains almost entirely conceptual. This paper presents one of the first large-scale empirical analyses of BOLA in publicly disclosed bug bounty reports. We...
Beyond Findings: Connecting Exploitable Risk to Cloud Context with Wiz and HackerOne
See proven, exploitable risk in the context of your full cloud environment...
name-Omni
Omni – Autonomous Red Team Lead & Bug Bounty Hunter Powered...
Advanced-AI-Recon-and-Exploit-Framework
reNgine: The Ultimate Web Reconnaissance & Vulnerability Scanner...
GHSA-VP62-R36R-9XQP Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
Claude Code's sandbox did not prevent sandboxed processes from creating symlinks that point to locations outside the workspace. When Claude Code subsequently wrote to a path beneath such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace...
Weblate: Improper access control for the translation memory in API
Impact The translation memory API exposed unintended endpoints, which in turn didn't do proper access control. Patches https://github.com/WeblateOrg/weblate/pull/18513 Workarounds Blocking access to /api/memory/ in the HTTP server removes access to this feature. References This issue was reported...
HackerOne: CVE-2026-21637 TLS PSK/ALPN Callback Exceptions Bypass Error Handlers
CVE-2026-21637 concerns a vulnerability in Node.js TLS error handling that allows remote attackers to crash or exhaust the resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass the standard TLS error handling paths (tlsClientError...
Malicious code in emd-ext (PyPI)
Source: kam193 8533b4542459021adb6dac35adcdda6eac7103c09dc091b7699c72d1d16101e2. Dependency confusion attempt. The user identifies themselves as a HackerOne user abusing PyPI for the purpose of a bug bounty program. This package did not...
MAL-2026-2536 Malicious code in yhaplo1 (PyPI)
Source: kam193 ea4e6c1525395c0b55d0de437d61b31250561c4901199518e13cd28fe15f232f. Dependency confusion attempt. The user identifies themselves as a HackerOne user abusing PyPI for the purpose of a bug bounty program. This package did not...
MAL-2026-2531 Malicious code in bonsaitree1 (PyPI)
Source: kam193 0c35db41a5cf0a0671b33adf698777ebb63055a4f5ab3076bf3ed563a875cbb6. Dependency confusion attempt. The user identifies themselves as a HackerOne user abusing PyPI for the purpose of a bug bounty program. This package did not...
Malicious code in siempyl-sumo (PyPI)
Source: kam193 493e667735febe5b3e4cd2cc47ae0b5a09ddacf051dc2804e5e742574ceb5ec4. Dependency confusion attempt. The user identifies themselves as a HackerOne user abusing PyPI for the purpose of a bug bounty program. This package did not...
MAL-2026-2535 Malicious code in ttam (PyPI)
Source: kam193 2925c78ff71ef8aee744b1b6b4fa9b5cef3b6ae018447d29ba5e63fe43ad01c1. Dependency confusion attempt. The user identifies themselves as a HackerOne user abusing PyPI for the purpose of a bug bounty program. This package did not...
Malicious code in phasedibd (PyPI)
Source: kam193 8d514af72edb0054d9c5ff73f59a8517927dc660a5a58c8a03baf8abc5b22365. Dependency confusion attempt. The user identifies themselves as a HackerOne user abusing PyPI for the purpose of a bug bounty program. This package did not...