129 matches found
JLSEC-2026-617 Open redirect in the HTTP.jl static file server canonical redirects
Description The static file server's canonical 301 redirects index-file strip, directory trailing-slash add, and file trailing-slash strip built the Location header verbatim from the un-normalized request target. Request-target validation only requires a leading /, has no CTL bytes, and the...
A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure
In recent weeks several zero-day vulnerabilities have been publicly disclosed. The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk...
coordinated-disclosure
coordinated-disclosure A Claude Code skill + plugin marketpla...
Congratulations to the MSRC 2025 Most Valuable Security Researchers!
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s Most Valuabl...
freemmorpglist.com Cross Site Scripting vulnerability OBB-4041246
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
How MSRC coordinates vulnerability research and disclosure while building community
In an era where discovering and rapidly mitigating security vulnerabilities is more important than ever before, the Microsoft Security Response Center MSRC is at the center of this work. MSRC focuses on investigating vulnerabilities, coordinating their disclosure, and releasing security updates t...
Congratulations to the MSRC 2024 Most Valuable Security Researchers!
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s 100 Most...
sagemaker-python-sdk Command Injection vulnerability
Impact The capturedependencies function in sagemaker.serve.saveretrive.version100.save.utils module before version 2.214.3 allows for potentially unsafe Operating System OS Command Injection if inappropriate command is passed as the “requirementspath” parameter. This consequently may allow an...
“Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps
Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s home directory. The implications of this vulnerability pattern include arbitrary code...
karriereundfamilie.com Cross Site Scripting vulnerability OBB-3897599
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
chanlist.xyz Cross Site Scripting vulnerability OBB-3896828
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
cesar.or.at Cross Site Scripting vulnerability OBB-3896553
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
romdb.vampier.net Cross Site Scripting vulnerability OBB-3886975
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
cosplaywho.com Cross Site Scripting vulnerability OBB-3852524
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
greenbeltmovement.org Cross Site Scripting vulnerability OBB-3811155
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
mannav.com Improper Access Control vulnerability OBB-3804521
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
ngobox.org Cross Site Scripting vulnerability OBB-3804192
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
lars-danielsson.com Improper Access Control vulnerability OBB-3803123
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
camptecnologico.com Improper Access Control vulnerability OBB-3794959
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Celebrating ten years of the Microsoft Bug Bounty program and more than $60M awarded
This year marks the tenth anniversary of the Microsoft Bug Bounty Program, an essential part of our proactive strategy to protect customers from security threats. Since its inception in 2013, Microsoft has awarded more than $60 million to thousands of security researchers from 70 countries. These...