HackerOne Recent

15267 matches found

Hacker One, added 2025/06/27 9:16 p.m., 6 views

Bykea: Critical Information Disclosure via /talos/api/v1/files/upload

A vulnerability was discovered in the file upload functionality, where uploaded files were first stored on the server before being sent to S3. Due to a configuration flaw, memory chunks from the server were included in some uploaded files. This issue was classified as critical and was addressed a...

AI score 6.9, exploits 0
Hacker One, added 2025/06/27 3:56 p.m., 5 views

SingleStore: Exceeding the limit of Workspaces via Race Condition

The reporter discovered a race condition vulnerability in backend.singlestore.com that allowed free-tier users to bypass the 5-workspace limit by sending multiple simultaneous CreateWorkspace requests. This issue was patched by SingleStore as of October 3rd, 2025...

AI score 6.8, exploits 0
Hacker One, added 2025/06/27 9:42 a.m., 15 views

curl: arbitrary file read via `file://` path traversal with `--path-as-is`

Summary: Using --path-as-is with a file:// URL skips normalization of .. segments allowing reading of any local file the process can access Affected version curl 8.15.0-DEV commit 2a9dfe275, June 27, 2025 on Kali Linux 2024.3, x86_64 Steps To Reproduce: 1. build curl with debug and ASan: git clon...

AI score 6.6, exploits 0
Hacker One, added 2025/06/26 9:10 p.m., 18 views

curl: OS Command Injection in scripts/firefox-db2pem.sh via untrusted certificate nicknames

On AI usage: Only for grammar/formatting suggestions/POC code troubleshooting; all vulnerability discovery, POC code creation, and analysis were done manually. Hey folks, I noticed something I think is worth bringing to you-- scripts/firefox-db2pem.sh helper in the curl source uses eval certutil ...

AI score 7.8, exploits 0
Hacker One, added 2025/06/25 2:50 p.m., 15 views

SingleStore: Exceed the maximum number of subscribers using Race Condition

A race condition vulnerability was discovered in the SingleStore control panel that allowed bypassing the maximum limit of five subscribers for alerts. The issue was patched and deployed to production...

AI score 7, exploits 0
Hacker One, added 2025/06/25 2:34 a.m., 9 views

SingleStore: IDOR - Scheduled data leak to other accounts By "projectID"

The Insecure Direct Object Reference IDOR vulnerability was discovered in the GetNotebookScheduledPaginatedJobs endpoint on backend.singlestore.com. The API failed to verify the requestor's permission to access the specified project, allowing an authenticated user to access scheduled job...

AI score 6.4, exploits 0
Hacker One, added 2025/06/24 12:59 p.m., 13 views

AWS VDP: Remote Code Execution in Amazon MWAA due to outdated Apache Airflow version

Explanation: I am a penetration tester working with Siemens. During a collaborative security assessment with an internal team, I discovered a Remote Code Execution RCE vulnerability in an Amazon Managed Workflows for Apache Airflow MWAA environment. I initially reported this issue to the AWS...

CVSS 8.8, AI score 9.1, EPSS 0.00128, exploits 0
Hacker One, added 2025/06/20 10:32 a.m., 27 views

curl: Credential leak on redirect due to improper state clearing when parsing macdef in netrc.c

Summary: When parsing a .netrc file, the macdef keyword fails to clear previously loaded credentials. If a redirect follows, these credentials are leaked to the new host. This is a new variant of CVE-2024-11053, triggered by a different code path 'macdef' instead of 'default'. No, this...

CVSS 3.4, AI score 7, EPSS 0.01399, exploits 1
Hacker One, added 2025/06/19 6:54 p.m., 19 views

curl: Sensitive information disclosure with malicious netrc file

libcurl at commit 879b6075a1132c137920060ed262b3f5a58c18c2 contains a vulnerability where it can be coerced into reading over the boundaries of a heap-chunk and sending the resulting data over the network to an attacker. This can lead to a disclosure of sensitive data, including pointers or other...

AI score 6.7, exploits 0
Hacker One, added 2025/06/19 5:24 p.m., 6 views

Cloudflare Public Bug Bounty: `use-mcp`'s oauth2 process uses a window.open call with untrusted mcp server provided data allowing for code execution under the page using it

The authorizeEndpoint parameter from use-mcp version was susceptible to XSS. Sanitization of that parameter was added in version 0.0.10 of use-mcp. A skilled attacker was able to turn this XSS into code execution on the client...

AI score 7, exploits 0
Hacker One, added 2025/06/19 9:13 a.m., 7 views

Omise: PII Exposure via Email Confirmation Link – Email Embedded in Token & Leaked via Wayback Machine

The vulnerability involved the exposure of personally identifiable information PII, specifically email addresses, through an email confirmation link used by Omise. The email address was embedded directly in a token that was visible in the URL. This token was subsequently archived by the Wayback...

AI score 6.7, exploits 0
Hacker One, added 2025/06/17 11:40 p.m., 5 views

U.S. Dept Of Defense: Reflected XSS via user parameter on getconfig.esp endpoint

The getconfig.esp endpoint was found to reflect unsanitized user input provided in the user parameter directly into the HTML response, resulting in a Reflected Cross-Site Scripting XSS vulnerability. The affected product was Fortinet SSL VPN FortiOS version 3.0.1-10...

CVSS 6.9, AI score 5.9, EPSS 0.02005, exploits 7
Hacker One, added 2025/06/17 8:04 p.m., 8 views

AWS VDP: XSS on Amazon Acquisition: elemental

The XSS vulnerability on Amazon's acquisition of Elemental was identified and addressed. The summary provided a brief overview of the issue...

AI score 6.2, exploits 0
Hacker One, added 2025/06/17 2:15 p.m., 5 views

U.S. Dept Of Defense: Reflected XSS via user Parameter in /ssl-vpn/getconfig.esp

A reflected Cross-Site Scripting XSS vulnerability was discovered in the user parameter of the /ssl-vpn/getconfig.esp endpoint. This allowed an attacker to inject and execute arbitrary JavaScript in a user's browser. The vulnerability was found on a .mil domain associated with a VPN configuration...

AI score 6.1, exploits 0
Hacker One, added 2025/06/17 12:54 p.m., 4 views

U.S. Dept Of Defense: Reflected XSS via user Parameter on getconfig.esp Endpoint

A reflected Cross-Site Scripting XSS vulnerability was discovered in the /ssl-vpn/getconfig.esp endpoint, where user input in the 'user' parameter was not properly sanitized and allowed the injection of arbitrary JavaScript. This could have enabled remote attackers to execute malicious scripts in...

AI score 6.5, exploits 0
Hacker One, added 2025/06/13 5:23 a.m., 32 views

Automattic: Woocommerce SQL Injection in WC_Report_Coupon_Usage

A SQL injection vulnerability was found in the WooCommerce plugin version 9.9.3. The vulnerable parameter was 'couponcodes' in the '/wp-admin/admin.php?page=wc-reports&tab=orders&report=couponusage' endpoint. The vulnerability required the privilege to view reports...

AI score 8.1, exploits 0
Hacker One, added 2025/06/12 4:59 p.m., 143 views

Hemi VDP: WordPress Version Exposure via ███████ on hemi.xyz

The WordPress CMS version was exposed in the XML file at https://hemi.xyz███. This disclosure allowed attackers to fingerprint the CMS version...

AI score 6.9, exploits 0
Hacker One, added 2025/06/10 6:39 a.m., 8 views

MainWP: Reflected XSS in "Cost Tracker" Notes Field

The reflected Cross-Site Scripting XSS vulnerability was discovered in the "Notes" input field of the Cost Tracker section in MainWP Version 5.4.0.11. Arbitrary user input in this field was reflected back and executed immediately upon saving, due to the lack of proper input sanitization and outpu...

AI score 5.9, exploits 0
Hacker One, added 2025/06/10 2:55 a.m., 5 views

Monero: Connection Count Bug in Monero Node Enables Outbound Peer Reset Attack

A vulnerability was disclosed that could cause a Monero node's outbound connections to be dropped. The vulnerability was caused by a flaw in how the node incorrectly counted the number of current outbound connections. An attacker could exploit this flaw to trick the node into mistakenly believing...

AI score 5.8, exploits 0
Hacker One, added 2025/06/09 11:56 p.m., 5 views

Mars: Order More Than Maximum Allowed Quantity

The business logic vulnerability allowed users to bypass the product quantity limits 1-20 items through parameter manipulation. While the user interface enforced these limits, the necessary server-side validation was missing...

AI score 6.9, exploits 0
Hacker One, added 2025/06/09 12:16 p.m., 7 views

curl: Arbitrary File Read via Unsanitized curl Usage Results in Sensitive File Exposure

Hello team, First of all, your open report policy has improved me a lot. Your very caring team has motivated me a lot. A real bug bounty program. I hope I can contribute something to you with this report. Thank you. The application uses curl in a way that allows an attacker to specify arbitrary fi...

AI score 7, exploits 0
Hacker One, added 2025/06/09 6:19 a.m., 5 views

pixiv: Non-premium user can disable Ads in Japanese version of dic.pixiv.net

A vulnerability was identified in the Japanese version of the pixiv dictionary website where non-premium users could disable advertisements. Normally, the ability to disable ads was restricted to premium users only. However, due to improper access control, any authenticated user could modify thei...

AI score 5.4, exploits 0
Hacker One, added 2025/06/08 2:54 p.m., 4 views

Omise: Cache Pollution via Unkeyed GET Parameters on www.omise.co

The CDN serving the website appeared to cache pages based on the full URL, including arbitrary query parameters, without normalizing or properly keying them. This behavior resulted in cache pollution, where the cache was filled with redundant versions of the same page...

AI score 5.8, exploits 0
Hacker One, added 2025/06/06 10:36 p.m., 7 views

MainWP: Reflected XSS in "Manage Tags" Notes Field

A reflected Cross-Site Scripting XSS vulnerability was discovered in the "Notes" input field under the Manage Tags section. Arbitrary input entered into this field was reflected back and executed immediately upon saving, due to the lack of proper input sanitization and output encoding...

AI score 5.9, exploits 0
Hacker One, added 2025/06/06 10:31 p.m., 8 views

MainWP: Reflected XSS in "Client Notes" Field

A reflected Cross-Site Scripting XSS vulnerability was discovered in the "Notes" functionality under the Edit Client section. User input in the notes input field was not properly sanitized or encoded, allowing malicious JavaScript payloads to be reflected back in the application's HTML response...

AI score 5.3, exploits 0
Hacker One, added 2025/06/06 11:16 a.m., 195 views

Lichess: Path Traversal Vulnerability in Lila Project

A path traversal vulnerability was discovered in the Lila project that allowed an attacker to access arbitrary files on the server by manipulating user-supplied input to traverse outside the intended directory structure...

AI score 7.1, exploits 0
Hacker One, added 2025/06/06 6:50 a.m., 9 views

Nintendo: Man-in-the-middle through broken SSL certificate verification

The vulnerability allowed for man-in-the-middle attacks through broken SSL certificate verification...

AI score 6.9, exploits 0
Hacker One, added 2025/06/06 1:26 a.m., 8 views

curl: Failure to strip Proxy-Authorization header on change in origin

Summary: Failure to strip Proxy-Authorization header on change in origin. AI was not used. I maintain the PHP Guzzle HTTP package which uses curl, and noticed we have the same issue as curl in this regard. I was made aware of this issue when golang patched something similar a few hours ago:...

CVSS 6.8, AI score 8.6, EPSS 0.00074, exploits 0
Hacker One, added 2025/06/05 8:02 p.m., 4 views

Weblate: exposure of personal IP address via email.

The exposure of personal IP addresses through email messages has been identified as a potential security issue. Email messages can pass through multiple servers, which may store or record the content, including the user's IP address, even if the email is encrypted during transit. The user's IP...

AI score 6.8, exploits 0
Hacker One, added 2025/06/05 2:23 p.m., 11 views

MainWP: Reflected XSS in "Create Category" Functionality of Post Creation Module

A reflected Cross-Site Scripting XSS vulnerability was identified in the "Create Category" feature of the post creation functionality. When a user entered a malicious JavaScript payload in the Category Name field, the input was reflected and executed immediately after submission. However, this XS...

AI score 5.3, exploits 0
Hacker One, added 2025/06/05 11:26 a.m., 24 views

HackerOne: Account takeover of existing HackerOne accounts through SCIM provisioning

The SCIM provisioning feature in HackerOne's sandbox program was vulnerable to account takeover. An attacker could create a user with an email they controlled, import existing users, assign the victim account to the attacker's user, change the email parameter, and reset the password to gain acces...

AI score 7.5, exploits 0
Hacker One, added 2025/06/04 9:13 a.m., 11 views

MainWP: Stored Cross-Site Scripting (XSS) in "Add Contact" Name Field – MainWP Plugin

A stored cross-site scripting XSS vulnerability was discovered in the MainWP WordPress plugin. The vulnerability was found in the "Add Contact" Contact Name field, where user input was not properly sanitized before rendering it back into the DOM. As a result, an attacker could inject malicious...

AI score 5.6, exploits 0
Hacker One, added 2025/06/03 7:27 p.m., 6 views

PortSwigger Web Security: DNS Rebinding SSRF in Burp Suite MCP Server Enables Internal Network Access via send_http1_request Tool

The Burp Suite MCP Model Context Protocol server was vulnerable to a DNS rebinding attack. This allowed malicious websites to connect to the victim's local MCP server, use the send_http1_request tool to make arbitrary HTTP requests, and access internal networks, localhost services, and cloud metada...

AI score 6.7, exploits 0
Hacker One, added 2025/06/03 2:51 p.m., 254 views

Lichess: ImageId Format Injection in Image Upload Endpoint

The image upload endpoint in the Lichess application did not properly validate the 'rel' parameter, allowing an attacker to inject special characters that broke the expected format of the generated ImageId. This could have led to parsing issues in other parts of the application that relied on the...

AI score 7, exploits 0
Hacker One, added 2025/06/03 10:50 a.m., 7 views

Mozilla: Bypass "No Links" Restriction in Biography via Protocol-Relative URL (//)

The report identifies a bypass vulnerability in the biography field on addons.allizom.org. Despite the application's policy against allowing links, it was possible to embed functional hyperlinks using protocol-relative URLs //evil.com. This violation of the declared application policy was achieve...

AI score 7, exploits 0
Hacker One, added 2025/06/02 4:11 p.m., 4 views

Mars: No Rate Limiting on Password Attempts After Insecure Registration Flow causes ATO

An authentication vulnerability was identified that lacked rate limiting controls on password attempts. The flaw allowed unlimited brute force attacks against user accounts without triggering security measures. Attackers could perform consecutive password attempts and distinguish successful...

AI score 5.6, exploits 0
Hacker One, added 2025/05/30 9:25 a.m., 7 views

HackerOne: Residual Malicious Payloads on HackerOne after Vulnerability Fixes

A vulnerability was previously discovered on the HackerOne platform that allowed users to add malicious payloads to their profile pages. Despite remediation efforts, some of these malicious payloads were not fully removed from user profiles. This situation meant that the malicious content could...

AI score 5.8, exploits 0
Hacker One, added 2025/05/30 3:38 a.m., 306 views

curl: CVE-2025-5399: WebSocket endless loop

The function curl_ws_send in libcurl contains an infinite loop that can be triggered by a malicious server under specific circumstances. The loop is caused by a condition in the code that is not properly handled, leading to the function failing to terminate. This vulnerability was discovered in the...

CVSS 7.5, AI score 7.2, EPSS 0.00566, exploits 1
Hacker One, added 2025/05/29 11:40 a.m., 5 views

U.S. Dept Of Defense: Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ██████████

A Cross-Site Scripting XSS vulnerability was identified in an ASP.NET web application. The issue arose from improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the conte...

AI score 6.2, exploits 0
Hacker One, added 2025/05/29 11:38 a.m., 4 views

U.S. Dept Of Defense: Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ██████

A Cross-Site Scripting XSS vulnerability was identified in an ASP.NET web application. The issue arose from improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the conte...

AI score 6.2, exploits 0
Hacker One, added 2025/05/29 11:37 a.m., 4 views

U.S. Dept Of Defense: Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ███████

A Cross-Site Scripting XSS vulnerability was discovered in an ASP.NET web application. The issue was caused by improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed the injection of arbitrary JavaScript payloads that could execute ...

AI score 6.3, exploits 0
Hacker One, added 2025/05/29 11:34 a.m., 3 views

U.S. Dept Of Defense: Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ███████

A Cross-Site Scripting XSS vulnerability was identified in an ASP.NET web application. The issue arose from improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the conte...

AI score 6.2, exploits 0
Hacker One, added 2025/05/29 11:32 a.m., 4 views

U.S. Dept Of Defense: Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ████

A Cross-Site Scripting XSS vulnerability was identified in an ASP.NET web application. The issue was caused by improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the...

AI score 6.2, exploits 0
Hacker One, added 2025/05/28 9:36 a.m., 316 views

Lichess: Server-Side Request Forgery (SSRF) via Game Export API

The Lichess game export API was found to be vulnerable to Server-Side Request Forgery SSRF due to insufficient input validation of the "players" parameter. This allowed an attacker to make the Lichess server send arbitrary HTTP requests to external URLs, potentially exposing sensitive information...

AI score 7.1, exploits 0
Hacker One, added 2025/05/25 3:43 a.m., 7 views

Shopify: Session Persistence Designed to Keep Users Logged In Across Multiple Devices (Intended Behaviour)

Summary: Hi, After logging out of the application, the session associated with the user is not invalidated server-side. An attacker with access to the session cookie prior to logout can reuse the same cookie to re-authenticate, effectively bypassing the logout process and regaining access to the...

AI score 6.8, exploits 0
Hacker One, added 2025/05/23 11:57 p.m., 21 views

Node.js: Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

An incomplete fix has been identified for a vulnerability affecting Windows device names in the path.normalize function in Node.js. The vulnerability allows path traversal protection to be bypassed on devices such as CON, PRN, and AUX...

CVSS 7.5, AI score 7, EPSS 0.06002, exploits 5
Hacker One, added 2025/05/23 2:55 p.m., 107 views

Lichess: Improper Authentication Throttling Allows Attacker-Controlled Account Lockouts

The application lacks sufficient safeguards in its authentication throttling logic. It permits arbitrary users to trigger lockouts on any account by submitting multiple failed login attempts using a known or guessed username. Because the system does not verify the request origin or impose...

AI score 7, exploits 0
Hacker One, added 2025/05/23 7:52 a.m., 7 views

Nextcloud: Information disclosure via Desktop client when attempting to lock a file inside an end-to-end encrypted directory

A security vulnerability was discovered in the desktop client of a file-sharing application. The vulnerability allowed information disclosure when attempting to lock a file inside an end-to-end encrypted directory...

CVSS 2.7, AI score 6, EPSS 0.00032, exploits 0
Hacker One, added 2025/05/22 1:15 a.m., 619 views

curl: Memory Leak in libcurl via Location Header Handling (CWE-770)

Summary: This report details a memory leak vulnerability in libcurl that occurs when processing HTTP 3xx redirect responses containing a Location: header. Specifically, the memory allocated for the Location: header's value is not properly deallocated when the Curl_easy handle is reused for...

AI score 7.1, exploits 0
Hacker One, added 2025/05/21 3:55 a.m., 8 views

curl: Heap buffer overflow vulnerability in conncache.c: incorrect use of pointer arrays resulting in out-of-bounds memory writes.

In the conncache.c file, the cpool_bundle structure incorrectly uses a pointer array char *dest[1] instead of a flexible array char dest[] to store string data, leading to a heap buffer overflow when calling memcpy in the cpool_bundle_create function. Impact Summary: The vulnerability is a heap buffer...

AI score 8.3, exploits 0
Total number of security vulnerabilities: 15267