HackerOne recent reports
15365 matches found

Hacker One, added 2026/05/07 7:48 a.m., 16 views

curl: Shared HSTS cache accessed without lock

This is finding F5 in Andrew's report https://github.com/curl/curl/blob/455bebc2c7/lib/hsts.c#L160-L168 https://github.com/curl/curl/blob/455bebc2c7/lib/http.c#L3571 https://github.com/curl/curl/blob/455bebc2c7/lib/url.c#L1441 https://github.com/curl/curl/blob/455bebc2c7/lib/url.c#L265...

CVSS 5.9, AI score 7.5, EPSS 0.01856
Exploits: 1
Hacker One, added 2026/05/07 6:58 a.m., 9 views

curl: CVE-2026-8286: wrong STARTTLS connection reuse

A vulnerability was found in the Curl library that allowed a plain-text connection to reuse an existing SSL-upgraded connection without verifying the SSL configuration. This could lead to a man-in-the-middle attack if an attacker was able to intercept the initial STARTTLS upgrade. The issue was...

CVSS 7.5, AI score 6.6, EPSS 0.02596
Exploits: 1
Hacker One, added 2026/05/06 9:23 p.m., 31 views

curl: CURLOPT_PROXY_CRLFILE / CURLOPT_PROXY_ISSUERCERT / CURLOPT_PROXY_ISSUERCERT_BLOB silently ignored on backends that don't support them

From the Mythos report 2026-05-06 F1. CURLOPT_PROXY_CRLFILE / CURLOPT_PROXY_ISSUERCERT / CURLOPT_PROXY_ISSUERCERT_BLOB silently ignored on backends that don't support them — severity Low https://github.com/curl/curl/blob/455bebc2c7/lib/setopt.c#L1786-L1797...

CVSS 6.5, AI score 6.5, EPSS 0.01299
Exploits: 3
Hacker One, added 2026/05/06 7:20 p.m., 23 views

curl: mbedTLS private-key blob null-termination asymmetry in lib/vtls/mbedtls.c (mbed_load_privkey)

Summary: In lib/vtls/mbedtls.c, function mbed_load_privkey (lines 653-738) passes raw ssl_key_blob->data and ssl_key_blob->len directly to mbedtls_pk_parse_key at lines 706-708 (mbedTLS 4.x branch) and 718-722 (mbedTLS 3.x branch), without ensuring null-termination. The mbedTLS API contract for mbedtls_pk_parse_key...

AI score 5.7
Exploits: 0
Hacker One, added 2026/05/06 7:15 p.m., 15 views

PortSwigger Web Security: UI Consent Bypass via Comma Injection in `addAutoApproveTarget` — User-Approval Dialog and Persistence Layer Disagree on Target Scope, Yielding Authen

A vulnerability was discovered in Burp Suite MCP Server BApp v1.2.1 where the addAutoApproveTarget function failed to validate the hostnames passed to it. This allowed a malicious MCP client to inject a comma-separated hostname, which was then persisted as multiple independent allow-list entries...

AI score 5.4
Exploits: 0
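
The pattern behind the report above, as an added example in C that is not PortSwigger's or the BApp's code: the same strict hostname check runs before the consent dialog and before persistence, so the string the user approves is the single entry stored, and a comma can no longer turn one approval into several allow-list entries. The function names, the fixed-size store and the sample input are assumptions made for illustration.

```c
/* Added example, not PortSwigger's or the BApp's code: a hostname allow-list
 * that validates an auto-approve target once, before the consent dialog and
 * before persistence, so the entry the user approves is the entry stored.
 * Function names, the fixed-size store and the sample inputs are ours. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
#define ENTRY_LEN 256

/* The weak persistence behaviour described above: the approved string is
 * split on commas when written out, so "trusted.example,evil.example"
 * (shown to the user as one target) becomes two independent entries. */
static int split_persisted_targets(const char *value,
                                   char out[MAX_ENTRIES][ENTRY_LEN])
{
  int n = 0;
  const char *p = value;
  while(*p && n < MAX_ENTRIES) {
    const char *comma = strchr(p, ',');
    size_t len = comma ? (size_t)(comma - p) : strlen(p);
    if(len >= ENTRY_LEN)
      len = ENTRY_LEN - 1;
    memcpy(out[n], p, len);
    out[n][len] = '\0';
    n++;
    if(!comma)
      break;
    p = comma + 1;
  }
  return n;
}

/* Strict check: exactly one DNS hostname, optionally with a leading "*."
 * wildcard label. Rejects separators (',', ' ', ';', '/'), empty labels,
 * labels starting or ending with '-', and over-long names or labels. */
static bool is_single_hostname(const char *s)
{
  size_t label_len = 0;
  if(!*s || strlen(s) > 253)
    return false;
  if(strncmp(s, "*.", 2) == 0)
    s += 2;
  if(!*s)
    return false;
  for(; *s; s++) {
    unsigned char c = (unsigned char)*s;
    if(c == '.') {
      if(label_len == 0 || s[-1] == '-')
        return false;
      label_len = 0;
    }
    else if(isalnum(c) || c == '-') {
      if(label_len == 0 && c == '-')
        return false;
      if(++label_len > 63)
        return false;
    }
    else
      return false;
  }
  return label_len > 0 && s[-1] != '-';   /* no trailing dot or hyphen */
}

/* Hardened add: refuse anything that is not one hostname, so the dialog and
 * the persistence layer can never disagree on the target's scope. */
static int add_auto_approve_target(const char *requested,
                                   char store[MAX_ENTRIES][ENTRY_LEN],
                                   int *count)
{
  if(!is_single_hostname(requested) || *count >= MAX_ENTRIES)
    return -1;
  strcpy(store[*count], requested);     /* validated: at most 253 bytes */
  (*count)++;
  return 0;
}

/* How many entries each path would persist for one approved string. */
static int naive_entry_count(const char *approved)
{
  char out[MAX_ENTRIES][ENTRY_LEN];
  return split_persisted_targets(approved, out);
}

static int hardened_entry_count(const char *requested)
{
  char store[MAX_ENTRIES][ENTRY_LEN];
  int count = 0;
  add_auto_approve_target(requested, store, &count);
  return count;
}

int main(void)
{
  const char *injected = "trusted.example,evil.example";   /* constructed */
  printf("naive: %d entries, hardened: %d entries\n",
         naive_entry_count(injected), hardened_entry_count(injected));
  return 0;
}
```

The fix is deliberately placed at the API boundary rather than at the split: once the string passed to the add function can only ever be one hostname, the dialog text and the persisted entry are the same value by construction, and no later parser can widen the scope.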
Hacker One, added 2026/05/05 2:20 a.m., 20 views

Rocket.Chat: IDOR: autotranslate.translateMessage Full Message Content Leak

The /api/v1/autotranslate.translateMessage endpoint allowed any authenticated user to retrieve the full content of any message from any room, including private groups, direct messages, and channels. The endpoint fetched the message without performing a room access check, returning the complete...

CVSS 5.3, AI score 5.8, EPSS 0.00252
Exploits: 0
Hacker One, added 2026/05/04 1:51 p.m., 28 views

curl: MQTT CONNACK Packet Type Bypass leads to RCE via Malicious Broker

Summary: mqtt_verify_connack in lib/mqtt.c never checks that the received packet type is actually a CONNACK (0x20). The constant MQTT_MSG_CONNACK is commented out at line 45, making the check impossible to write. A malicious broker can send any packet — e.g. PUBACK (0x40) — with remaining_length=2 and...

AI score 6.3
Exploits: 0
Hacker One, added 2026/05/04 1:17 p.m., 18 views

PortSwigger Web Security: Burp Suite Professional: browser-powered crawl can write attacker-controlled files through file input handling

A vulnerability was discovered in Burp Suite Professional 2026.3.3 on Windows. When Burp Scanner's browser-powered crawler crawled an attacker-controlled website, the website could force Burp to write an attacker-controlled file to an attacker-controlled local path. The issue was caused by Burp's...

AI score 5.4
Exploits: 0
Hacker One, added 2026/05/03 6:34 a.m., 17 views

curl: Potential Resource Leak in tool_parsecfg.c at line 279 during fileerror

Summary: A resource leak was identified in src/tool_parsecfg.c using the Clang Static Analyzer. When a file error occurs (fileerror is true) during config parsing, the function returns PARAM_READ_ERROR without ensuring the file stream is properly closed, leading to a potential file descriptor leak...

AI score 5.8
Exploits: 0
Hacker One, added 2026/05/02 4:25 a.m., 18 views

curl: wcurl treats some URL operands after -- as curl options

I found that wcurl does not always keep operands after -- in a pure URL-data context. The documented way to pass curl options through wcurl is --curl-options, but a value supplied as a URL operand can still reach the final curl command as an option, for example wcurl -- "--url=file:///...". A...

AI score 6.3
Exploits: 0
Hacker One, added 2026/05/01 5:32 p.m., 27 views

curl: libcurl 8.20.0 incomplete fix for CVE-2026-7168: changing only CURLOPT_PROXYPORT leaks stale Proxy Digest auth to a different proxy

Summary: I found an incomplete-fix variant of CVE-2026-7168 in curl 8.20.0. The 8.20.0 fix clears state.proxydigest / state.authproxy when CURLOPT_PROXY changes, but not when only CURLOPT_PROXYPORT changes. On the same easy handle, request 1 through proxyA (CURLOPT_PROXYPORT=18197) learns Proxy Digest...

CVSS 5.3, AI score 5.8, EPSS 0.00471
Exploits: 1
Hacker One, added 2026/04/29 7:44 a.m., 29 views

curl: MQTT state machine confusion: PINGRESP/DISCONNECT with non-zero remaining_length dispatches to stale nextstate

Summary: In lib/mqtt.c, the state machine in mqtt_doing (lines 894-911 in curl 8.20.0) does not validate that PINGRESP (0xD0) and DISCONNECT (0xE0) packets have remaining_length == 0 as required by MQTT 3.1.1 spec sections 3.13.1 and 3.14.1. A malicious broker can send a PINGRESP fixed header with non-ze...

AI score 5.8
Exploits: 0
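
The two MQTT reports above (the CONNACK type bypass and the PINGRESP/DISCONNECT remaining-length confusion) describe the same missing step: checking the fixed header before acting on the packet. The following is an added example in C, not curl's lib/mqtt.c, that parses an MQTT 3.1.1 fixed header and applies both checks; the constants, enum, function names and the sample packets are assumptions made for illustration, and the sample bytes are constructed rather than captured.

```c
/* Added example, not curl's lib/mqtt.c: parse an MQTT 3.1.1 fixed header and
 * apply the two checks the reports above say are missing. The packet that
 * answers CONNECT must be a CONNACK (0x20) with remaining length exactly 2,
 * and PINGRESP (0xD0) / DISCONNECT (0xE0) must have remaining length 0.
 * Constants, enum, function names and sample packets are ours. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MQTT_MSG_CONNACK    0x20
#define MQTT_MSG_PINGRESP   0xD0
#define MQTT_MSG_DISCONNECT 0xE0

enum mqtt_verdict {
  MQTT_OK = 0,
  MQTT_ERR_SHORT,        /* need more bytes before deciding */
  MQTT_ERR_BAD_VARINT,   /* remaining length uses more than 4 bytes */
  MQTT_ERR_WRONG_TYPE,   /* not the packet type this state expects */
  MQTT_ERR_BAD_FLAGS,    /* reserved flag bits must be 0 for these types */
  MQTT_ERR_WRONG_REMLEN  /* remaining length not allowed for this type */
};

/* Decode the fixed header: control byte, then a 1..4 byte variable-length
 * remaining length. Returns the header size, or 0 with *err set. */
static size_t mqtt_fixed_header(const uint8_t *buf, size_t len, uint8_t *type,
                                uint8_t *flags, uint32_t *remlen,
                                enum mqtt_verdict *err)
{
  size_t i = 1;
  uint32_t value = 0, mult = 1;
  if(len < 1) { *err = MQTT_ERR_SHORT; return 0; }
  *type = buf[0] & 0xF0;
  *flags = buf[0] & 0x0F;
  for(;;) {
    uint8_t b;
    if(i > 4) { *err = MQTT_ERR_BAD_VARINT; return 0; }  /* spec: max 4 bytes */
    if(i >= len) { *err = MQTT_ERR_SHORT; return 0; }
    b = buf[i++];
    value += (uint32_t)(b & 0x7F) * mult;
    if(!(b & 0x80))
      break;
    mult *= 128;
  }
  *remlen = value;
  *err = MQTT_OK;
  return i;
}

/* What the CONNECT state must verify before reading the two CONNACK bytes.
 * Without the type check, a PUBACK (0x40, also remaining length 2) would be
 * accepted as a successful connection. */
static enum mqtt_verdict mqtt_verify_connack(const uint8_t *buf, size_t len)
{
  uint8_t type, flags;
  uint32_t remlen;
  enum mqtt_verdict err;
  size_t hdr = mqtt_fixed_header(buf, len, &type, &flags, &remlen, &err);
  if(!hdr)
    return err;
  if(type != MQTT_MSG_CONNACK)
    return MQTT_ERR_WRONG_TYPE;
  if(flags)
    return MQTT_ERR_BAD_FLAGS;
  if(remlen != 2)
    return MQTT_ERR_WRONG_REMLEN;
  return len < hdr + 2 ? MQTT_ERR_SHORT : MQTT_OK;
}

/* Spec 3.13.1 / 3.14.1: no variable header and no payload, so a non-zero
 * remaining length is a protocol error, not a body to dispatch on. */
static enum mqtt_verdict mqtt_verify_bodyless(const uint8_t *buf, size_t len,
                                              uint8_t expected_type)
{
  uint8_t type, flags;
  uint32_t remlen;
  enum mqtt_verdict err;
  if(!mqtt_fixed_header(buf, len, &type, &flags, &remlen, &err))
    return err;
  if(type != expected_type)
    return MQTT_ERR_WRONG_TYPE;
  if(flags)
    return MQTT_ERR_BAD_FLAGS;
  return remlen == 0 ? MQTT_OK : MQTT_ERR_WRONG_REMLEN;
}

/* Constructed packets, not captured traffic. */
static const uint8_t good_connack[]        = { 0x20, 0x02, 0x00, 0x00 };
static const uint8_t puback_as_connack[]   = { 0x40, 0x02, 0x00, 0x01 };
static const uint8_t good_pingresp[]       = { 0xD0, 0x00 };
static const uint8_t pingresp_with_body[]  = { 0xD0, 0x02, 0x00, 0x00 };
static const uint8_t disconnect_bad_varint[] = { 0xE0, 0x80, 0x80, 0x80, 0x80, 0x01 };

int main(void)
{
  printf("CONNACK: %d, PUBACK-as-CONNACK: %d, PINGRESP+body: %d\n",
         mqtt_verify_connack(good_connack, sizeof good_connack),
         mqtt_verify_connack(puback_as_connack, sizeof puback_as_connack),
         mqtt_verify_bodyless(pingresp_with_body, sizeof pingresp_with_body,
                              MQTT_MSG_PINGRESP));
  return 0;
}
```

MQTT_ERR_SHORT is returned separately from the real errors because a client reading from a socket must wait for more bytes in that case rather than fail the connection; every other verdict is a reason to drop the broker.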
Hacker One, added 2026/04/28 6:05 p.m., 16 views

Tor: Malicious Conflux Endpoint Can Leave Stale Global OOO Queue Accounting After Teardown

A vulnerability was discovered in Tor's Conflux OOO queue accounting. The vulnerability could cause the global OOO queue byte counter to remain inflated after a Conflux set was torn down, even though the memory had already been freed. This was due to a lack of accounting updates during the teardo...

AI score 5.3
Exploits: 0
Hacker One, added 2026/04/27 2:54 a.m., 23 views

curl: CVE-2026-7168: cross-proxy Digest auth state leak

Summary: On libcurl 8.19.0, Proxy Digest state learned from proxyA survives an independent transfer boundary on a reused easy handle and is emitted preemptively to proxyB when the proxy is changed. In the attached C PoC, the first CONNECT to proxyB carries Proxy-Authorization: Digest ... built fr...

CVSS 5.3, AI score 5.5, EPSS 0.00471
Exploits: 1
Hacker One, added 2026/04/26 10:35 p.m., 26 views

Shopify: Missing HMAC validation on /uninstall webhook in Shopify/sample-django-app reference template

Repository: https://github.com/Shopify/sample-django-app. Description: The /uninstall webhook endpoint in sample-django-app processes incoming requests without verifying the X-Shopify-Hmac-Sha256 header. Shopify explicitly requires this validation as a mandatory security measure for all webhook...

AI score 5.8
Exploits: 0
Hacker One, added 2026/04/25 12:18 a.m., 24 views

curl: CVE-2026-7009: OCSP stapling bypass with Apple SecTrust

Summary: When curl is built with --with-apple-sectrust or -DUSE_APPLE_SECTRUST=ON and OpenSSL, the --cert-status / CURLOPT_SSL_VERIFYSTATUS option is silently bypassed when Apple SecTrust handles certificate chain verification instead of OpenSSL. The user explicitly requests OCSP stapling enforcement,...

CVSS 6.5, AI score 5.5, EPSS 0.01102
Exploits: 3
Hacker One, added 2026/04/24 7:35 p.m., 16 views

HackerOne: Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql

The GraphQL query on hackerone.com/graphql allowed authenticated users to execute arbitrary Painless scripts through the sort_query argument, without server-side validation or allowlisting. This was confirmed by submitting requests with different Painless script payloads, and observing that the...

AI score 5.8
Exploits: 0
Hacker One, added 2026/04/24 1:34 p.m., 13 views

Brave Software: iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs

A vulnerability was discovered in the Brave browser for iOS where adding or opening a song in the Brave playlist and holding for the "Open in new Private Tab" option bypassed the Face ID or passcode requirement for accessing Private Tabs. This affected Brave iOS version 1.88 and iOS version 26.4....

AI score 5.8
Exploits: 0
Hacker One, added 2026/04/24 8:43 a.m., 10 views

Node.js: Permission Model Bypass via `process.report.writeReport()` Path Misvalidation

A flaw was discovered in the Node.js permission model that allowed bypassing of security controls via the process.report.writeReport path misvalidation...

CVSS 1.8, AI score 5.3, EPSS 0.00208
Exploits: 0
Hacker One, added 2026/04/21 10:11 p.m., 7 views

Node.js: Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat

Vulnerability description not provided...

CVSS 7.7, AI score 5.8, EPSS 0.00674
Exploits: 0
Hacker One, added 2026/04/21 2:58 p.m., 40 views

Rocket.Chat: Unauthenticated reading of every file via livechat auth and predicting MongoDB ObjectId()

Vulnerability description not provided...

CVSS 9.3, AI score 5.3, EPSS 0.00304
Exploits: 0
Hacker One, added 2026/04/20 6:46 a.m., 19 views

curl: Heap-buffer-overflow in `Curl_ssl_push_certinfo_len()` — sole bounds check is `DEBUGASSERT`

Summary: Curl_ssl_push_certinfo_len in lib/vtls/vtls.c uses DEBUGASSERT(certnum < num_of_certs) as its only bounds check before writing a heap pointer into ci->certinfo[certnum]. DEBUGASSERT is a no-op in every release/production build (lib/curl_setup.h:1084). Any mismatch between the count passed to...

AI score 5.7
Exploits: 0
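
The point of the report above, as an added example in C that is not curl's vtls.c: a DEBUGASSERT that expands to nothing outside a debug build guards nothing, so an index that a backend can get wrong must be checked by ordinary code that returns an error. The certinfo layout, the return codes, the DEBUGASSERT definition and the sample pushes are assumptions made for illustration; only the release-build behaviour of the macro follows what the report says of curl's lib/curl_setup.h.

```c
/* Added example, not curl's vtls.c: why a DEBUGASSERT() is not a bounds
 * check. Like the macro the report describes in lib/curl_setup.h, this one
 * expands to nothing unless DEBUGBUILD is defined, so in a release build a
 * write guarded only by it is unguarded. Layout, codes and names are ours. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef DEBUGBUILD
#include <assert.h>
#define DEBUGASSERT(x) assert(x)
#else
#define DEBUGASSERT(x) do { } while(0)   /* release build: evaluates nothing */
#endif

enum { CERTINFO_OK = 0, CERTINFO_BAD_INDEX, CERTINFO_OUT_OF_MEMORY };

struct certinfo {
  int num_of_certs;   /* what the backend promised */
  char **certinfo;    /* heap array of num_of_certs "label:value" strings */
};

static bool certinfo_alloc(struct certinfo *ci, int n)
{
  ci->num_of_certs = n;
  ci->certinfo = calloc((size_t)n, sizeof(char *));
  return ci->certinfo != NULL;
}

static void certinfo_free(struct certinfo *ci)
{
  for(int i = 0; i < ci->num_of_certs; i++)
    free(ci->certinfo[i]);
  free(ci->certinfo);
  ci->certinfo = NULL;
  ci->num_of_certs = 0;
}

/* A false DEBUGASSERT is passed and control continues: true in a release
 * build, an abort in a DEBUGBUILD. */
static bool debugassert_is_noop(void)
{
  DEBUGASSERT(1 == 2);
  return true;
}

/* Hardened push: the bounds check is ordinary code that returns an error.
 * The weak form differs only in having DEBUGASSERT(certnum < num_of_certs)
 * in place of the if(), which is the heap overflow the report describes
 * once certnum == num_of_certs. */
static int push_certinfo(struct certinfo *ci, int certnum, const char *label,
                         const char *value, size_t valuelen)
{
  size_t labellen = strlen(label);
  char *entry;
  if(certnum < 0 || certnum >= ci->num_of_certs)
    return CERTINFO_BAD_INDEX;
  entry = malloc(labellen + 1 + valuelen + 1);
  if(!entry)
    return CERTINFO_OUT_OF_MEMORY;
  memcpy(entry, label, labellen);
  entry[labellen] = ':';
  memcpy(entry + labellen + 1, value, valuelen);   /* value need not be NUL-terminated */
  entry[labellen + 1 + valuelen] = '\0';
  free(ci->certinfo[certnum]);                     /* replace any earlier entry */
  ci->certinfo[certnum] = entry;
  return CERTINFO_OK;
}

/* The mismatch from the report: the count says 2, the backend pushes a 3rd. */
static int demo_count_mismatch(void)
{
  struct certinfo ci;
  int rc;
  if(!certinfo_alloc(&ci, 2))
    return -1;
  push_certinfo(&ci, 0, "Subject", "CN=a", 4);
  push_certinfo(&ci, 1, "Subject", "CN=b", 4);
  rc = push_certinfo(&ci, 2, "Subject", "CN=c", 4);   /* the would-be OOB write */
  certinfo_free(&ci);
  return rc;
}

/* A valid push stores "label:value" using exactly valuelen bytes. */
static bool demo_valid_push(void)
{
  struct certinfo ci;
  bool ok;
  if(!certinfo_alloc(&ci, 1))
    return false;
  ok = push_certinfo(&ci, 0, "Subject", "CN=a-extra", 4) == CERTINFO_OK &&
       strcmp(ci.certinfo[0], "Subject:CN=a") == 0;
  certinfo_free(&ci);
  return ok;
}

int main(void)
{
  printf("DEBUGASSERT no-op: %d, mismatch rc: %d, valid push: %d\n",
         debugassert_is_noop(), demo_count_mismatch(), demo_valid_push());
  return 0;
}
```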
Hacker One, added 2026/04/20 6:36 a.m., 13 views

curl: Stack exhaustion in MIME multipart reading with deeply nested subparts

Summary: The MIME read path uses mutually recursive helpers for nested multipart structures without enforcing a recursion depth limit. A sufficiently deep tree of nested curl_mime_subparts objects causes stack exhaustion when libcurl starts reading the MIME body. The attached PoC builds a deeply...

AI score 5.5
Exploits: 0
Hacker One, added 2026/04/18 11:22 p.m., 16 views

curl: Use-after-free in `curl_easy_ssls_export()` during callback re-entrancy

Summary: curl_easy_ssls_export iterates the SSL session list and invokes a caller-provided callback for each entry. If that callback calls curl_easy_ssls_import on the same easy handle, the import path can evict and free the current session node while the export loop still holds it. The subsequent...

AI score 5.5
Exploits: 0
Hacker One, added 2026/04/17 6:59 p.m., 77 views

curl: libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms

Summary: libcurl omits the IPv6 zoneid component from multiple security-sensitive host identity decisions even though the connection layer still routes by zoneid. As a result, two distinct scoped/link-local destinations such as fe80::X%zoneA and fe80::X%zoneB are treated as the same host by...

CVSS 7.5, AI score 6.7, EPSS 0.02794
Exploits: 1
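
Three of the curl reports on this page share one root cause: cached per-peer state (a Proxy Digest challenge in CVE-2026-7168 and its CURLOPT_PROXYPORT-only variant, credentials and cookies in the IPv6 zoneid report above) is keyed on less than the full peer identity. The following is an added example in C, not libcurl's code, of a host identity that keeps every field a peer can differ on and a reuse check that refuses to replay state across identities that differ in any of them. The parser accepts only `scheme://host[:port]` and `scheme://[v6%zone][:port]`, takes the zone id raw (no %25 decoding), and the struct, function names and sample URLs are assumptions made for illustration.

```c
/* Added example, not libcurl's code: a host identity that keeps scheme,
 * host, IPv6 zone id and port, and a reuse check that refuses to carry
 * cached auth state (a Digest challenge, cookies, ...) across identities
 * that differ in any field. Parser, names and sample URLs are ours. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct host_identity {
  char scheme[8];
  char host[256];    /* hostname or IPv6 literal without brackets/zone */
  char zone[32];     /* IPv6 zone id, empty for global or non-v6 hosts */
  int port;          /* explicit port, or the scheme default */
};

/* Parses "scheme://host[:port]" or "scheme://[v6%zone][:port]" followed by
 * an optional path. Returns false on anything else. */
static bool parse_identity(const char *url, struct host_identity *id)
{
  const char *p = strstr(url, "://");
  const char *end;
  size_t n;
  memset(id, 0, sizeof *id);
  if(!p || (size_t)(p - url) >= sizeof id->scheme)
    return false;
  memcpy(id->scheme, url, (size_t)(p - url));
  p += 3;
  if(*p == '[') {                           /* IPv6 literal, optional %zone */
    const char *close = strchr(p, ']');
    const char *pct;
    if(!close)
      return false;
    pct = memchr(p, '%', (size_t)(close - p));
    n = (size_t)((pct ? pct : close) - (p + 1));
    if(n == 0 || n >= sizeof id->host)
      return false;
    memcpy(id->host, p + 1, n);
    if(pct) {
      n = (size_t)(close - (pct + 1));
      if(n == 0 || n >= sizeof id->zone)
        return false;
      memcpy(id->zone, pct + 1, n);
    }
    end = close + 1;
  }
  else {
    end = p + strcspn(p, ":/");
    n = (size_t)(end - p);
    if(n == 0 || n >= sizeof id->host)
      return false;
    memcpy(id->host, p, n);
  }
  if(*end == ':') {
    char *e;
    long v = strtol(end + 1, &e, 10);
    if(e == end + 1 || v <= 0 || v > 65535)
      return false;
    id->port = (int)v;
  }
  if(id->port == 0)                         /* scheme default, so a:80 == a */
    id->port = strcmp(id->scheme, "https") == 0 ? 443 :
               strcmp(id->scheme, "http") == 0 ? 80 : 0;
  return true;
}

/* State may only be replayed when every field matches. Comparing host alone
 * merges fe80::1%a with fe80::1%b and proxyA:18197 with proxyA:18198. */
static bool same_identity(const struct host_identity *a,
                          const struct host_identity *b)
{
  return strcmp(a->scheme, b->scheme) == 0 &&
         strcmp(a->host, b->host) == 0 &&     /* case folding is the caller's job */
         strcmp(a->zone, b->zone) == 0 &&
         a->port == b->port;
}

/* May auth state learned from cached_url be sent preemptively to next_url? */
static bool may_reuse_auth_state(const char *cached_url, const char *next_url)
{
  struct host_identity a, b;
  if(!parse_identity(cached_url, &a) || !parse_identity(next_url, &b))
    return false;                           /* unparsable: never reuse */
  return same_identity(&a, &b);
}

int main(void)
{
  printf("zone a -> zone b: %d\n",
         may_reuse_auth_state("http://[fe80::1%eth0]/", "http://[fe80::1%eth1]/"));
  printf("proxy port 18197 -> 18198: %d\n",
         may_reuse_auth_state("http://proxyA:18197", "http://proxyA:18198"));
  printf("same proxy, explicit default port: %d\n",
         may_reuse_auth_state("https://a.test", "https://a.test:443/x"));
  return 0;
}
```

Two caveats a real implementation has to add: hostnames must be case-folded before the compare (the host field here is compared byte-for-byte), and this identity is for deciding whether cached state may be reused, not for routing; connection reuse has its own, stricter key.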
Hacker One, added 2026/04/17 2:41 p.m., 14 views

curl: libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay

Summary: libcurl automatically learns RTSP Session: headers from server responses and stores them in data->set.str[STRING_RTSP_SESSION_ID] in lib/rtsp.c:1015-1033. On later RTSP requests using the same easy handle, rtsp_do reads that easy-handle-scoped value at lib/rtsp.c:373 and unconditionally emits...

AI score 5.8
Exploits: 0
Hacker One, added 2026/04/17 1:04 p.m., 16 views

Revive Adserver: Stored XSS via malicious usernames in audit log details + Username validation bypass in XML‑RPC addUser

Vulnerability description not provided...

AI score 5.8, EPSS 0.00339
Exploits: 1
Hacker One, added 2026/04/17 12:29 p.m., 20 views

curl: Digest Auth State Leak on Cross-Origin Redirect via Netrc - Username and Password Hash Sent to Wrong Host

Summary: When curl follows an HTTP redirect from hostA to hostB using --netrc --digest -L, Digest authentication state (nonce, realm) from hostA persists and is combined with hostB's netrc credentials to generate an unsolicited Digest Authorization header sent to hostB. This leaks hostB's username i...

CVSS 5.7, AI score 6.7, EPSS 0.01595
Exploits: 1
Hacker One, added 2026/04/17 7:47 a.m., 23 views

Shopify: mruby-engine: UAF in MRubyEngine#initialize enables local RCE

Summary: Double-init of MRubyEngine frees engine + unmaps mspace, but leaves Ruby DATA_PTR dangling. Kernel reuses freed VA via mmap(MAP_FIXED). Attacker forges me_mruby_engine struct + mrb_state in reclaimed region, points mrb_state->allocf at libc.system, arranges bytes of mrb_state to also spell a shell...

AI score 5.8
Exploits: 0
Hacker One, added 2026/04/16 7:50 p.m., 13 views

Revive Adserver: Banner status override by advertiser‑level users

A vulnerability was reported in Revive Adserver 6.0.6 and earlier, which allowed an advertiser-level user to activate or deactivate a banner without proper permissions. The issue was caused by the banner-edit.php script, which allowed the banner status to be overwritten solely based on banner edi...

CVSS 5.4, AI score 5.8, EPSS 0.00274
Exploits: 1
Hacker One, added 2026/04/16 11:28 a.m., 26 views

curl: CVE-2026-6429: netrc credential leak with reused proxy connection

Summary: libcurl can leak .netrc-derived host Authorization credentials across redirected hosts when an HTTP proxy connection is reused. In the PoC, .netrc contains credentials only for a.test, but after a.test redirects to b.test and then c.test over the same keep-alive proxy connection, libcurl...

CVSS 5.3, AI score 5.5, EPSS 0.00519
Exploits: 1
Hacker One, added 2026/04/16 9:24 a.m., 10 views

Revive Adserver: Missing access control when modifying parent entities via XML‑RPC

Vulnerability description not provided...

CVSS 4.3, AI score 5.8, EPSS 0.00235
Exploits: 0
Hacker One, added 2026/04/16 5:48 a.m., 7 views

Node.js: Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames

Vulnerability description not provided...

CVSS 7.5, AI score 5.8, EPSS 0.00656
Exploits: 0
Hacker One, added 2026/04/15 9:11 p.m., 25 views

CoinMate.io: POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)

A vulnerability was discovered in the CoinMate API where the POST /api/bitcoinWithdrawalFees endpoint was accessible without authentication, despite being documented as a private endpoint. The endpoint returned real-time Bitcoin withdrawal fee data without requiring any authentication, unlike oth...

AI score 5.8
Exploits: 0
Hacker One, added 2026/04/15 6:22 a.m., 18 views

curl: lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a)

Summary: set_transfer_url in lib/http2.c validates the :scheme pseudo-header of PUSH_PROMISE frames only when !via_ssl_conn — a guard added by commit 2e8c922a to block non-TLS connections from accepting TLS-scheme pushes. The symmetric case was not addressed: over TLS, via_ssl_conn is TRUE, the guard at...

AI score 5.9
Exploits: 0
Hacker One, added 2026/04/14 5:03 p.m., 16 views

curl: libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle

Summary: libcurl keeps a stale data->state.referer after an HTTP redirect when CURLOPT_AUTOREFERER is enabled. Curl_http_follow stores the previous URL into data->state.referer at lib/http.c:1166-1189, and later requests reuse that value when building Referer: at lib/http.c:2954-2957. In my local...

AI score 5.8
Exploits: 0
Hacker One, added 2026/04/14 1:25 p.m., 12 views

Revive Adserver: Session ID reuse allowing XML‑RPC API authentication bypass

Vulnerability description not provided...

CVSS 4.3, AI score 5.8, EPSS 0.0031
Exploits: 1
Hacker One, added 2026/04/14 5:45 a.m., 31 views

curl: CVE-2026-6276: stale custom cookie host causes cookie leak

Summary: libcurl keeps a stale data->state.aptr.cookiehost after a request that uses a custom Host: header. On later requests on the same easy handle, when no custom Host: is used, libcurl still reuses that stale value for outgoing cookie selection (lib/http.c:2560-2563) and incoming Set-Cookie...

CVSS 7.5, AI score 5.5, EPSS 0.00291
Exploits: 1
Hacker One, added 2026/04/13 7:36 p.m., 17 views

CoinMate.io: HMAC signature verification omits endpoint and payload allowing request forgery on CoinMate API

A vulnerability was discovered in the HMAC signature verification process of the CoinMate API. The signature was calculated using only the nonce, client ID, and public key, omitting the HTTP endpoint and request payload. This allowed an attacker to hijack a valid signature intended for a read-onl...

AI score 5.9
Exploits: 0
Hacker One, added 2026/04/13 10:02 a.m., 21 views

curl: CVE-2026-6253: proxy credentials leak over redirect-to proxy

Summary: When libcurl follows a redirect and the new URL causes proxy re-selection, proxy credentials learned from the originally selected proxy URL can remain in per-transfer state and be reused for the next proxy. In the validated case, a redirect from http:// to https:// switches selection fro...

CVSS 5.9, AI score 5.4, EPSS 0.00639
Exploits: 1
Hacker One, added 2026/04/13 9:57 a.m., 11 views

Revive Adserver: Stored XSS via Full Name field in userlog email entries

Vulnerability description not provided...

AI score 5.8, EPSS 0.00339
Exploits: 1
Hacker One, added 2026/04/13 5:18 a.m., 18 views

curl: Argument Injection via curl Short-Flag Grouping

This report details how the curl -os command facilitates an Argument Injection vulnerability in applications that wrap the curl command-line tool. The specific command curl -os /etc/passwd --url http://example.com demonstrates a subtle but dangerous behavior. Because -s (silent) follows -o (output),...

AI score 6.3
Exploits: 0
Hacker One, added 2026/04/11 5:52 p.m., 11 views

curl: Negotiate Authentication Premature on Connection Reuse

Summary: Curl 8.19.0+ inappropriately sends Negotiate authentication headers on reused keep-alive connections where authentication was already completed. Commit ab650379a8 (June 2025) moved negotiate auth context to on-demand metadata storage, but during connection reuse the metadata gets cleared...

AI score 5.6
Exploits: 0
Hacker One, added 2026/04/11 3:01 a.m., 17 views

curl: Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers

BUG IN https://raw.githubusercontent.com/curl/curl/07a9b89fedaec60bdbc254f23f66149b31d2f8da/lib/http2.c: `if(stream->bodystarted) { /* This is a trailer */ H2BUGF(infof(data_s, "h2 trailer: %.*s: %.*s", namelen, name, valuelen, value)); result = Curl_dyn_addf(&stream->trailer_recvbuf, "%.*s: %.*s\r\n", namelen, name,`...

CVSS 3.3, AI score 6.2, EPSS 0.00359
Exploits: 0
Hacker One, added 2026/04/10 11:16 p.m., 19 views

Brave Software: Brave Shields Domain Reordering Leads to Origin Confusion

The Brave Shields feature was observed to reorder domain names, leading to potential origin confusion. Specifically, the domain "1.attacker.com" was displayed as "attacker.com.1", and "1.1.1.1.attacker.com" was displayed as "attacker.com.1.1.1.1". This behavior could potentially mislead users abo...

AI score 5.8
Exploits: 0
Hacker One, added 2026/04/10 6:28 p.m., 16 views

IBM: Reflected Cross-Site Scripting (XSS) found on IBM.com domain

A reflected Cross-Site Scripting (XSS) vulnerability was found on the IBM.com domain. The vulnerability was reported to IBM, analyzed, and remediated. The external researcher who reported the issue was acknowledged...

AI score 5.3
Exploits: 0
Hacker One, added 2026/04/08 3:26 p.m., 9 views

Node.js: HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors

A flaw in the Node.js HTTP/2 server API was discovered that could cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affected Node.js 22 and Node.js 24...

CVSS 5.3, AI score 5.4, EPSS 0.00445
Exploits: 0
Hacker One, added 2026/04/08 1:18 p.m., 44 views

curl: libcurl: Integer truncation in curl_easy_ssls_import() causes TLS sessions to never expire

Summary: curl_easy_ssls_import deserializes a TLS session blob and stores it in the in-memory session cache. In Curl_ssl_session_unpack (lib/vtls/vtls_spack.c:311), the valid_until field is read as uint64_t and cast directly to curl_off_t (int64_t) with no bounds check — so a crafted blob encoding valid_until =...

AI score 5.9
Exploits: 0
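
The conversion the report above describes, as an added example in C that is not curl's vtls_spack.c: the unchecked uint64_t to int64_t cast next to a checked unpack that rejects values outside the signed range, values already in the past, and values further ahead than a policy ceiling, so a crafted blob cannot mint a session that never expires whichever way the cache's comparison is written. The blob layout (an 8-byte little-endian field), the ceiling, the return codes and the names are assumptions made for illustration.

```c
/* Added example, not curl's code: unpacking a 64-bit "valid until" field from
 * an untrusted session blob. The plain cast has no range check; the checked
 * version validates against the type and a policy ceiling. The blob layout
 * (8-byte little-endian field), ceiling, codes and names are ours. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int64_t off_like_t;                     /* stands in for curl_off_t */

#define MAX_SESSION_LIFETIME_SECS (7LL * 24 * 60 * 60)   /* policy: one week */

enum unpack_rc { UNPACK_OK = 0, UNPACK_SHORT, UNPACK_OUT_OF_RANGE, UNPACK_EXPIRED };

static uint64_t read_le64(const unsigned char *p)
{
  uint64_t v = 0;
  for(int i = 7; i >= 0; i--)
    v = (v << 8) | p[i];
  return v;
}

static void write_le64(unsigned char *p, uint64_t v)
{
  for(int i = 0; i < 8; i++) {
    p[i] = (unsigned char)(v & 0xFF);
    v >>= 8;
  }
}

/* The unchecked conversion the report describes: values >= 2^63 wrap to
 * negative (implementation-defined, modulo 2^64 on common compilers) and any
 * huge positive value is accepted as a far-future expiry. */
static off_like_t unpack_valid_until_unchecked(const unsigned char *blob)
{
  return (off_like_t)read_le64(blob);
}

/* Checked conversion: fits in the signed type, is in the future, and is not
 * further ahead than the policy allows. */
static enum unpack_rc unpack_valid_until(const unsigned char *blob, size_t len,
                                         int64_t now, off_like_t *out)
{
  uint64_t raw;
  if(len < 8)
    return UNPACK_SHORT;
  raw = read_le64(blob);
  if(raw > (uint64_t)INT64_MAX)
    return UNPACK_OUT_OF_RANGE;                /* would go negative */
  if((int64_t)raw <= now)
    return UNPACK_EXPIRED;
  if((int64_t)raw - now > MAX_SESSION_LIFETIME_SECS)
    return UNPACK_OUT_OF_RANGE;                /* "never expires" attempt */
  *out = (off_like_t)raw;
  return UNPACK_OK;
}

/* Helpers that build a constructed 8-byte blob around one raw field. */
static enum unpack_rc check_raw(uint64_t raw, int64_t now)
{
  unsigned char blob[8];
  off_like_t out;
  write_le64(blob, raw);
  return unpack_valid_until(blob, sizeof blob, now, &out);
}

static off_like_t unchecked_raw(uint64_t raw)
{
  unsigned char blob[8];
  write_le64(blob, raw);
  return unpack_valid_until_unchecked(blob);
}

int main(void)
{
  int64_t now = 1800000000LL;                   /* constructed "current time" */
  printf("unchecked INT64_MAX -> %lld (never expires)\n",
         (long long)unchecked_raw((uint64_t)INT64_MAX));
  printf("checked   INT64_MAX -> rc %d\n", check_raw((uint64_t)INT64_MAX, now));
  printf("checked   now+1h    -> rc %d\n", check_raw((uint64_t)now + 3600, now));
  return 0;
}
```

The ceiling matters as much as the range check: INT64_MAX fits the type, so a type-only check still accepts a session that outlives the process, and the cache's "is it expired yet" comparison will never fire for it.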
Hacker One, added 2026/04/07 8:41 p.m., 8 views

Node.js: Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching

Vulnerability description not provided...

CVSS 5.4, AI score 5.8, EPSS 0.00256
Exploits: 0
Hacker One, added 2026/04/07 8:23 p.m., 12 views

Revive Adserver: PHP code injection via delivery limitation logical

Vulnerability description not provided...

CVSS 8.8, AI score 5.8, EPSS 0.00499
Exploits: 1