HackerOne recent reports

15365 matches found

Hacker One, added 2026/04/07 7:53 p.m. (7 views)

Node.js: Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings

Vulnerability description not provided...

CVSS 9.8 | AI score 5.8 | EPSS 0.00405 | Exploits: 0

Hacker One, added 2026/04/06 4:01 p.m. (15 views)

Revive Adserver: Reflected XSS via clientid parameter in zone-include.php

Vulnerability description not provided...

CVSS 6.1 | AI score 5.8 | EPSS 0.00217 | Exploits: 1

Hacker One, added 2026/04/06 2:47 p.m. (13 views)

Revive Adserver: Blind SQL injection via clientid parameter in zone-include.php

Vulnerability description not provided...

CVSS 8.3 | AI score 5.8 | EPSS 0.00298 | Exploits: 1

Hacker One, added 2026/04/05 8:31 p.m. (108 views)

curl: SMTP Command Injection via CRLF in libcurl MAIL_FROM / MAIL_RCPT (lib/smtp.c)

Summary: libcurl's SMTP implementation fails to properly sanitize CRLF sequences in user-controlled inputs passed via CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT. The function smtp_parse_address (lib/smtp.c:277) extracts any data following the closing character as a raw suffix and incorporates it directly int...

AI score 6.2 | Exploits: 0

Hacker One, added 2026/04/05 10:42 a.m. (27 views)

curl: CVE-2026-5773: wrong reuse of SMB connection

A vulnerability was discovered in curl version 8.19.0 and earlier versions that support SMB. The vulnerability was due to the incorrect reuse of SMB connections across different shares on the same server. This led to data spoofing and access control bypass. The issue was caused by the lack of...

CVSS 7.5 | AI score 5.5 | EPSS 0.00549 | Exploits: 1

Hacker One, added 2026/04/05 8:47 a.m. (11 views)

Revive Adserver: Missing access control when linking trackers to campaigns

A missing access control check was reported when linking trackers to campaigns through the "campaign-trackers.php" script of Revive Adserver 6.0.6 and earlier. A low-privileged user could link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent...

CVSS 4.3 | AI score 5.7 | EPSS 0.00235 | Exploits: 1

Hacker One, added 2026/04/05 7:15 a.m. (19 views)

Revive Adserver: Missing access control when linking banners or campaigns to zones

A missing access control check was identified when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API. This could have allowed a low-privileged user to link their zones to banners or campaigns owned by other managers on...

CVSS 4.3 | AI score 5.7 | EPSS 0.00235 | Exploits: 1

Hacker One, added 2026/04/05 6:46 a.m. (17 views)

curl: FTP entrypath accepts 0xFF (Telnet IAC) through incomplete ISCNTRL filter, sent on wire via CWD on connection reuse

Summary: A malicious FTP server can embed byte 0xFF (Telnet IAC) in the PWD response path. The ISCNTRL filter at lib/ftp.c:3095 expands to ISLOWCNTRL(x) || IS_7F(x), which is (unsigned char) x; entrypath (line 3131) is sent verbatim via "CWD %s" on connection reuse (line 849). I understand the KNOWNRISK.md and...

CVSS 4.3 | AI score 6.7 | EPSS 0.03851 | Exploits: 0

Hacker One, added 2026/04/05 6:17 a.m. (17 views)

curl: no_proxy IDN mismatch: Unicode hostnames bypass proxy exclusion list

Summary: Unicode IDN hostnames in no_proxy are never converted to punycode before comparison, so they never match the request hostname, which curl has already converted to punycode. A user who types no_proxy="bücher.de" and requests http://bücher.de/ expects the proxy to be bypassed. Instead curl...

CVSS 7.5 | AI score 6.6 | EPSS 0.1654 | Exploits: 1

Hacker One, added 2026/04/05 6:08 a.m. (13 views)

curl: Improper enforcement of CURLOPT_SOCKS5_AUTH due to missing reuse key validation in libcurl

Detail:
- lib/setopt.c:1048-1051: CURLOPT_SOCKS5_AUTH is stored into data->set.socks5auth
- lib/socks.c:597-641 (socks5req0init): a fresh SOCKS5 handshake reads data->set.socks5auth; if BASIC is not allowed, it clears sx->proxyuser at 618-620, so username/password auth is not even offered
- ...

AI score 5.9 | Exploits: 0

Hacker One, added 2026/04/04 6:35 p.m. (7 views)

Node.js: TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections

Vulnerability description not provided...

CVSS 4.3 | AI score 5.8 | EPSS 0.00258 | Exploits: 0

Hacker One, added 2026/04/04 3:28 a.m. (3 views)

Node.js: Improper Input Validation — HTTP Response Parser Unconditionally Accepts Bare CR in Status Line

The llhttp HTTP response parser in Node.js up to version 24.14.1 (llhttp v9.3.0 and v9.3.1) was found to unconditionally accept a bare carriage return (CR) as a valid response status line terminator. This parsing asymmetry was present in the response path but not in the request parsing, enabling...

AI score 5.7 | Exploits: 0

Hacker One, added 2026/04/03 7:15 p.m. (18 views)

curl: Internal application wrapper or script using curl

While -guid is not a standard or documented curl command, a Command Injection or Argument Injection vulnerability within a specific application that wraps curl. Security Analysis: curl -guid -url example.com. 1. Status of the "-guid" flag: Undocumented/Non-existent: The official curl binary does not...

AI score 6 | Exploits: 0

Hacker One, added 2026/04/03 10:59 a.m. (22 views)

curl: ignoring 'options' when doing connection reuse

libcurl contains a significant logic flaw in its connection pool matching mechanism. When a transfer specifies a required authentication policy, such as a specific SASL mechanism (e.g., ;AUTH=GSSAPI) or a restricted set of SSH authentication types (CURLOPT_SSH_AUTH_TYPES), libcurl fails to verify these...

AI score 5.9 | Exploits: 0

Hacker One, added 2026/04/02 9:46 p.m. (20 views)

curl: Negotiate connection reuse with wrong credentials when using CURLAUTH_ANY

Summary: CVE-2026-1965 fixed connection reuse for Negotiate authentication by adding urlmatchauthnego in urlmatchconn at line 1244 of lib/url.c. When a first handle authenticates via Negotiate (Kerberos) on a connection and that connection returns to the pool, a second handle with different...

CVSS 6.5 | AI score 5.6 | EPSS 0.00259 | Exploits: 0

Hacker One, added 2026/04/02 6:13 p.m. (16 views)

curl: CURLOPT_SSH_KNOWNHOSTS and host fingerprint pins are silently bypassed when an SSH connection is reused from the connection pool

Product: libcurl, all versions, all platforms, compiled with USE_SSH. Protocols affected: sftp://, scp://. Summary: libcurl's connection pool reuse logic for SSH-based protocols (SFTP, SCP) contains a security gap that allows a transfer's server-verification policy to be completely ignored. When an...

AI score 6 | Exploits: 0

Hacker One, added 2026/04/02 5:39 p.m. (15 views)

curl: Data race in Curl_dnscache_add_negative() corrupts shared DNS cache — heap corruption and double-free when using CURLOPT_SHARE with CURL_LOCK_DATA_DNS

Severity: Medium; CVSS 3.1: 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H). Summary: Curl_dnscache_add_negative in lib/dnscache.c modifies the shared DNS cache ha...

AI score 6.2 | Exploits: 0

Hacker One, added 2026/04/01 4:00 p.m. (15 views)

arkadiyt-projects: Authorization header leak in ssrf_filter via cross-host redirect leads to credential theft and unauthorized access

A vulnerability was discovered in the ssrf_filter library. The vulnerability allowed an attacker-controlled redirect target to receive credentials that were intended only for the original request origin. This was possible because ssrf_filter followed redirects by rebuilding each redirected request...

AI score 5.8 | Exploits: 0

Hacker One, added 2026/04/01 3:36 p.m. (14 views)

curl: CVE-2026-5545: wrong reuse of HTTP Negotiate connection

Summary: An attacker sharing a libcurl multi-handle connection pool can hijack another user's Negotiate/Kerberos-authenticated connection. When User A authenticates via Negotiate (SPNEGO) and the connection returns to the pool, User B, using CURLAUTH_ANY with different credentials, gets that connectio...

CVSS 6.5 | AI score 5.7 | EPSS 0.00414 | Exploits: 1

Hacker One, added 2026/04/01 8:24 a.m. (34 views)

curl: Cookie attribute TAB injection regression in Set-Cookie parsing

Overview: Component: lib/cookie.c (parse_cookie_header); Type: Security regression (incomplete input validation); CWE: CWE-20 Improper Input Validation; Severity: LOW, CVSS 3.1 estimated 3.7, comparable to CVE-2022-35252; Affected: curl 8.18.0 through current HEAD; ...

CVSS 3.7 | AI score 6 | EPSS 0.01788 | Exploits: 1

Hacker One, added 2026/03/31 10:47 p.m. (17 views)

curl: Missing server identity policy enforcement in SSH connection reuse allows host key verification bypass via pool poisoning

Summary: ssh_config_matches in lib/url.c decides whether an existing SSH connection can be reused by a new transfer handle. It checks client key paths (rsa, rsapub) but never...

CVSS 7.7 | AI score 7.2 | EPSS 0.02596 | Exploits: 2

Hacker One, added 2026/03/31 7:09 a.m. (31 views)

curl: Bypassing Strict SSH Server Verification via Connection Pool Reuse in libcurl

Summary: There is a logic flaw in how libcurl manages its connection pool for SSH protocols (SFTP/SCP). When evaluating an existing connection for reuse, ssh_config_matches in lib/url.c fails to compare server identity verification policies. By ignoring CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5...

AI score 5.9 | Exploits: 0

Hacker One, added 2026/03/30 9:50 p.m. (11 views)

curl: Use-After-Free race condition in url_move_hostname() via shared connection pool

Summary: In lib/url.c, urlconnreuseadjust calls url_move_hostname, which frees conn->host.rawalloc and conn->host.encalloc via Curl_safefree and Curl_free_idnconverted_hostname after Curl_cpool_find has already released the connection pool lock. A second thread doing a concurrent pool lookup still holds tha...

AI score 5.9 | Exploits: 0

Hacker One, added 2026/03/29 7:02 p.m. (19 views)

curl: HackerOne Vulnerability Report: libcurl SSL/TLS Identity Leakage via Insecure Connection Reuse

Summary: libcurl contains a critical logic flaw in its connection reuse mechanism, where transfers using the CURLOPT_SSL_CTX_FUNCTION SSL context callback to establish a specific identity (e.g., via client certificates) can have their connections incorrectly reused by subsequent, unauthenticated transfe...

AI score 5.9 | Exploits: 0

Hacker One, added 2026/03/29 4:37 p.m. (17 views)

curl: HTTP/2 PUSH_PROMISE header loss on OOM bypasses scheme validation (regression of 2e8c922a89)

Summary: In lib/http2.c:1490, when curl_maprintf fails due to memory pressure, the push promise header is silently dropped but the callback returns success. If the lost header is the :scheme pseudo-header, the security check at line 733 that blocks HTTPS pushes over insecure connections is skipped...

AI score 6 | Exploits: 0

Hacker One, added 2026/03/28 5:06 p.m. (13 views)

arkadiyt-projects: Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes

A path traversal vulnerability was discovered in the protodump tool. The vulnerability allowed an attacker to influence the output filename construction and bypass the containment check, enabling writes outside the intended output directory. The vulnerability was caused by the use of...

AI score 5.8 | Exploits: 0

Hacker One, added 2026/03/28 3:26 p.m. (17 views)

arkadiyt-projects: SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48)

A vulnerability was discovered in the ssrf_filter library version 1.3.0. The library failed to block the NAT64 local-use IPv6 prefix 64:ff9b:1::/48, allowing such addresses to be treated as public. This enabled SSRF requests through /fetch to targets encoded under that prefix when routable in the...

AI score 5.8 | Exploits: 0

Hacker One, added 2026/03/28 9:39 a.m. (37 views)

curl: CRLF Injection in HAProxy PROXY Protocol via CURLOPT_HAPROXY_CLIENT_IP allows IP spoofing and protocol injection

Summary: CURLOPT_HAPROXY_CLIENT_IP, introduced in curl 8.2.0, accepts arbitrary strings without any validation or sanitization before injecting them into the HAProxy PROXY protocol v1 header. An attacker who can influence the value passed to this option (e.g., through a web application that proxies...

AI score 6.1 | Exploits: 0

Hacker One, added 2026/03/27 6:01 p.m. (11 views)

curl: Unbounded GZIP Decompression Leading to Event-Loop Starvation

When libcurl is configured to decompress HTTP responses via CURLOPT_ACCEPT_ENCODING or the --compressed CLI flag, it lacks decompression bounds checking or a mechanism to yield execution during massive expansion tasks. If an attacker provides a highly compressed payload (zip bomb), libcurl's underlyi...

AI score 6.3 | Exploits: 0

Hacker One, added 2026/03/26 6:56 p.m. (16 views)

curl: HTTP/2 server push accepts a non-authoritative :scheme=https over cleartext h2c, enabling HTTPS cache-key poisoning

Summary: I found that libcurl 8.19.0 accepts an HTTP/2 pushed stream on a cleartext h2c connection even when the server sends :scheme=https in PUSH_PROMISE. In lib/http2.c, set_transfer_url builds the pushed handle URL from the server-supplied :scheme, :authority, and :path, but PUSH_PROMISE validati...

AI score 5.9 | Exploits: 0

Hacker One, added 2026/03/25 7:27 p.m. (47 views)

curl: Security Vulnerability Report: Protocol Injection via Programmatic Options

Summary: Multiple text-based protocol handlers in libcurl, including FTP, SMTP, POP3, and IMAP, are vulnerable to protocol command injection. This occurs when an application sets credentials or other protocol-specific options programmatically (e.g., via CURLOPT_USERNAME, CURLOPT_PASSWORD, or...

AI score 6 | Exploits: 0

Hacker One, added 2026/03/24 11:12 p.m. (9 views)

Node.js: Permission Model bypass via FileHandle.utimes() in the promises API

Vulnerability description not provided...

CVSS 3.3 | AI score 5.8 | EPSS 0.00154 | Exploits: 0

Hacker One, added 2026/03/24 6:37 p.m. (7 views)

PortSwigger Web Security: Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption

A security issue was discovered in the /api-internal/login authentication endpoint of the internal login interface of Burp Suite DAST Enterprise. The issue was caused by improper input validation order, where the application processed user-supplied input before enforcing field-level validation...

AI score 5.8 | Exploits: 0

Hacker One, added 2026/03/24 3:03 p.m. (15 views)

Nextcloud: PIN bypass in PassCodeActivity via back button

A vulnerability was discovered in the PassCodeActivity of a certain application. The vulnerability allowed bypassing the PIN code by pressing the back button...

CVSS 4.6 | AI score 5.5 | EPSS 0.00153 | Exploits: 0

Hacker One, added 2026/03/23 2:38 p.m. (13 views)

curl: HTTP/1.1 Response Desynchronization via conflicting CL/TE headers in Proxy CONNECT

Summary: curl fails to prioritize the Transfer-Encoding: chunked header over Content-Length in HTTP/1.1 proxy responses, specifically 407/401 auth challenges, violating RFC 9112 Section 6.1. I have identified the root cause in cf-h1-proxy.c. In the response-handling loop around line 466, the code...

AI score 5.9 | Exploits: 0

Hacker One, added 2026/03/22 11:18 p.m. (118 views)

curl: CVE-2026-4873: connection reuse ignores TLS requirement

A vulnerability was discovered in libcurl's connection reuse for cleartext-upgrade mail protocols. The vulnerability was that the later transfer's CURLOPT_USE_SSL option was not properly included if a plaintext connection was already open and reusable. This affected the smtp://, pop3://, and imap:/...

CVSS 5.9 | AI score 5.3 | EPSS 0.00329 | Exploits: 1

Hacker One, added 2026/03/22 4:52 a.m. (10 views)

AWS VDP: Health check errors silently dropped when channel buffer full

Component: pkg/plugin/plugin.go:153-156, pkg/plugin/pluginv2.go:156-158. Affected Version: aws-encryption-provider @ 4341c70 (all versions). Found by: Source audit. TLP: TLP:Amber. Summary: When KMS operations fail, the error is sent to a buffered channel (healthCheckErrc, size 100) via a non-blocking...

AI score 6 | Exploits: 0

Hacker One, added 2026/03/22 4:50 a.m. (11 views)

AWS VDP: Encryption context keys and values logged at INFO level

Component: cmd/server/main.go:101-106. Affected Version: aws-encryption-provider @ 4341c70 (all versions). Found by: Source audit. TLP: TLP:Amber. Summary: The server startup code logs all encryption context key-value pairs at INFO level. Encryption context is metadata associated with KMS operations...

AI score 5.9 | Exploits: 0

Hacker One, added 2026/03/22 4:44 a.m. (14 views)

AWS VDP: V2Plugin.Decrypt panics on empty ciphertext (Remote DoS)

A vulnerability was discovered in the "aws-encryption-provider" component where the "V2Plugin.Decrypt" function accessed the ciphertext slice without checking if it was empty, leading to a panic and crashing the entire gRPC server process...

AI score 5.8 | Exploits: 0

Hacker One, added 2026/03/22 4:40 a.m. (11 views)

AWS VDP: V1Plugin.Decrypt panics on empty ciphertext (Remote DoS)

A vulnerability was discovered in the aws-encryption-provider component of the pkg/plugin/plugin.go file at revision 4341c70. The vulnerability caused the V1Plugin.Decrypt function to panic when passed an empty ciphertext, crashing the entire gRPC server process. This was due to the function...

AI score 5.8 | Exploits: 0

Hacker One, added 2026/03/21 4:20 a.m. (16 views)

DuckDuckGo: RCE + PAT Exfiltration via pull_request_target in privacy-configuration/auto-respond-pr.yml — Direct Supply Chain to All DDG Browsers

A vulnerability was discovered in the "auto-respond-pr.yml" GitHub Actions workflow of the "privacy-configuration" repository. The workflow used the "pull_request_target" trigger, which checked out the fork's repository as both the "base" and "PR" branches. This allowed an attacker to control the...

AI score 6.2 | Exploits: 0

Hacker One, added 2026/03/21 4:20 a.m. (20 views)

DuckDuckGo: RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml — Affects All DuckDuckGo Browsers

A vulnerability was discovered in the DuckDuckGo content-scope-scripts repository's GitHub Actions workflow. The workflow used the pull_request_target trigger without access controls, allowing untrusted code from fork pull requests to be checked out and executed. This could have led to remote code...

AI score 6.3 | Exploits: 0

Hacker One, added 2026/03/20 8:13 p.m. (7 views)

Node.js: Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)

Vulnerability description not provided...

CVSS 10 | AI score 5.8 | EPSS 0.00663 | Exploits: 1

Hacker One, added 2026/03/20 7:14 a.m. (10 views)

curl: Function `do_pubkey()` can have out-of-bound read issue

Summary: A 1-byte out-of-bounds heap read in do_pubkey in lib/vtls/x509asn1.c. When parsing an RSA public key with a zero-length or all-zero modulus, the loop dereferences a pointer before checking bounds. Requires a non-OpenSSL TLS backend (e.g., Mbed/Gnu). A certificate chain verification can trigg...

AI score 5.8 | Exploits: 0

Hacker One, added 2026/03/18 7:47 a.m. (29 views)

curl: Exposed .git/config File Leading to Potential Sensitive Information Disclosure

Summary: The .git/config file is publicly accessible on the target server, which may expose sensitive repository configuration details. This indicates that the .git directory is improperly exposed, potentially allowing attackers to reconstruct the entire source code repository and extract sensiti...

AI score 5.8 | Exploits: 0

Hacker One, added 2026/03/17 7:20 p.m. (70 views)

Rocket.Chat: Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file

Vulnerability description not provided...

CVSS 7.5 | AI score 5.3 | EPSS 0.00723 | Exploits: 0

Hacker One, added 2026/03/17 7:06 p.m. (21 views)

curl: Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix

curl versions 8.19.0 and later were meant to fix CVE-2026-3783, which causes OAuth2 bearer tokens to leak on HTTP redirects when the user has a .netrc file configured. However, the vulnerability still exists in the current codebase. VULNERABILITY: When a curl user specifies an OAuth2 bearer token...

CVSS 5.3 | AI score 5.9 | EPSS 0.00333 | Exploits: 1

Hacker One, added 2026/03/16 10:23 p.m. (38 views)

curl: HSTS accepted from HTTP origin behind HTTPS proxy

curl/libcurl appears to accept and persist Strict-Transport-Security from an http:// origin when the request is sent through an https:// proxy. After that, a later http:// request for the same host is automatically upgraded to https:// due to stored HSTS state. Affected versions 8.12.0 through...

AI score 5.7 | Exploits: 0

Hacker One, added 2026/03/16 3:17 p.m. (11 views)

phpBB: Blind POST SSRF via Web Push Notification Endpoint

A vulnerability was discovered in phpBB 4.0.0-alpha1 that allowed registered users to register arbitrary URLs as their Web Push notification endpoint. The endpoint URL was stored without validation and later used by the phpBB server to send outbound HTTP POST requests, potentially leading to blin...

AI score 6 | Exploits: 0

Hacker One, added 2026/03/16 2:54 p.m. (8 views)

curl: Unescaped username in SASL DIGEST-MD5 response allows injection

Summary: The username is inserted into the DIGEST-MD5 response without escaping quotes or backslashes. The HTTP digest path on line 863 in lib/vauth/digest.c uses auth_digest_string_quoted, but the SASL path does not (line 478). Commit ac419bf sorted the HTTP path in 2013. It looks like the SASL was moved in...

AI score 5.9 | Exploits: 0

Total number of security vulnerabilities: 15365