
15365 matches found

Hacker One
added 2026/03/16 1:56 p.m., 15 views

Basecamp: DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover

A DOM XSS vulnerability was discovered in the file import functionality of the Fizzy application. The vulnerability allowed an attacker to craft a malicious filename that, when previewed by the victim user, would inject a second form submission into the import page. This enabled the attacker to...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/14 6:13 a.m., 13 views

LinkedIn: Access to Deactivated LinkedIn Company Pages via Competitor Analytics API

A vulnerability was discovered in LinkedIn's Competitor Analytics API that permitted authenticated users to access analytics data for deactivated company pages...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/13 4:59 p.m., 18 views

curl: SMB READ_ANDX DataOffset not validated

Summary: in smb_request_state case SMB_DOWNLOAD, curl reads two server-controlled fields from a READ_ANDX response and uses them to decide where in the receive buffer file data starts. In lib/smb.c: len = Curl_read16_le(((const unsigned char *)msg) + sizeof(struct smb_header) + 11); off = Curl_read16_le((const...

AI score 6.1
Exploits 0
Hacker One
added 2026/03/12 10:55 p.m., 18 views

Ruby on Rails: Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs

A vulnerability was discovered in the Rails::HTML::Sanitizer.allowed_uri? method of the rails-html-sanitizer library. The method incorrectly returned true for entity-encoded, control-character-split javascript: URLs, which could lead to potential security issues if the application relied on the...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/12 4:28 a.m., 24 views

Lovable VDP: Bypass of Open Redirect Fix on lovable.dev via /..// Path Traversal in redirect parameter

A bypass was discovered for a previously patched open redirect vulnerability on a web application. The original fix blocked certain payloads, but failed to account for path traversal sequences combined with double slashes. By supplying a specific redirect value, an attacker could still redirect...

AI score 5.9
Exploits 0
Hacker One
added 2026/03/11 4:06 p.m., 13 views

curl: Curl_compareheader() fails to match multi-value HTTP headers

Summary: Curl_compareheader() in lib/http.c fails to scan the full value of HTTP headers for substring matches. Due to an incorrect loop condition, only the first byte position of the header value is checked. This causes curl to miss connection options like "close" when they appear as non-first tokens ...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/11 3:02 p.m., 11 views

curl: urlapi: off-by-one in custom scheme validation skips last character

Summary: In lib/urlapi.c, the seturlscheme function has an off-by-one error when validating custom scheme names. The validation loop checks scheme[0] twice (once by ISALPHA, once in the loop) and never checks the last character. This allows schemes ending with any arbitrary byte (e.g., foo!, bar, bad/) ...

AI score 5.9
Exploits 0
Hacker One
added 2026/03/11 12:40 a.m., 13 views

curl: NULL Pointer Dereference (DoS) in libcurl SFTP QUOTE command parsing due to missing return statement

Summary: A logic flaw in lib/vssh/libssh2.c causes a NULL pointer dereference when parsing SFTP QUOTE commands with trailing garbage. The function returnquoteerror is called to handle errors and free memory, but the return keyword is missing in several blocks (e.g., lines 840, 857, 870). This allow...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/10 7:58 a.m., 18 views

curl: CURLOPT_UNRESTRICTED_AUTH Dangerous Default Documentation Gap

Summary: CURLOPT_UNRESTRICTED_AUTH=1 instructs libcurl to send credentials to ALL hosts during redirect chains, "possibly again and again as the following hosts can keep redirecting to new hosts." The documentation explicitly warns this is dangerous, but the default behavior is also risky: curl onl...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/10 7:43 a.m., 21 views

curl: Connection Reuse Ignores OAuth Bearer Token Mismatch

Summary: The connection pool reuse function url_match_conn in lib/url.c checks oauth_bearer in its credential match block, but only for protocols marked as requiring per-connection credentials. For HTTP, the OAuth bearer token is passed as a header, not as a protocol-level credential. If a libcurl application...

CVSS 8.1, AI score 6.6, EPSS 0.01914
Exploits 1
Hacker One
added 2026/03/09 1:57 p.m., 15 views

Nextcloud: Stored XSS in attachment-display exploitable through SameSite

A stored XSS vulnerability was discovered in the attachment-display feature of Roundcube. By uploading an HTML file and opening it through the display-attachment endpoint, the embedded script could execute under the Roundcube origin. The issue was caused by the lack of a restrictive Content...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/08 6:38 p.m., 10 views

IBM: Potential Subdomain Takeover on IBM.com domain.

A potential subdomain takeover on an IBM.com domain was reported to IBM, analyzed, and remediated...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/08 11:47 a.m., 11 views

curl: Use-After-Free in SMB connection reuse (req->path dangling pointer after needle destruction)

Summary: A heap use-after-free occurs in smb_send_open in lib/smb.c when curl processes two SMB URLs targeting the same host. The function smb_parse_url_path sets req->path as a non-owning pointer into smbc->share (connection-owned memory). During connection reuse, the needle connection is freed via...

AI score 5.5
Exploits 0
Hacker One
added 2026/03/08 11:32 a.m., 21 views

curl: CVE-2026-3805: use after free in SMB connection reuse

Summary: A heap use-after-free occurs in smb_send_open in lib/smb.c when curl processes two SMB URLs targeting the same host. The function smb_parse_url_path sets req->path as a non-owning pointer into smbc->share (connection-owned memory). During connection reuse, the needle connection is freed via...

CVSS 7.5, AI score 5.8, EPSS 0.00715
Exploits 2
Hacker One
added 2026/03/08 8:08 a.m., 15 views

Lovable VDP: Business Logic Bypass Allows Setting “Read Access” Role Without Pro Plan Subscription

A business logic vulnerability was identified that allowed users on a free plan to generate an invitation link that assigned the "Read Access" role, which was intended to be restricted to users with a Pro Plan subscription. The vulnerability was triggered by manipulating the invitation creation...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/08 7:16 a.m., 12 views

AWS VDP: SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet)

Researchers: This vulnerability was discovered through collaborative security research. Researchers: █████, █████████, █████████. Summary: AWS WAF fails to detect certain SQL injection payload variants. These payloads bypass the AWS WAF SQL injection detection rules and reach the backend...

AI score 6.1
Exploits 0
Hacker One
added 2026/03/07 11:44 a.m., 11 views

Nextcloud: position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.

A vulnerability was discovered in the CSS sanitization process of the Roundcube webmail application. The sanitizer failed to properly handle the "position: fixed !important" CSS declaration, allowing an attacker to bypass the mitigation for fixed-position overlays. This could enable the creation ...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/07 11:41 a.m., 11 views

Nextcloud: Unquoted body background attribute enables CSS injection that bypasses remote image blocking

A vulnerability was discovered in Roundcube's HTML sanitizer that enabled CSS injection when the allow_remote option was set to false. The sanitizer failed to quote the value of the background attribute of the email's <body> element, allowing a crafted data: URI to terminate the url() function and inject...

AI score 5.9
Exploits 0
Hacker One
added 2026/03/07 11:33 a.m., 10 views

Nextcloud: SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail client. The vulnerability allowed attackers to bypass the "Block remote images" security feature by using SMIL animation attributes to load arbitrary external resources without validation. This could have enabled email...

AI score 6
Exploits 0
Hacker One
added 2026/03/06 5:32 p.m., 10 views

Rocket.Chat: RBAC bypass on App log endpoints via `permissionRequired` typo — any authenticated user reads admin-only Enterprise App logs

Vulnerability description not provided...

CVSS 4.3, AI score 5.7, EPSS 0.00182
Exploits 0
Hacker One
added 2026/03/06 12:52 p.m., 10 views

Enjin: Unauthenticated File Upload to CDN

An unauthenticated file upload vulnerability was discovered in the NFT.io platform. The vulnerability allowed an unauthenticated user to upload files to the platform's content delivery network. The issue was reported and promptly fixed by the Enjin team, despite the low-impact nature of the...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/04 2:39 p.m., 10 views

AWS VDP: QuickSight Authorization Bypass: Chat Agents Accessible Despite Custom Permissions Denial

A vulnerability was discovered in Amazon Quick Suite (formerly QuickSight) that allowed users to access and interact with AI chat agents despite administrative restrictions being in place to disable this functionality. The vulnerability was caused by the lack of proper server-side authorization...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/04 1:29 p.m., 12 views

curl: CVE-2026-3784: wrong proxy connection reuse with credentials

Summary: libcurl may reuse an existing HTTP proxy CONNECT tunnel without matching proxy credentials when selecting a reusable connection. In lib/url.c, url_match_proxy_use calls proxy_info_matches (lib/url.c:930-935 → lib/url.c:589-595), and that matcher compares proxy type, host, and port but does not...

CVSS 6.5, AI score 5.8, EPSS 0.00302
Exploits 1
Hacker One
added 2026/03/04 12:47 p.m., 13 views

curl: In curl's SASL OAUTHBEARER authentication, including the SOH character (0x01) in the username corrupts the message structure.

Summary: This vulnerability arises because curl fails to validate the contents of the username when constructing OAuth2 authentication messages. Depending on the server-side implementation, this could lead to log tampering or credential spoofing. Affected version: curl 8.18.0...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/04 7:25 a.m., 14 views

curl: LM Challenge-Response Hash Always Sent in SMB Authentication

Summary: The curl SMB client unconditionally computes and sends both the legacy LAN Manager (LM) and NT challenge-response hashes during SMB session setup. The LM hash is cryptographically broken: it splits the password into two 7-charact...

AI score 5.8
Exploits 0
Hacker One
added 2026/03/04 12:41 a.m., 20 views

curl: SSTI leads to Command injection

Summary: Hi team, I am a new researcher, searching for pleasure; excuse me for poor technical details. The parameter os is vulnerable to SSTI leading to command injection. Affected version: curl/7.55.1. Steps To Reproduce: I tried to inject the os parameter curl -ospopen'sleep 10'.read --url...

AI score 5.9
Exploits 0
Hacker One
added 2026/03/03 10:21 p.m., 14 views

curl: CVE-2026-3783: token leak with redirect and netrc

Summary: When --oauth2-bearer is used with --netrc and curl follows a redirect, the bearer token leaks to the redirect target. The netrc bypass at http.c:822 skips Curl_auth_allowed_to_host, allowing the token through. This is an incomplete fix for CVE-2025-14524; the Dec 2025 SASL fix patched...

CVSS 5.3, AI score 6.7, EPSS 0.01351
Exploits 4
Hacker One
added 2026/03/03 8:09 a.m., 7 views

Node.js: HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`

Vulnerability description not provided...

CVSS 3.7, AI score 5.8, EPSS 0.00359
Exploits 1
Hacker One
added 2026/03/02 8:44 p.m., 20 views

Lovable VDP: Open Redirect on lovable.dev via redirect parameter leads to phishing attacks

An open redirect vulnerability was discovered on the website lovable.dev. After logging in, a request was sent to a URL with a 'redirect' parameter. By supplying a backslash-prefixed value for the 'redirect' parameter, the user could be redirected to an external domain. This vulnerability could...

AI score 6.1
Exploits 0
Hacker One
added 2026/03/02 7:38 a.m., 16 views

Ruby on Rails: ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection

A vulnerability was discovered in the ActiveStorage Disk Service component of Ruby on Rails. The vulnerability allowed an attacker to achieve arbitrary file write, read, and delete on the server's filesystem by injecting a malicious blob key. The vulnerability was due to insufficient validation o...

AI score 5.9
Exploits 0
Hacker One
added 2026/03/02 12:55 a.m., 17 views

curl: Use after free in hyperfifo example

Summary: THIS ONLY IS AN ISSUE IN EXAMPLE CODE, NOT CURL ITSELF! In the hyperfifo example the event base is freed before curl_multi_cleanup is called. This leads to a use after free in the addsocket callback when libevent tries to lock a mutex in the base event during the curl shutdown. Link t...

AI score 5.7
Exploits 0
Hacker One
added 2026/02/28 8:07 p.m., 14 views

IBM: SQL Injection vulnerability found on ibm.com endpoint

A SQL injection vulnerability was found on an ibm.com endpoint. The vulnerability was reported to IBM, analyzed, and remediated...

AI score 5.8
Exploits 0
Hacker One
added 2026/02/26 2:30 p.m., 16 views

curl: Curl Telnet Handler Buffer Overflow

Summary: I found a buffer overflow in curl's telnet protocol handler that allows remote memory corruption without authentication. The bug is in the CURL_SB_ACCUM macro in lib/telnet.c line 69, where the bounds check lets you write one byte past the end of a 512-byte buffer. When curl receives 512+...

AI score 6.2
Exploits 0
Hacker One
added 2026/02/26 10:53 a.m., 15 views

curl: RTSP RTP Interleaved Parser Assertion Failure (Zero-Length RTP Payload)

Summary: I am submitting this as a security issue primarily due to how it was discovered and that it's my first Curl submission, but I suspect I might be overly cautious here. This issue was discovered as part of the AIXCC competition, and I am assisting on reporting true positive findings to...

AI score 5.9
Exploits 0
Hacker One
added 2026/02/26 10:52 a.m., 13 views

curl: Integer Overflow in curl_multi_get_handles() Leading to Heap Buffer Overflow

Summary: The curl_multi_get_handles function in lib/multi.c contains an integer overflow vulnerability when the number of easy handles in a multi handle approaches UINT_MAX (4,294,967,295). When count == UINT_MAX, the expression coun...

AI score 6.9
Exploits 0
Hacker One
added 2026/02/26 4:11 a.m., 16 views

curl: Able to bypass HSTS using trailing dot

Summary: curl allows users to load an HSTS cache, which causes curl to use HTTPS instead of HTTP for an HTTP URL to a site listed in the HSTS cache. Affected version: the curl version used for reproducing this issue is 8.16.0 (curl --version: curl 8.16.0 Windows libcurl/8.16.0 Schannel...

AI score 5.4
Exploits 0
Hacker One
added 2026/02/25 8:48 a.m., 13 views

Nextcloud: Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId)

A security inconsistency was identified in the user_oidc app, where group-based login restrictions were enforced in the browser OIDC flow but not in bearer token validation. This could have allowed users outside whitelisted groups to access the Nextcloud API with a valid bearer token...

AI score 5.8
Exploits 0
Hacker One
added 2026/02/20 10:54 a.m., 8 views

Rocket.Chat: Complete authentication bypass to admin permissions

Vulnerability description not provided...

CVSS 9.8, AI score 5.7, EPSS 0.00416
Exploits 0
Hacker One
added 2026/02/18 12:17 p.m., 7 views

Node.js: Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process)

Vulnerability description not provided...

CVSS 7.5, AI score 6.7, EPSS 0.26356
Exploits 0
Hacker One
added 2026/02/18 7:42 a.m., 20 views

GitHub: Cross-repository IDOR in `/settings/security_analysis/bypass_reviewers` allows unauthorized delegated bypass reviewer modification

A vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository. Authorization was verified against the repository in the URL, but the action...

CVSS 5.3, AI score 5.9, EPSS 0.0027
Exploits 0
Hacker One
added 2026/02/17 8:39 p.m., 19 views

Node.js: Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net`

Vulnerability description not provided...

CVSS 5.3, AI score 6.2, EPSS 0.00146
Exploits 0
Hacker One
added 2026/02/17 8:01 p.m., 3 views

Nintendo: Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission

A consensus reflection attack on unordered peer submission was discovered in Splatoon 3, allowing an in-match integrity bypass...

AI score 5.8
Exploits 0
Hacker One
added 2026/02/17 10:22 a.m., 15 views

AWS VDP: Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs`

Asset: aws-cdk-lib npm package, source: https://github.com/aws/aws-cdk. Severity: High. CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Summary: The NodejsFunction construct in aws-cdk-lib/aws-lambda-nodejs constructs a shell command string...

AI score 6.1
Exploits 0
Hacker One
added 2026/02/16 10:41 p.m., 15 views

Python Cryptographic Authority: Fail-Open in set_tlsext_servername_callback on pyopenssl via unhandled exceptions leads to security bypass

A vulnerability was discovered in the pyopenssl library's handling of the Server Name Indication (SNI) callback, set_tlsext_servername_callback. The internal wrapper for this callback catches all Python exceptions raised by user code but returns 0 (success, SSL_TLSEXT_ERR_OK) to the underlying OpenSSL engine...

AI score 5.8
Exploits 0
Hacker One
added 2026/02/16 8:11 a.m., 13 views

AWS VDP: Arbitrary Code Execution via Scanner Bypass in **aws-diagram-mcp-server** `exec()` Namespace

Description: The aws-diagram-mcp-server contains an arbitrary code execution vulnerability in diagramstools.py. User-supplied Python code is executed via exec(code, namespace) at line 305 with a namespace containing the full os module, urlretrieve, and Python builtins. A security scanner (scanner.py)...

AI score 6.4
Exploits 0
Hacker One
added 2026/02/16 12:22 a.m., 15 views

PortSwigger Web Security: HTML Injection in DAST Trial Request Form Confirmation Email – PortSwigger

A vulnerability was discovered in the DAST trial request form on the website, where user input in the "First Name" field was not properly sanitized before being included in confirmation emails. This allowed the injection of arbitrary HTML content, which would be rendered in the recipient's email...

AI score 5.7
Exploits 0
Hacker One
added 2026/02/15 10:15 p.m., 22 views

Node.js: Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS

A flaw was discovered in the Node.js TLS error handling that left SNICallback invocations unprotected against synchronous exceptions. This represented an incomplete fix of the prior CVE-2026-21637 vulnerability, where the equivalent ALPN and PSK callbacks were already addressed. The issue could...

CVSS 7.5, AI score 5.8, EPSS 0.01056
Exploits 0
Hacker One
added 2026/02/10 1:35 p.m., 10 views

Monero: Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports

The peerlist_manager::filter function in the Monero project's p2p/net_peerlist.h file contained an incorrect ternary operator that operated on the wrong peer list. When called with 'white=true', it filtered the gray list instead of the white list. As a result, a single host could accumulate unlimit...

AI score 5.8
Exploits 0
Hacker One
added 2026/02/09 8:44 p.m., 12 views

Node.js: Assertion error in node_url.cc via malformed URL format leads to Node.js crash

An assertion error in node_url.cc via a malformed URL format leads to a Node.js crash. A flaw in the URL processing caused an assertion failure in the native code when url.format() was called with a malformed internationalized domain name containing invalid characters, crashing the Node.js process. Th...

CVSS 5.7, AI score 6.3, EPSS 0.00325
Exploits 0
Hacker One
added 2026/02/07 3:59 p.m., 10 views

Basecamp: Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure

The vulnerability allowed for cross-tenant ActionText reference resolution and data disclosure during the account import flow. The import process did not properly verify the ownership of the referenced records before minting signed global IDs, enabling an attacker to access and disclose data from...

AI score 5.8
Exploits 0
Total number of security vulnerabilities: 15365