15369 matches found

Hacker One
added 2025/12/09 6:1 p.m., 10 views

curl: CVE-2025-14524: bearer token leak on cross-protocol redirect

Summary: A vulnerability exists in libcurl regarding the handling of OAuth2 Bearer tokens (CURLOPT_XOAUTH2_BEARER) during HTTP redirects. While libcurl correctly clears standard authentication credentials (CURLOPT_USERPWD) when following a redirect to a different host, port, or protocol a security...

5.7 CVSS, 7.6 AI score, 0.01595 EPSS
Exploits: 2

Hacker One
added 2025/12/09 3:45 p.m., 12 views

Stripo Inc: [Critical] Unauthorized Cross-Tenant Data Access in Stripo AI Hub Campaign via Deleted Project.

An unauthorized cross-tenant data access vulnerability was discovered in the Stripo AI Hub Campaign. The vulnerability allowed access to data from a deleted project. The issue was resolved...

5.5 AI score
Exploits: 0

Hacker One
added 2025/12/09 9:43 a.m., 21 views

IBM: [RCE] Remote Code Execution via React Server Components Vulnerability CVE-2025-55182

Vulnerability description not provided...

10 CVSS, 7.6 AI score, 0.99562 EPSS
Exploits: 372

Hacker One
added 2025/12/08 6:22 a.m., 10 views

Node.js: Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers

A vulnerability was identified in Node.js error handling where "Maximum call stack size exceeded" errors became uncatchable when async_hooks.createHook was enabled. Instead of reaching process.on('uncaughtException'), the process terminated, making the crash unrecoverable...

7.5 CVSS, 5.5 AI score, 0.00624 EPSS
Exploits: 0

Hacker One
added 2025/12/08 1:21 a.m., 10 views

Node.js: Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

A vulnerability was discovered in the Fetch API of Node.js that allowed an unbounded number of links in the decompression chain for HTTP responses. This could lead to resource exhaustion, as the default maxHeaderSize allowed a malicious server to insert thousands of compression steps, resulting i...

5.6 AI score
Exploits: 0

Hacker One
added 2025/12/06 9:17 p.m., 20 views

curl: Certificate Hostname Validation Bypass via Leading Dot in Hostname

Summary A hostname validation bypass in libcurl's wildcard certificate matching. The hostmatch function fails to handle hostnames starting with a dot, causing .example.com to match .example.com. When hostname starts with ., memchr returns position 0, so the entire hostname including the leading d...

6.8 AI score
Exploits: 0

Hacker One
added 2025/12/05 8:9 a.m., 14 views

curl: Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle

Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle. This software is licensed as described in the file COPYING, which you should have received as part of this distribution. The terms are also available at...

8.4 AI score
Exploits: 0

Hacker One
added 2025/12/05 7:47 a.m., 12 views

PlayStation: PS4 BD-J privilege escalation using nested JAR

A PS4 vulnerability was discovered in the Blu-ray Disc Java (BD-J) privilege escalation using nested JAR files. The vulnerability was found in the PS4 system software versions 13.00 to the latest version 13.02. The vulnerability was caused by a discrepancy between the security policy's path...

7.4 CVSS, 5.4 AI score, 0.00085 EPSS
Exploits: 0

Hacker One
added 2025/12/04 8:9 p.m., 22 views

Enjin: Unauthenticated GraphQL access by prepending __schema to private operations

A security vulnerability was identified in the GraphQL schema of the Enjin Platform. The vulnerability allowed unauthorized access to the GraphQL schema by prepending "__schema" to private operations. The vulnerability was discovered and reported by a security researcher. The specific location of t...

6.8 AI score
Exploits: 0

Hacker One
added 2025/12/04 9:55 a.m., 17 views

curl: SMTP Protocol Injection via CRLF in CURLOPT_MAIL_FROM leading to Email Spoofing

Here is the complete, finalized report. I have integrated the specific version of curl that you provided and added a detailed "Vulnerable Code Analysis" section with the code excerpts explained, as requested. I removed the Impact section in accordance with your instruction. Summary: A critic...

8.2 AI score
Exploits: 0

Hacker One
added 2025/12/03 12:21 a.m., 16 views

Node.js: CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown

Vulnerability description not provided...

3.3 CVSS, 6.6 AI score, 0.00395 EPSS
Exploits: 0

Hacker One
added 2025/12/01 7:47 p.m., 26 views

Automattic: XSS Vulnerability on Pressable/Atomic Hosting Platform via unescaped admin notices leads to code execution

A cross-site scripting (XSS) vulnerability was discovered in the Pressable/Atomic Hosting Platform's admin notices feature. Unescaped text output in the atomic-platform.php file allowed arbitrary JavaScript code execution when an administrator updated or set the atomicsingleoptionlimiternotices...

6 AI score
Exploits: 0

Hacker One
added 2025/12/01 1:23 a.m., 12 views

Basecamp: Link unfurling calls out to arbitrary URLs and the private-network guard misses link-local addresses

A vulnerability was discovered in the application that allowed authenticated users to supply a URL that the server would fetch for OpenGraph data. The "private network" guard only blocked certain IP ranges, but ignored link-local addresses, enabling server-side requests to be made to those hosts...

6.7 AI score
Exploits: 0

Hacker One
added 2025/11/30 7:37 p.m., 9 views

Revive Adserver: Broken Access Control allows advertiser accounts to delete trackers they do not own

Vulnerability description not provided...

7.1 CVSS, 6.8 AI score, 0.00227 EPSS
Exploits: 0

Hacker One
added 2025/11/30 8:51 a.m., 9 views

Revive Adserver: INI Format string injection in Revive Adserver 6.0.4 settings

Vulnerability description not provided...

2.7 CVSS, 6.8 AI score, 0.0021 EPSS
Exploits: 0

Hacker One
added 2025/11/30 12:7 a.m., 25 views

curl: Path Traversal in file:// protocol allows Arbitrary File Read

Summary: The file:// protocol handler in curl does not properly sanitise or block path traversal sequences (../). This allows a maliciously crafted file:// URL to escape the intended directory and access arbitrary files on the filesystem with the permissions of the user running curl. When curl is...

6.7 AI score
Exploits: 0

Hacker One
added 2025/11/29 5:6 p.m., 14 views

curl: Heap Buffer Overflow in TFTP

Summary: A heap buffer overflow vulnerability exists in the TFTP implementation of libcurl. The vulnerability is triggered when a malicious TFTP server sends an OACK (Option acknowledgment) packet with a blksize option that is larger than the default block size (512 bytes). libcurl updates its intern...

8.4 AI score
Exploits: 0

Hacker One
added 2025/11/27 8:51 p.m., 13 views

Nextcloud: Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes

A vulnerability was discovered in the style sanitizer of Roundcube Webmail that allowed bypassing the sanitizer using CSS character escapes. This enabled the use of arbitrary inline CSS, such as the url function, which could be used to retrieve the IP address and user agent of the person reading...

6.9 AI score
Exploits: 0

Hacker One
added 2025/11/26 8:34 a.m., 21 views

curl: Infinite loop issue in the state machine of the curl project

Summary: Vulnerability impact: When curl attempts to download files from a malicious FTP server, it triggers an infinite loop in the code execution. I discovered this issue in the FTP functionality of the curl project. As described in...

7.6 AI score
Exploits: 0

Hacker One
added 2025/11/26 7:35 a.m., 21 views

curl: runs javascript on powershell when it shouldnt

On windows, if I run a curl on powershell for a script that should show alert1 it just executes the script when it shouldn't. I did not use AI to find or report this bug. Affected version on CMD I ran curl --version curl 8.16.0 Windows libcurl/8.16.0 Schannel zlib/1.3.1 WinIDN on powershell it...

6.8 AI score
Exploits: 0

Hacker One
added 2025/11/22 5:56 a.m., 11 views

U.S. Dept Of Defense: Cross-Site Scripting via URL on ████████

A Cross-Site Scripting (XSS) vulnerability was discovered on a specific system through the GET method. The vulnerability allowed the injection of malicious scripts that could be executed. The provided payload demonstrated the vulnerability. The system host and affected products and versions were no...

6.2 AI score
Exploits: 0

Hacker One
added 2025/11/20 4:39 a.m., 18 views

curl: Arbitrary free in curl's config file parsing.

Summary: arbitrary free leading to possible double-free / use-after-free / memory corruption, depending on the program and the ability of what we can do after freeing the pointer we control. Statement clarifying if an AI was used to find the issue or generate the report: Yes I used AI to list...

7.7 AI score
Exploits: 0

Hacker One
added 2025/11/20 3:47 a.m., 25 views

curl: Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash This is sharp, Gaurav. We’ve got a real memory-safety bug ins

Summary - Component: libcurl core HTTP handling (HTTP/2 request translation and CONNECT detection) - Type: out-of-bounds read resulting from missing null-termination - Impact: Behavior not defined by the specification, the program can crash (DoS) and CONNECT requests can be...

6.8 AI score
Exploits: 0

Hacker One
added 2025/11/19 9:7 p.m., 21 views

Revive Adserver: Username Validation Bypass

Cricetinae Executive Summary The security patch in commit d239a0845e4f64fbacd25fff2854426734d43aa2 is INSUFFICIENT. Testing confirms that 3 out of 4 exploit vectors still bypass validation. --- Vulnerability Details Affected Component: Username validation in user registration/creation File:...

5.4 CVSS, 6.6 AI score, 0.00223 EPSS
Exploits: 1

Hacker One
added 2025/11/19 8:12 a.m., 13 views

curl: [SFTP] TOCTOU Race Condition in Upload Resume Logic Leads to Arbitrary File Append

Summary: A Time-of-check to Time-of-use (TOCTOU) race condition exists in the SFTP upload resume functionality of libcurl. When resuming an upload with CURLOPT_RESUME_FROM set to -1 (the equivalent of the curl -C - command-line flag), libcurl first performs a STAT operation to determine the remote file...

7.3 AI score
Exploits: 0

Hacker One
added 2025/11/18 9:17 p.m., 10 views

IBM: Path Traversal vulnerability identified on IBM endpoint.

A Path Traversal vulnerability was identified on an IBM endpoint. The vulnerability was reported to IBM, analyzed, and has been remediated...

6.8 AI score
Exploits: 0

Hacker One
added 2025/11/18 11:19 a.m., 16 views

curl: Double free in tool_ssls_load()

Summary: There is a double-free bug in tool_ssls_load, which can happen at line 83-84 or 129-130 toolssls.c: c curlfreeshmac; curlfreesdata; The root cause is that line 83-84 did not reset shmac and sdata to NULL. If the session is malformed, the double-free will be triggered. No AI was used to fin...

7 AI score
Exploits: 0

Hacker One
added 2025/11/16 7:32 a.m., 16 views

curl: Double-free vulnerability in libcurl with rustls via NoServerCertVerifier condition leads to application crash

Summary: There is a double-free in libcurl with rustls. The root cause is reported and it is fixed in https://github.com/curl/curl/pull/19425, while I did not try to evaluate the actual triggering at that time. No AI was used to find the issue or generate the report. Affected version It was...

6.7 AI score
Exploits: 0

Hacker One
added 2025/11/15 10:45 p.m., 15 views

curl: Incorrect sizeof() in Rustls Backend Memory Allocation

Summary There's a bug in lib/vtls/rustls.c where malloc uses sizeofciphersuites instead of sizeofciphersuites. This allocates memory based on pointer size rather than element size. Steps To Reproduce 1. Look at lib/vtls/rustls.c line 530: c const struct rustlssupportedciphersuite ciphersuites =...

7.3 AI score
Exploits: 0

Hacker One
added 2025/11/15 8:14 p.m., 10 views

AWS VDP: Command Injection on Amazon Q Developer CLI via malicious .amazonq/mcp.json leads to arbitrary code execution

Asset URL: https://github.com/aws/amazon-q-developer-cli/ Summary: Running Q chat from Amazon Q Developer CLI from an attacker-controlled repository/directory that contains a crafted .amazonq/mcp.json enables arbitrary command injection/execution. Amazon Q Developer CLI automatically loads and...

7.5 AI score
Exploits: 0

Hacker One
added 2025/11/15 7:12 p.m., 19 views

curl: Off-by-One Buffer Overflow in SMB Path Handler

Summary Found an off-by-one buffer overflow in lib/smb.c when handling SMB file paths. The bounds check uses instead of =, allowing a path of exactly 1023 bytes to overflow the 1024-byte buffer by one byte when the null terminator is added. Details File: lib/smb.c Function: smbsendopen Lines: 784...

7.6 AI score
Exploits: 0

Hacker One
added 2025/11/15 3:47 p.m., 15 views

curl: Malicious server forces .curlrc creation via curl -OJ leading to local file exfiltration

Summary: When a user runs curl -OJ , a malicious server can force the response to be saved as .curlrc in the working directory. If the user executes the download from their home directory a common workflow, the attacker overwrites /.curlrc. Subsequent curl invocations automatically load this...

6.7 AI score
Exploits: 0

Hacker One
added 2025/11/15 5:49 a.m., 10 views

AWS VDP: Unlimited Reuse of Coupon Code Allows Free Shipping on All Orders on ██████████

A vulnerability was found in the coupon code system of the ██████████ online store. The coupon code for free shipping could be used multiple times on any number of orders without any restrictions or tracking. This allowed users to bypass shipping charges indefinitely, resulting in a direct...

5.6 AI score
Exploits: 0

Hacker One
added 2025/11/15 2:55 a.m., 17 views

M&T Bank Vulnerability Disclosure: HTML Injection in Emails on login.mtb.com via givenName parameter leads to phishing attacks

A vulnerability was found that allowed HTML injection in emails on login.mtb.com via the givenName parameter. This vulnerability could have enabled phishing attacks...

7.1 AI score
Exploits: 0

Hacker One
added 2025/11/14 6:53 p.m., 12 views

Django: ASGIRequest header concatenation quadratic CPU DoS on Django via repeated headers leads to worker exhaustion

ASGIRequest header concatenation quadratic CPU DoS Reporter: Jiyong Yang / BAEKSEOK University Target: Django current main, affects all versions with ASGI support Type: Denial of Service CPU exhaustion Summary django.core.handlers.asgi.ASGIRequest builds the META dictionary by iterating over the...

5.5 AI score
Exploits: 0

Hacker One
added 2025/11/14 9:4 a.m., 17 views

Cosmos: Economic DoS (Griefing) on IBC Relayers via `memo` Callback Gas Exploitation

Summary of Impact This vulnerability allows an attacker to bypass the relayer's simulation defense and force permissionless relayers to execute computationally expensive, but 'successful', transactions via the memo callback feature. This creates an asymmetric economic attack where the relayer's...

6.7 AI score
Exploits: 0

Hacker One
added 2025/11/13 10:29 p.m., 16 views

Cloudflare Public Bug Bounty: AI Playground XSS to steal user-chat messages and access to connected MCP Server

A reflected XSS vulnerability was discovered in the AI Playground OAuth handler due to unescaped interpolation of the error_description parameter into a script tag. The issue has been patched, and users of the open-source Agents SDK should upgrade to v0.3.10...

5.5 AI score
Exploits: 0

Hacker One
added 2025/11/13 10:4 p.m., 12 views

Django: User enumeration via timing attack in Django mod_wsgi authentication backend leads to account discovery

A vulnerability was discovered in the check_password function in django/contrib/auth/handlers/modwsgi.py. When a non-existent username was provided, the function returned immediately without performing password verification, leading to a timing attack that allowed attackers to enumerate valid...

5.4 AI score
Exploits: 0

Hacker One
added 2025/11/12 10:46 p.m., 13 views

Cloudflare Public Bug Bounty: [Variation of #3321406] YetAnother 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in AccessTempAuth

A vulnerability in Cloudflare Access involving the Browser Isolation email field was discovered, which could allow for unauthorized approvals within the Temporary Auth workflow. The issue has been fully remediated...

5.7 AI score
Exploits: 0

Hacker One
added 2025/11/12 12:30 p.m., 20 views

LY Corporation: page.line.me Open Redirect Leading to OAuth Authorization Code Exposure and Access Token Compromise

An open redirect vulnerability was identified in page.line.me because redirect destinations were not properly restricted to trusted domains. This vulnerability could have been abused within an OAuth 2.0 authorization flow to cause the authorization response to be sent to an attacker-controlled...

5.9 AI score
Exploits: 0

Hacker One
added 2025/11/11 4:15 p.m., 24 views

lemlist: Authentication Token Theft via Open Redirect in Callback URL Parameter

A vulnerability was identified in the email signup flow of a website that enabled authentication token theft through manipulation of the callback URL parameter. The vulnerability occurred when an attacker modified the callbackUrl parameter during the email signup process to point to an...

6.9 AI score
Exploits: 0

Hacker One
added 2025/11/11 3:55 p.m., 30 views

curl: Hash exposed in public repository

An image hash is publicly exposed on Github Steps to reproduce: See at https://github.com/curl/curl/blob/master/Dockerfile Solution: If you want to keep the hash, the repository should be private Use official tags without specific hashes or environment variables Best, @skymander Impact An attacke...

6.9 AI score
Exploits: 0

Hacker One
added 2025/11/11 3:25 p.m., 24 views

AWS VDP: AWS Auto Scaling Service Reporting "AWS Internal" for CloudTrail Events Generated from Specific Endpoints

A vulnerability was discovered in the AWS Auto Scaling service, where 6 API endpoints incorrectly reported the user-agent and network information as "AWS Internal" in CloudTrail logs. This allowed the adversary to perform API calls using these endpoints and evade the logging of their IP address a...

6.8 AI score
Exploits: 0

Hacker One
added 2025/11/10 9:41 p.m., 10 views

AWS VDP: Non-Production API Endpoints for the AI Ops Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration

The vulnerability found that there are 5 non-production endpoints for the AI Ops service that can be used with standard IAM credentials and do not log to CloudTrail. While the endpoints do not appear to provide access to customer partition data, they can be used for permission enumeration without...

6.8 AI score
Exploits: 0

Hacker One
added 2025/11/10 7:43 p.m., 24 views

curl: libcurl FTP path normalization flaw allows decoded %2e%2e → CWD .. and directory escape (Path Traversal, CWE-22)

ftp_parse_url_path in lib/ftp.c URL-decodes FTP path segments (e.g. %2e%2e) and then splits the decoded path into components using an ad-hoc loop that skips empty components produced by //. The code does not perform canonical path normalization (no stack-based handling of . or ..). As a result, encoded...

7.3 AI score
Exploits: 0

Hacker One
added 2025/11/10 6:4 p.m., 18 views

curl: Silent TLS Trust Model Hijacking via `CURL_CA_BUNDLE` Environment Variable Leads to MITM

Summary: curl is vulnerable to silent Man-in-the-Middle (MITM) attacks due to its design, which implicitly trusts the CA certificate path specified in the CURL_CA_BUNDLE environment variable. This mechanism allows the entire TLS trust model (chain of trust) of curl to be hijacked without any warning or...

6.8 AI score
Exploits: 0

Hacker One
added 2025/11/10 5:36 p.m., 25 views

curl: Command Injection - CRITICISM

Description: The $openssl code in curl 8.17.0.1 allows exploitation. Steps to reproduce: 1 Extract and install curl on Windows. 2 See the code in mk-ca-bundle. Affected: curl:8.17.0.1 SO:Windows 11/10/8 Helped analized: Deep Seek perl $result = "$openssl" dgst -r -sha256 "$0"; Problem: The $0...

7.5 AI score
Exploits: 0

Hacker One
added 2025/11/10 3:55 p.m., 16 views

curl: Arbitrary Configuration File Inclusion: via External Control of File Name or Path

Summary: The Arbitrary Configuration File Inclusion (ACFI) vulnerability was identified in the curl utility via the --config option. This flaw is a form of External Control of File Name or Path (CWE-73), occurring due to the lack of adequate validation on the user-supplied configuration file path. An...

7.1 AI score
Exploits: 0

Hacker One
added 2025/11/10 3:11 p.m., 23 views

curl: SMTP CRLF Injection in curl/libcurl via MAIL FROM/RCPT TO parameters

SMTP CRLF Injection Vulnerability in curl/libcurl Vulnerability ID: CURL-SMTP-CRLF-2024 CWE-93: Improper Neutralization of CRLF Sequences Executive Summary curl/libcurl contains a CRLF injection vulnerability in its SMTP implementation that allows attackers to inject arbitrary SMTP commands by...

7.8 AI score
Exploits: 0

Hacker One
added 2025/11/10 1:36 p.m., 21 views

curl: Unsafe use of strcpy in Curl_ldap_err2string (packages/OS400/os400sys.c) — stack-buffer-overflow (PoC + ASan)

I've provided the detailed description and clear steps previously, but it seems you need the content tailored directly for the submission form's fields. I will present the complete, professional, and detailed response suitable for reporting a memory corruption vulnerability to a vendor or bug...

8.3 AI score
Exploits: 0

Total number of security vulnerabilities: 15369