Bug Bounty

HackerOne Bug Bounty Disclosure: privilege-escalation-a-non-owner-user-who-does-not-have-access-to-the-user-management-can-invite-other-users-to-the-restaurant-page-vijaysimha-reddy

January 29, 2025

Company Name: Yelp Company HackerOne URL: https://hackerone.com/yelp Submitted By:vijaysimha-reddyLink to Submitters Profile:https://hackerone.com/vijaysimha-reddy Report Title:Privilege Escalation - A Non Owner User...

HackerOne Bug Bounty Disclosure: disclosure-of-the-valid-cognizant-credentials-at-the-postman-collection-hellicopter

January 29, 2025

Company Name: Cognizant Company HackerOne URL: https://hackerone.com/cognizant Submitted By:hellicopterLink to Submitters Profile:https://hackerone.com/hellicopter Report Title:Disclosure of the valid Cognizant credentials at...

HackerOne Bug Bounty Disclosure: privilege-escalation-a-low-privilege-user-who-does-not-have-access-to-the-user-management-module-can-remove-the-owner-of-the-business-account-vijaysimha-reddy

January 28, 2025

HackerOne Bug Bounty Disclosure: path-traversal-by-drive-name-in-windows-environment-taise

January 27, 2025

Company Name: Node.js Company HackerOne URL: https://hackerone.com/nodejs Submitted By:taiseLink to Submitters Profile:https://hackerone.com/taise Report Title:Path traversal by drive name in Windows...

HackerOne Bug Bounty Disclosure: post-based-cross-site-scripting-on-ibm-research-endpoint-youssifs

January 23, 2025

Company Name: IBM Company HackerOne URL: https://hackerone.com/ibm Submitted By:youssifs7Link to Submitters Profile:https://hackerone.com/youssifs7 Report Title:POST based Cross-Site Scripting on IBM research...

HackerOne Bug Bounty Disclosure: usage-of-unsafe-random-function-in-undici-for-choosing-boundary-parrot

January 23, 2025

Company Name: Node.js Company HackerOne URL: https://hackerone.com/nodejs Submitted By:parrot409Link to Submitters Profile:https://hackerone.com/parrot409 Report Title:Usage of unsafe random function in undici...

HackerOne Bug Bounty Disclosure: -bypass-email-verification-for-monitoring-at-monitor-mozilla-org–d-amrr

January 22, 2025

Company Name: Mozilla Company HackerOne URL: https://hackerone.com/mozilla Submitted By:0d_amrrLink to Submitters Profile:https://hackerone.com/0d_amrr Report Title: Bypass Email verification for monitoring at...

HackerOne Bug Bounty Disclosure: disclosing-policypageassetgroup-in-private-programs-via-graphql-gid-hackerone-policypageassetgroupsindex-policypageassetgroup-id-haxta-ok

January 21, 2025

Company Name: HackerOne Company HackerOne URL: https://hackerone.com/security Submitted By:haxta4ok00Link to Submitters Profile:https://hackerone.com/haxta4ok00 Report Title:Disclosing PolicyPageAssetGroup in Private Programs via /graphql...

HackerOne Bug Bounty Disclosure: worker-permission-bypass-via-internalworker-leak-in-diagnostics-leodog

January 21, 2025

Company Name: Node.js Company HackerOne URL: https://hackerone.com/nodejs Submitted By:leodog896Link to Submitters Profile:https://hackerone.com/leodog896 Report Title:Worker permission bypass via InternalWorker leak in...

HackerOne Bug Bounty Disclosure: cve-apache-airflow-format-string-vulnerability-leixiao

January 18, 2025

Company Name: Internet Bug Bounty Company HackerOne URL: https://hackerone.com/ibb Submitted By:leixiaoLink to Submitters Profile:https://hackerone.com/leixiao Report Title:CVE-2022-40604: Apache Airflow: Format String...

HackerOne Bug Bounty Disclosure: object-level-access-control-leads-to-reading-user-s-full-requests-sessions-and-error-messages-mester-x

January 18, 2025

Company Name: Yelp Company HackerOne URL: https://hackerone.com/yelp Submitted By:mester_xLink to Submitters Profile:https://hackerone.com/mester_x Report Title:Object Level access control leads to reading...

HackerOne Bug Bounty Disclosure: netrc-and-redirect-credential-leak-nyymi

January 15, 2025

Company Name: Internet Bug Bounty Company HackerOne URL: https://hackerone.com/ibb Submitted By:nyymiLink to Submitters Profile:https://hackerone.com/nyymi Report Title:netrc and redirect credential leakReport...

HackerOne Bug Bounty Disclosure: critical-data-breach-big-data-for-all-domains-shezxi

January 14, 2025

Company Name: Basecamp Company HackerOne URL: https://hackerone.com/basecamp Submitted By:shezxiLink to Submitters Profile:https://hackerone.com/shezxi Report Title:Critical Data Breach - Big Data for...

HackerOne Bug Bounty Disclosure: blind-ssrf-vulnerability-in-appstore-release-upload-form-offensiveops

January 14, 2025

Company Name: Nextcloud Company HackerOne URL: https://hackerone.com/nextcloud Submitted By:offensiveopsLink to Submitters Profile:https://hackerone.com/offensiveops Report Title:Blind SSRF Vulnerability in Appstore Release Upload...

HackerOne Bug Bounty Disclosure: waf-bypass-and-java-script-incomplete-handling-of-unicode-characters-might-leads-to-dom-xss-clubbable

January 13, 2025

Company Name: Doppler Company HackerOne URL: https://hackerone.com/doppler Submitted By:clubbableLink to Submitters Profile:https://hackerone.com/clubbable Report Title:WAF bypass and java script incomplete handling...

HackerOne Bug Bounty Disclosure: unauthenticated-path-traversal-and-command-injection-in-trellix-enterprise-security-manager-r-v

January 12, 2025

Company Name: Trellix Company HackerOne URL: https://hackerone.com/trellix Submitted By:r4vLink to Submitters Profile:https://hackerone.com/r4v Report Title:Unauthenticated Path Traversal and Command Injection in...

HackerOne Bug Bounty Disclosure: yet-another-otp-code-leaked-in-the-api-response-tinopreter

January 8, 2025

Company Name: MTN Group Company HackerOne URL: https://hackerone.com/mtn_group Submitted By:tinopreterLink to Submitters Profile:https://hackerone.com/tinopreter Report Title:Yet Another OTP code Leaked in...

HackerOne Bug Bounty Disclosure: otp-code-leaked-in-api-response-tinopreter

January 8, 2025

HackerOne Bug Bounty Disclosure: sql-injection-in-url-path-leads-to-database-access-tinopreter

January 8, 2025

HackerOne Bug Bounty Disclosure: bypass-email-verification-on-add-email-monitoring-dotxml

January 7, 2025

Company Name: Mozilla Company HackerOne URL: https://hackerone.com/mozilla Submitted By:dotxmlLink to Submitters Profile:https://hackerone.com/dotxml Report Title:Bypass Email Verification on Add Email MonitoringReport...

HackerOne Bug Bounty Disclosure: lack-of-url-validation-in-avatarurl-at-v-profile-marcotuliocnd

December 28, 2024

Company Name: Truecaller Company HackerOne URL: https://hackerone.com/truecaller Submitted By:marcotuliocndLink to Submitters Profile:https://hackerone.com/marcotuliocnd Report Title:Lack of URL Validation in avatarUrl at...

HackerOne Bug Bounty Disclosure: -oem-acronis-com-reflected-cross-site-scripting-darkdream

December 28, 2024

Company Name: Acronis Company HackerOne URL: https://hackerone.com/acronis Submitted By:darkdreamLink to Submitters Profile:https://hackerone.com/darkdream Report Title:acroniscom] Reflected Cross Site Scripting Report Link:https://hackerone.com/reports/2038943Date...

HackerOne Bug Bounty Disclosure: a-potential-risk-in-the-aws-lambda-ecs-run-task-which-can-be-used-to-privilege-escalation-zolaer

December 27, 2024

Company Name: AWS VDP Company HackerOne URL: https://hackerone.com/aws_vdp Submitted By:zolaer9527Link to Submitters Profile:https://hackerone.com/zolaer9527 Report Title:A potential risk in the aws-lambda-ecs-run-task...

HackerOne Bug Bounty Disclosure: hackers-attack-curl-vulnerability-accessing-sensitive-information-scottarterbury

December 27, 2024

Company Name: curl Company HackerOne URL: https://hackerone.com/curl Submitted By:scottarterburyLink to Submitters Profile:https://hackerone.com/scottarterbury Report Title:Hackers Attack Curl Vulnerability Accessing Sensitive InformationReport...

Bug Bounty

HackerOne Bug Bounty Disclosure: privilege-escalation-a-non-owner-user-who-does-not-have-access-to-the-user-management-can-invite-other-users-to-the-restaurant-page-vijaysimha-reddy

HackerOne Bug Bounty Disclosure: disclosure-of-the-valid-cognizant-credentials-at-the-postman-collection-hellicopter

HackerOne Bug Bounty Disclosure: privilege-escalation-a-low-privilege-user-who-does-not-have-access-to-the-user-management-module-can-remove-the-owner-of-the-business-account-vijaysimha-reddy

HackerOne Bug Bounty Disclosure: path-traversal-by-drive-name-in-windows-environment-taise

HackerOne Bug Bounty Disclosure: post-based-cross-site-scripting-on-ibm-research-endpoint-youssifs

HackerOne Bug Bounty Disclosure: usage-of-unsafe-random-function-in-undici-for-choosing-boundary-parrot

HackerOne Bug Bounty Disclosure: -bypass-email-verification-for-monitoring-at-monitor-mozilla-org–d-amrr

HackerOne Bug Bounty Disclosure: disclosing-policypageassetgroup-in-private-programs-via-graphql-gid-hackerone-policypageassetgroupsindex-policypageassetgroup-id-haxta-ok

HackerOne Bug Bounty Disclosure: worker-permission-bypass-via-internalworker-leak-in-diagnostics-leodog

HackerOne Bug Bounty Disclosure: cve-apache-airflow-format-string-vulnerability-leixiao

HackerOne Bug Bounty Disclosure: object-level-access-control-leads-to-reading-user-s-full-requests-sessions-and-error-messages-mester-x

HackerOne Bug Bounty Disclosure: netrc-and-redirect-credential-leak-nyymi

HackerOne Bug Bounty Disclosure: critical-data-breach-big-data-for-all-domains-shezxi

HackerOne Bug Bounty Disclosure: blind-ssrf-vulnerability-in-appstore-release-upload-form-offensiveops

HackerOne Bug Bounty Disclosure: waf-bypass-and-java-script-incomplete-handling-of-unicode-characters-might-leads-to-dom-xss-clubbable

HackerOne Bug Bounty Disclosure: unauthenticated-path-traversal-and-command-injection-in-trellix-enterprise-security-manager-r-v

HackerOne Bug Bounty Disclosure: yet-another-otp-code-leaked-in-the-api-response-tinopreter

HackerOne Bug Bounty Disclosure: otp-code-leaked-in-api-response-tinopreter

HackerOne Bug Bounty Disclosure: sql-injection-in-url-path-leads-to-database-access-tinopreter

HackerOne Bug Bounty Disclosure: bypass-email-verification-on-add-email-monitoring-dotxml

HackerOne Bug Bounty Disclosure: lack-of-url-validation-in-avatarurl-at-v-profile-marcotuliocnd

HackerOne Bug Bounty Disclosure: -oem-acronis-com-reflected-cross-site-scripting-darkdream

HackerOne Bug Bounty Disclosure: a-potential-risk-in-the-aws-lambda-ecs-run-task-which-can-be-used-to-privilege-escalation-zolaer

HackerOne Bug Bounty Disclosure: hackers-attack-curl-vulnerability-accessing-sensitive-information-scottarterbury

[MEDUSA] – Ransomware Victim: Simon Property Group

CVE Alert: CVE-2025-12399 – alexreservations – Alex Reservations: Smart Restaurant Booking

CVE Alert: CVE-2025-12099 – academylms – Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

CVE Alert: CVE-2025-9334 – codesolz – Better Find and Replace – AI-Powered Suggestions

CVE Alert: CVE-2025-11967 – getwpfunnels – Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more

You may have missed