Severity: high. Anonymous script on every page, every visitor

Unauthenticated Stored XSS Lets Anyone Rewrite Every Page for Every Visitor

A third-party cookie-consent banner service accepted anonymous edits to its live banner config, which an insurer's site rendered into every page, executing attacker-controlled script for every visitor with no login and no interaction.

Jun 5, 2026
Tags: Web, Stored XSS, Supply Chain
Severity: high. Live location of every driver, no login

Unauthenticated API Exposes Live GPS Location of Every Chauffeur

A drivers-nearby endpoint on a chauffeur service's mobile backend returned the live, sub-meter GPS location of every active driver with no login, enabling bulk fleet mapping and continuous real-time tracking of any individual.

Jun 4, 2026
Tags: API, Auth Bypass, Location
Severity: high. Read-only account mints infrastructure creds

Read-Only Role Mints and Destroys Data-Pipeline Agent Credentials

A documented read-only reviewer role on a data integration platform could create and delete the self-hosted agents that route an account's data pipelines, including minting a live data-plane credential, because agent management was never governed by role-based access control.

Jun 4, 2026
Tags: Web API, Access Control, Privilege Escalation
Severity: high. Edit one field, take over any account

User-Editable Identity Field Allows Takeover of Any Account

A misconfigured cloud identity provider let any low-privilege self-signup user overwrite the identity field the backend trusted, taking over any account, including a region administrator, with no victim interaction.

Jun 4, 2026
Tags: Web, Account Takeover, IAM
Severity: high. Low-privilege admin reads private case files

Group Admin Injects Any User to Read and Tamper With Private Investigations

A missing management-scope check on a group membership endpoint let a low-privilege group admin inject any same-org user into their group, then read and tamper with that user's private case files and plant a durable sharing policy for covert access.

Jun 3, 2026
Tags: Web API, IDOR, Access Control
Severity: high. Internet bypass leaks staff and customer lists

Address-Allowlist Bypass Exposes Internal Metrics, Employee Emails and Customer List

A path-normalization flaw let an unauthenticated attacker on the public internet defeat an address allowlist fronting an internal monitoring endpoint, exposing thousands of employee emails and the full B2B customer roster.

Jun 3, 2026
Tags: Web, Access Control Bypass, Data Exposure
Severity: high. One unauthenticated request to full admin takeover

Unauthenticated Stored XSS to Admin Takeover via a Page-Builder Module

An unauthenticated write to a content management system's visual page-design plugin planted a stored cross-site scripting payload that ran as a logged-in administrator, escalating to backoffice takeover and server-side code execution.

Jun 1, 2026
Tags: Web, Stored XSS, CMS
Severity: critical. No login needed, full database control

Leaked Token to Super-Admin Takeover and Production Database Injection

A secret access key left inside a public website chained into unauthenticated super-admin control of the content system and arbitrary SQL injection on the production database.

May 24, 2026
Tags: Web, Auth Bypass, SQL Injection
Severity: critical. Entire subscriber base exposed from one login

Account-Summary IDOR Leaks Every Subscriber's Details

A missing ownership check let any single login at a mobile carrier read the name, phone number, plan and billing details of every subscriber by changing one number in the request.

May 24, 2026
Tags: Mobile + API, IDOR, PII
Severity: critical. Zero-knowledge to super-admin in two minutes

Unauthenticated CMS Super-Admin Takeover via Private-Field Oracle

A public content API leaked an administrator's private password-reset token one character at a time, enabling a full unauthenticated takeover of a headless CMS that escalated to production SQL injection.

May 23, 2026
Tags: Web, Auth Bypass, SQL Injection