Flawed domain check allowed attacker URL in WebView. Session token stolen in under 2 seconds, valid for 7 months. (Feb 26, 2026)

Signing secret in APK enabled forged support tokens. KYC docs, IP addresses, and risk scores exposed for any user. (Feb 25, 2026)

Domain allowlist used substring matching. Attacker domain passed the check, WebView leaked session tokens. (Feb 24, 2026)

Timing flaw in login verification bypassed email check entirely. Full recovery phrase and private key extracted in 60 seconds. (Feb 23, 2026)

Unauthenticated webhook endpoint allowed full-read SSRF. Cloud IMDS accessed via redirect bypass, 14 internal hosts mapped. (Feb 21, 2026)

Anonymous role had read/update/delete on 13 tables. 45,372 wallet addresses with trading volumes exposed. (Feb 21, 2026)

Dev server in production exposed 6.1MB database with admin credentials, API tokens, and GitHub PAT. (Feb 21, 2026)

Self-ordering endpoint leaked access tokens. Chained with partner lookup to extract emails, phones, and addresses. (Feb 21, 2026)