[high] Free accounts minted permanent paid-tier perks

Any Account Mints Permanent Premium Reward Perks for Free

A business-logic flaw let any free account mint permanent, signed reward perk URLs for a paid membership tier, with a self-chosen far-future expiry that survived account deletion and had no rate limit.

May 23, 2026
Tags: Mobile, Business Logic, Broken Access Control
[critical] Public share link = full chat history takeover

One Public Share Link Unlocks Full Takeover of Any User's AI Chat History

A public share link on a major news site's AI chat product leaked the owner's internal user id, which then unlocked unauthenticated read, planting, and deletion of every conversation that user ever had, including chats that were never shared.

May 22, 2026
Tags: Web, Auth Bypass, IDOR
[critical] Any tenant decrypts any other tenant's secrets

Cross-Tenant KMS Decryption Oracle Recovers Any Customer's Production Secrets

An enterprise identity service exposed encrypt and decrypt endpoints to every tenant under one shared master key with no context binding, letting any customer recover any other customer's live API credentials.

May 20, 2026
Tags: Web API, Cross-Tenant, KMS
[high] Cross-session write into any customer's quote

Anonymous Visitor Can Silently Modify Any Customer's Insurance Quote

An insurer's quote-store endpoint accepted writes against any customer's identifier with no ownership check, letting any anonymous visitor silently poison any in-flight quote across five sibling brands.

May 20, 2026
Tags: Web, IDOR, Auth Bypass
[high] Cross-tenant read + write on shared corpus

GraphQL Auth Bypass on Observability Platform Allows Cross-Tenant Read and Write

Three GraphQL resolvers on a feature-flag and observability platform were missing authentication, exposing 15,915 cross-tenant records and accepting persistent writes from any unauthenticated caller.

May 20, 2026
Tags: GraphQL, Auth Bypass, Multi-Tenant
[critical] Anonymous SQLi on hundreds of production tables

Unauthenticated SQL Injection Reads Every Customer Across All Sibling Insurance Brands

A retrieve-quote API was vulnerable to error-based SQL injection on the insurer's production database, exposing hundreds of tables across all sibling brands to unauthenticated reads.

May 19, 2026
Tags: Web, SQL Injection, Auth Bypass
[critical] One-click silent ATO across business customers

Wildcard Browser Message Leaks Login Code, Enables Permanent Account Takeover

A wildcard browser message target on a consumer review platform's login popup leaked the authorization code to any cross-origin page, allowing a one-click silent email rebind and permanent business account takeover.

May 19, 2026
Tags: Web, OAuth, Auth Bypass
[critical] Guess a quote number, get the customer's file

Quote-Number Enumeration Oracle Yields Full Customer PII Across All Sibling Brands

An unauthenticated retrieve-quote endpoint accepted candidate quote numbers and returned full customer PII for valid ones, with no challenge and no rate limit, across five sibling insurance brands.

May 18, 2026
Tags: Web, Auth Bypass, Enumeration
[critical] 26 home records, full card data, in 3 minutes

Mass Extraction of Home-Insurance Customer Records Including Card Data and Bank Details

An auth-bypass flag on a home-insurance retrieve endpoint exposed full customer dossiers including saved card data, mortgagee banks, and direct-debit bank details, with no authentication.

May 17, 2026
Tags: Web, Sensitive Data Exposure, Auth Bypass
[critical] One phone number, full customer dossier

Phone Number Becomes Full Customer File at an Insurance Company

An insurer's message-centre endpoint converted any Australian mobile number into the matching customer's full identifiable record, with no authentication, across five sibling brands.

May 17, 2026
Tags: Web, PII Exposure, Enumeration