[high] Permanent ATO via genuine reset email

Account Takeover of Any User via Password-Reset Email Injection

A persistent injection into a news site's password-reset email captured the victim's brand-new plaintext password and session cookies the moment they clicked a genuine reset link from the publication itself.

May 15, 2026
Web, Stored XSS, Account Takeover
[critical] Worker private key leaked to read-only role

Managed Stream Connector Reads Worker TLS Private Key via Trust-Cert Path

A path field in a managed streaming connector reflected raw worker file contents back through status and logs, leaking the worker TLS private key to read-only project members.

May 15, 2026
Web API, LFI, Cloud
[critical] Five-second paste unlocks every article

Hardcoded Signing Key in Android App Bypasses Paywall for Every Article

A signing key recovered offline from a news publication's Android app let any browser forge a subscriber session token, unlocking every paywalled article with no account and no payment.

May 14, 2026
Android, Hardcoded Credentials, Auth Bypass
[critical] Claimable scope on production business bundle

Unclaimed Internal Package Scope on a Consumer Review Platform Dashboard

A consumer review platform's business dashboard imported from an unclaimed internal package scope on the public registry, leaving the door open to a supply-chain hijack of every business customer.

May 14, 2026
Supply Chain, Web, Dependency Confusion
[critical] Tens of thousands of patient records, no login

Unauthenticated Bulk Extraction of Patient Records From a Research Data Portal

Two interactive data-explorer apps on a national clinical-outcomes registry skipped session validation, exposing tens of thousands of patient records with 149 clinical variables to any internet visitor.

May 13, 2026
Web, Auth Bypass, PHI
[critical] 320 confidential reports read end-to-end

SVG Upload to Bug Bounty Platform Steals Company Manager Session Token

An SVG upload stored verbatim with no content-security policy let a single link click capture a company manager's session token and unlock 320 confidential reports across two programs.

May 13, 2026
Web, Stored XSS, Account Takeover
[high] One-tap link to full account takeover

In-App Phishing via Deep-Link SDK Lands Account Takeover on an Events Marketplace

A leaked deep-link key plus an open in-app WebView let an attacker render a fake confirmation page inside the genuine app, trigger a real verification email, and capture the code for full account takeover.

May 12, 2026
Android, iOS, Deep Links
[high] 316 cross-tenant invoices from one fresh account

Cross-Partner Invoice Read Exposes Years of Financial Records on an Events Marketplace

A self-service signup form plus a broken-authorization invoice API leaked 316 invoice PDFs across 9 unrelated business partners in 6 countries, with records going back to 2017.

May 12, 2026
Web API, IDOR, Authorization
[critical] Real paid orders on ~70% of probed partners

Unauthenticated Privilege Escalation Mints Paid Orders on Partner Books

An unauthenticated B2B signup endpoint on a live-experiences marketplace let any stranger become a manager inside any partner organisation and create real paid orders that were billed to the partner.

May 11, 2026
Web API, Access Control, Privilege Escalation
[critical] Supply-chain hijack reaches checkout, kiosks, CI

Unclaimed npm Scope on Live Payment Bundle and Venue Kiosks

A leaked package manifest on an events marketplace exposed an unclaimed internal scope and wildcard package names reachable from live payment-card collection code, physical venue kiosks, and the build pipeline.

May 8, 2026
Supply Chain, Web, Dependency Confusion