[critical] ~22,000 clonable live tickets exportable without authentication

Unauthenticated Staging Assistant Leaks 3M Production Ticket Barcodes

An internal analytics assistant API on a staging host was missing authentication while holding production data, exposing 3.3M ticket records and signed download URLs for live future events.

May 8, 2026
Web API, Auth Bypass, Data Exposure
[critical] Full-database identity leak via one PATCH

Investor Account IDOR Leaks Any User's Identity Record on a Wealth Platform

An authorization check was missing on one sub-path of a wealth platform's investor account API, letting any logged-in user read any other user's full identity record and overwrite the victim's display name with a single PATCH request.

May 8, 2026
Web, IDOR, PII
[critical] 132 clients' PII exposed

Auth Bypass + IDOR on a Financial Advice Platform Exposes 132 Clients' PII to Any Free Account

A financial advice and superannuation platform's policy disabled customer self-registration, but the backend still issued a Client-role session to a self-registered free account. Two data endpoints with no authorization check then exposed 615 fact-find records and full client profiles to that account.

May 5, 2026
Web, Authentication, PII Exposure
[high] Cross-tenant API credential theft

Cross-Tenant Credential Disclosure: Iterable IDs Link Another Customer's API Secrets to Your Account

A chatbot integration accepted another tenant's authorization-object ID with no ownership check. Posting three small integer IDs returned another customer's Authorization header values for their basic, bearer, and OAuth credentials, which is cleartext-equivalent since the headers can be replayed as-is.

May 1, 2026
Web, IDOR, Multi-Tenant
[critical] Cloud metadata reachable

Authenticated SSRF Reaches Cloud Metadata Service via DNS Rebinding, Full Response Disclosed

An enterprise SaaS chatbot integration accepted attacker-supplied destination URLs and echoed the upstream response back to the caller. The IP allow-list checked the name's resolved address once, and the request was made with a later resolution of the same name, so DNS rebinding (a public address at check time, the metadata address at fetch time) bypassed the allow-list and reached the cloud metadata service, with the full response disclosed.

Apr 29, 2026
Web, SSRF, Cloud
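The check-time/use-time gap in the SSRF entry above, as an added example that is not code from the page or from the affected vendor. The validate-then-fetch function resolves the hostname twice, so a zone that answers a public address first and 169.254.169.254 second defeats the allow-list; the pinned version resolves once and connects to the validated address. The `RebindingResolver` class and the `rebind.attacker.example` name are constructed stand-ins for an attacker-controlled zero-TTL zone; in a real client the two lookups are the validator's `getaddrinfo()` and the HTTP library's own.

```python
import ipaddress
from urllib.parse import urlparse


def is_public_ip(ip: str) -> bool:
    """Allow-list rule: only globally routable addresses may be fetched.
    ipaddress marks 169.254.169.254 (cloud metadata), RFC 1918, loopback
    and the rest of link-local space as not global, so all are rejected."""
    return ipaddress.ip_address(ip).is_global


class RebindingResolver:
    """Constructed stand-in for an attacker's zone with a zero TTL: the first
    lookup returns a public address, every later lookup returns the last
    answer in the list (the metadata address in the usage below)."""

    def __init__(self, answers):
        self._answers = list(answers)

    def resolve(self, hostname: str) -> str:
        if len(self._answers) > 1:
            return self._answers.pop(0)
        return self._answers[0]


def fetch_vulnerable(url: str, resolver) -> str:
    """Validate-then-fetch. The name is resolved once for the check and then
    resolved AGAIN by the HTTP client, so the second DNS answer decides where
    the socket actually connects. Returns that address."""
    host = urlparse(url).hostname
    if host is None or not is_public_ip(resolver.resolve(host)):
        raise ValueError("destination not allowed")
    return resolver.resolve(host)  # the client's own lookup: attacker's second answer


def fetch_pinned(url: str, resolver) -> str:
    """Resolve once, validate that exact address, and connect to it. A real
    client dials the IP, sends the original Host header, and re-runs this
    check on every redirect instead of following it blindly. Returns the
    pinned address."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError("destination not allowed")
    ip = resolver.resolve(host)
    if not is_public_ip(ip):
        raise ValueError("destination not allowed")
    return ip


if __name__ == "__main__":
    target = "http://rebind.attacker.example/probe"  # hypothetical attacker name
    dns = RebindingResolver(["93.184.216.34", "169.254.169.254"])
    print("vulnerable client connects to", fetch_vulnerable(target, dns))
    dns = RebindingResolver(["93.184.216.34", "169.254.169.254"])
    print("pinned client connects to", fetch_pinned(target, dns))
```

Pinning alone is not sufficient if the client follows redirects: a 302 to `http://169.254.169.254/` after a pinned connection reopens the gap unless the redirect target goes through the same resolve-validate-pin step.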
[critical] Cross-tenant secret disclosure

Cross-Tenant Decryption on Shared Master Key: Any Tenant Reads Any Other Tenant's Secrets

An enterprise SaaS platform exposed encrypt and decrypt API endpoints to every authenticated tenant with no role guard and a single global key, letting any customer decrypt any other customer's stored secrets byte-for-byte.

Apr 29, 2026
Web, Cryptography, Multi-Tenant
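The two shapes of the decrypt endpoint from the shared-master-key entry above, as an added example that is not code from the page or from the affected vendor. `decrypt_shared` is the vulnerable shape: one global key, tenant identity unused, no role guard, so any caller recovers any blob. `decrypt_scoped` derives a per-tenant subkey from the same master, binds the tenant ID into the authenticated data, and enforces a role, so a blob sealed for tenant-a fails authentication for tenant-b. The `seal`/`open_sealed` pair is an HMAC-SHA256 counter-mode encrypt-then-MAC construction used here only so the block runs on the standard library; in production use AES-GCM or ChaCha20-Poly1305 with the same key-derivation and AAD discipline. `MASTER_KEY`, the `secrets-admin` role name and the `tenant-dek:` label are assumptions.

```python
import hashlib
import hmac
import os

MASTER_KEY = os.urandom(32)  # constructed; stands in for the platform's one global key
NONCE_LEN, TAG_LEN = 16, 32


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real stream/AEAD cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:n]


def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Separate enc/mac subkeys; AAD is length-prefixed
    so tenant IDs of different lengths cannot collide in the tag input."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = _prf(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct)
    return nonce + ct + tag


def open_sealed(key: bytes, aad: bytes, blob: bytes):
    """Returns the plaintext, or None if the tag does not verify under this key/AAD."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = _prf(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct)
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Vulnerable shape: one key for everyone, caller identity and role ignored.
def encrypt_shared(plaintext: bytes, master: bytes = MASTER_KEY) -> bytes:
    return seal(master, b"", plaintext)


def decrypt_shared(caller_tenant: str, caller_role: str, blob: bytes, master: bytes = MASTER_KEY):
    return open_sealed(master, b"", blob)  # tenant-b reads tenant-a's blob byte-for-byte


# Hardened shape: per-tenant subkey, tenant ID as AAD, explicit role guard.
def tenant_key(master: bytes, tenant_id: str) -> bytes:
    return _prf(master, b"tenant-dek:" + tenant_id.encode())


def encrypt_scoped(caller_tenant: str, caller_role: str, plaintext: bytes, master: bytes = MASTER_KEY):
    if caller_role != "secrets-admin":
        return None
    return seal(tenant_key(master, caller_tenant), caller_tenant.encode(), plaintext)


def decrypt_scoped(caller_tenant: str, caller_role: str, blob: bytes, master: bytes = MASTER_KEY):
    if caller_role != "secrets-admin":
        return None
    # A blob sealed under tenant-a's subkey and AAD fails the tag check here for any other tenant.
    return open_sealed(tenant_key(master, caller_tenant), caller_tenant.encode(), blob)
```

The role guard and the key scoping are independent defences: the guard stops low-privilege callers inside a tenant, the derived key plus AAD stops a fully privileged caller in another tenant, and the page's finding needed both to be absent.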
[critical] Anonymous cross-tenant ATO

Writable Tenant Attribute on Public Sign-Up Lets Anyone Pivot Into Any Customer's Account

A public sign-up flow let an anonymous attacker set the tenant ID attribute on their own new account. The backend trusted that claim, granting full directory access to any customer's tenant from a single self-registered account.

Apr 29, 2026
Web, Authentication, Multi-Tenant
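The writable-tenant-attribute bug from the sign-up entry above is a mass-assignment defect, shown here as an added example that is not code from the page or from the affected vendor. `sign_up_vulnerable` copies every submitted attribute onto the new account, so the caller picks `tenant_id` (and `role`); `sign_up_safe` allow-lists the fields a public form may set and takes `tenant_id` only from server-side state, either a redeemed invite or a freshly created empty tenant. The `TENANTS` directory, the `SIGNUP_WRITABLE` set and the invite shape are constructed assumptions.

```python
import secrets

# Constructed directory: tenant id -> account ids visible to that tenant's members.
TENANTS = {
    "tenant-acme": ["u-1001", "u-1002"],
    "tenant-globex": ["u-2001"],
}

# Attributes a public sign-up form may set. tenant_id and role are deliberately absent.
SIGNUP_WRITABLE = ("email", "display_name")


def sign_up_vulnerable(payload: dict) -> dict:
    """Mass assignment: every submitted attribute lands on the new account,
    so a self-registered user chooses their own tenant_id and role."""
    account = {"id": "u-" + secrets.token_hex(4), "tenant_id": None, "role": "member"}
    account.update(payload)  # attacker-controlled tenant_id / role overwrite the defaults
    return account


def sign_up_safe(payload: dict, invite=None) -> dict:
    """Allow-list the writable fields; tenant_id comes only from server-side
    state (an invite minted by the tenant, or a brand-new tenant)."""
    account = {"id": "u-" + secrets.token_hex(4), "role": "member"}
    for field in SIGNUP_WRITABLE:
        if field in payload:
            account[field] = payload[field]
    if invite is not None:
        account["tenant_id"] = invite["tenant_id"]  # assumption: invite was validated upstream
    else:
        account["tenant_id"] = "tenant-" + secrets.token_hex(4)  # fresh, empty tenant
    return account


def list_directory(account: dict, tenants: dict = TENANTS) -> list:
    """The directory read the page describes: scoped by the account's tenant claim,
    which is exactly why that claim must never be caller-controlled."""
    return list(tenants.get(account["tenant_id"], []))


if __name__ == "__main__":
    attack = {"email": "x@attacker.example", "tenant_id": "tenant-acme", "role": "admin"}
    print("vulnerable:", list_directory(sign_up_vulnerable(attack)))
    print("safe:      ", list_directory(sign_up_safe(attack)))
```

The same allow-list discipline applies to every later profile-update endpoint: a field that is not caller-writable at sign-up must not become writable through PATCH.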
[high] Permanent team destruction

Cross-Tenant Team Takeover: Guest Admin Evicts the Owner and Destroys the Team

An enterprise SaaS platform let a team admin invited from a different customer remove the team's original creator and permanently delete the team. The owner's senior administrator role provided no override.

Apr 29, 2026
Web, Privilege Escalation, Multi-Tenant
[critical] Mass subscriber lookup

Missing Auth on Chatbot Subscription Endpoint Enables Mass Phone-to-SIM Lookup of National Carrier Subscribers

A national mobile carrier's chatbot backend exposed unauthenticated subscriber lookup endpoints, enabling bidirectional resolution between phone numbers and SIM card identifiers, plus account history, plan status, payment status, and roaming status for the entire customer base.

Apr 25, 2026
Web, Authentication, PII Exposure
[critical] Live transaction harvesting

Unauth IDOR Leaks Live Prepaid Mobile Plan Purchase Records

A national mobile carrier's prepaid backend issued globally shared, sequential purchase keys with no session binding, letting an unauthenticated attacker poll the live transaction database by incrementing the key and harvest thousands of customer purchase records per day.

Apr 25, 2026
Web, IDOR, PII Exposure
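The sequential-key defect in the prepaid entry above, and the ownership-check gap behind the investor-account, fact-find and authorization-object entries earlier on this page, come down to the same two properties of a record key: is it guessable, and is the lookup bound to the principal that created it. This added example (not code from the page or from any of the affected vendors) models both shapes on a constructed `PurchaseStore`: the vulnerable path hands out a global counter and answers any key for anyone, so `harvest` walks the sequence; the hardened path issues a 192-bit random token and refuses a lookup from a session other than the creator's. Session IDs and record contents are constructed sample data.

```python
import hmac
import secrets


class PurchaseStore:
    """Constructed stand-in for a purchase-record backend with both key shapes."""

    def __init__(self):
        self._next_seq = 100000   # globally shared counter (vulnerable shape)
        self._by_seq = {}         # sequential key -> record, no owner recorded
        self._by_token = {}       # random token -> (owning session, record)

    # Vulnerable shape: sequential key, no session binding.
    def create_vulnerable(self, record: dict) -> str:
        key = str(self._next_seq)
        self._next_seq += 1
        self._by_seq[key] = record
        return key

    def get_vulnerable(self, key: str):
        return self._by_seq.get(key)  # any caller, any key, no authentication

    # Hardened shape: unguessable key bound to the session that created it.
    def create_safe(self, session_id: str, record: dict) -> str:
        token = secrets.token_urlsafe(24)  # 192 bits of entropy: not enumerable
        self._by_token[token] = (session_id, record)
        return token

    def get_safe(self, session_id: str, token: str):
        entry = self._by_token.get(token)
        # Same answer for "no such record" and "not your record", so the
        # endpoint cannot be used as an existence oracle either.
        if entry is None or not hmac.compare_digest(entry[0], session_id):
            return None
        return entry[1]


def harvest(store: PurchaseStore, start: int, count: int) -> list:
    """What the page's unauthenticated poller does: increment the key and
    collect every record that answers."""
    found = []
    for n in range(start, start + count):
        rec = store.get_vulnerable(str(n))
        if rec is not None:
            found.append(rec)
    return found


if __name__ == "__main__":
    store = PurchaseStore()
    store.create_vulnerable({"msisdn": "+61400000001", "plan": "30-day 10GB"})  # constructed
    store.create_vulnerable({"msisdn": "+61400000002", "plan": "7-day 2GB"})    # constructed
    print("harvested:", harvest(store, 100000, 50))
    tok = store.create_safe("sess-A", {"msisdn": "+61400000003", "plan": "30-day 10GB"})
    print("other session reads:", store.get_safe("sess-B", tok))
```

A random token is a mitigation, not a substitute for the ownership check: the lookup must still compare the caller's principal to the record's owner, because tokens leak through logs, referrers and support tickets.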