Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,220
CVE-linked
1,854
Programs
342
New This Week
8
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: concretecms
SSRF mitigation bypass using DNS Rebind attack
Concrete CMS Server-Side Request Forgery (SSRF) (CWE-918)CVE-2021-22969
Low
2022-11-25
open redirect to a remote website which can phish users
Concrete CMS Open Redirect (CWE-601)
Medium
2022-11-25
SSRF - pivoting in the private LAN
Concrete CMS Server-Side Request Forgery (SSRF) (CWE-918)CVE-2021-22970
Low
2022-11-25
A bypass of adding remote files in concrete5 FIlemanager leads to remote code execution
Concrete CMS CVE-2021-22968
Medium
2021-11-11
Arbitrary File delete via PHAR deserialization
Concrete CMS Deserialization of Untrusted Data (CWE-502)CVE-2021-40102
High
2021-10-20
Stored unauth XSS in calendar event via CSRF
Concrete CMS Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2021-40108
Medium
2021-10-15
Authenticated path traversal to RCE
Concrete CMS Path Traversal (CWE-22)CVE-2021-40097
High
2021-10-15
Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"
Concrete CMS Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2021-40100
Medium
2021-10-04
SSRF bypass
Concrete CMS Server-Side Request Forgery (SSRF) (CWE-918)CVE-2021-22958
Low
2021-10-04
Phar Deserialization Vulnerability via Logging Settings
Concrete CMS Deserialization of Untrusted Data (CWE-502)CVE-2021-36766
Medium
2021-09-24
Fetching the update json scheme from concrete5 over HTTP leads to remote code execution
Concrete CMS Man-in-the-Middle (CWE-300)CVE-2021-40099
High
2021-09-22
Unauthenticated HTML Injection Stored - ContactUs form
Concrete CMS
Medium
2020-09-25
Cross Site Scripting (XSS) Stored - Private messaging
Concrete CMS Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2020-09-25
Time-base SQL Injection in Search Users
Concrete CMS SQL Injection (CWE-89)
Medium
2020-08-05
Remote Code Execution (Reverse Shell) - File Manager
Concrete CMS Code Injection (CWE-94)
Medium
2020-07-21
Remote Code Execution through Extension Bypass on Log Functionality
Concrete CMS Code Injection (CWE-94)
High
2020-07-03
Stored XSS in the file search filter
Concrete CMS Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2020-07-03
Stored XSS on express entries
Concrete CMS Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2020-07-03
Administrators can add other administrators
Concrete CMS Privilege Escalation (CAPEC-233)
None
2020-05-11
XSS in select attribute options
Concrete CMS Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2020-04-29
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895