Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Tables app allowed users to view columns metadata information of any table
Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2025-66553
Medium
2025-12-05
Participants were able to blindly delete poll drafts of other users by ID
Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2025-66556
Medium
2025-12-05
Approval app allows users to request approval for other users file
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2025-66515
Medium
2025-12-05
Nextcloud Tables v1 Share Enumeration Without Authorization (Regression of CVE-2024-52507)
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2025-66513
Low
2025-12-05
SMTP Protocol Injection via CRLF in CURLOPT_MAIL_FROM leading to Email Spoofing
curl CRLF Injection (CWE-93)
Unknown
2025-12-04
Potential SQL Injection when annotating FilteredRelation on PostgreSQL
Django SQL Injection (CWE-89)CVE-2025-57833CVE-2025-59681
High
2025-12-02
[my.stripo.email] Blind SSRF Vulnerability in Stripo App Export via Missing Endpoints Export Email Message to Zapier
Stripo Inc Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2025-12-01
Path Traversal in file:// protocol allows Arbitrary File Read
curl Path Traversal (CWE-22)
High
2025-12-01
Heap Buffer Overflow in TFTP
curl Heap Overflow (CWE-122)
Critical
2025-12-01
Username Validation Bypass
Revive Adserver Improper Authentication - Generic (CWE-287)CVE-2025-55129
Medium
2025-11-26
Infinite loop issue in the state machine of the curl project
curl
Unknown
2025-11-26
runs javascript on powershell when it shouldnt
curl Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)
Unknown
2025-11-26
High resource consumption by insufficient sanitization of forum threads pagination
Flickr Allocation of Resources Without Limits or Throttling (CWE-770)
Medium
2025-11-24
[SFTP] TOCTOU Race Condition in Upload Resume Logic Leads to Arbitrary File Append
curl Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Medium
2025-11-24
Arbitrary free in curl's config file parsing.
curl
Low
2025-11-23
Improper bot-authentication allows to impersonate any user when sending messages in a room
Basecamp Improper Authentication - Generic (CWE-287)
High
2025-11-21
Path traversal via archive.extract - CVE 2021-3281 incomplete patch
Django Path Traversal (CWE-22)CVE-2021-3281
Low
2025-11-21
Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash This is sharp, Gaurav. We’ve got a real memory-safety bug ins
curl Buffer Over-read (CWE-126)
High
2025-11-20
Lack of minimum value bid wheel verification on customer_bid in Rental Trips
Bykea Business Logic Errors (CWE-840)
Low
2025-11-20
Customer can cancel a individual booking in a batch, causing locking of partner.
Bykea Business Logic Errors (CWE-840)
Medium
2025-11-20
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895