Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: curl✕

OS Command Injection (subprocess Module Usage)

curl OS Command Injection (CWE-78)

Low

2025-07-07

Credential leak on redirect due to improper state clearing when parsing macdef in netrc.c

curl Information Exposure Through Sent Data (CWE-201)CVE-2024-11053

Low

2025-06-22

CVE-2025-5399: WebSocket endless loop

curl Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)CVE-2025-5399

Low

2025-06-04

CVE-2025-0167: netrc and default credential leak

curl LLM06: Sensitive Information Disclosure CVE-2025-0167 CVE-2024-11053

Low

2025-02-07

CVE-2025-0665: eventfd double close

curl Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)CVE-2025-0665

Low

2025-02-07

CVE-2025-0725: gzip integer overflow

curl Integer Overflow to Buffer Overflow (CWE-680)CVE-2025-0725

Low

2025-02-05

bypass of this Fixed #2437131 [ Inadequate Protocol Restriction Enforcement in curl ]

curl Cleartext Transmission of Sensitive Information (CWE-319)

Low

2024-12-19

CVE-2024-11053: netrc + redirect credential leak

curl Information Disclosure (CWE-200)CVE-2024-11053

Low

2024-12-11

CVE-2024-9681: HSTS subdomain overwrites parent cache entry

curl Business Logic Errors (CWE-840)CVE-2024-9681

Low

2024-11-06

CVE-2024-7264: ASN.1 date parser overread

curl Buffer Over-read (CWE-126)CVE-2024-7264

Low

2024-08-01

CVE-2024-6874: macidn punycode buffer overread

curl Buffer Over-read (CWE-126)CVE-2024-6874

Low

2024-07-24

NULL dereference when encoding DN of x509 certificate

curl NULL Pointer Dereference (CWE-476)

Low

2024-06-19

Incorrect Encoding Conversion in hostname results in indeterminate SSRF vulnerabilities

curl Type Confusion (CWE-843)CVE-2012-1823 CVE-2024-4577

Low

2024-06-18

CVE-2024-2004: Usage of disabled protocol

curl Misinterpretation of Input (CWE-115)CVE-2024-2004

Low

2024-03-27

CVE-2024-2379: QUIC certificate check bypass with wolfSSL

curl Improper Certificate Validation (CWE-295)CVE-2024-2379

Low

2024-03-27

CVE-2024-0853: OCSP verification bypass with TLS session reuse

curl Improper Check for Certificate Revocation (CWE-299)CVE-2024-0853

Low

2024-01-31

CVE-2023-46219: HSTS long file name clears contents

curl Missing Encryption of Sensitive Data (CWE-311)CVE-2023-46219

Low

2023-12-08

CVE-2023-38546: cookie injection with none file

curl External Control of File Name or Path (CWE-73)CVE-2023-38546

Low

2023-10-11

CVE-2023-28321: IDN wildcard match

curl Improper Certificate Validation (CWE-295)CVE-2023-28321

Low

2023-05-18

CVE-2023-28322: more POST-after-PUT confusion

curl Expected Behavior Violation (CWE-440)CVE-2023-28322 CVE-2022-32221

Low

2023-05-18

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence