Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: nextcloud
see card comments after remove shared board
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37883
Medium
2024-06-18
Events information leaked with shared calendars on recurrence exceptions
Nextcloud Information Disclosure (CWE-200)CVE-2024-37887
Low
2024-06-14
Read-only users can restore old versions
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37315
Medium
2024-06-14
Code injection in Nextcloud Desktop Client for macOS
Nextcloud Code Injection (CWE-94)CVE-2024-37885
Unknown
2024-06-14
ID4me feature of OpenID connect app available even when disabled
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37312
Medium
2024-05-30
Weak ssh algorithms and CVE-2023-48795 Discovered on various subdomains of nextcloud.com
Nextcloud Use of a Broken or Risky Cryptographic Algorithm (CWE-327)CVE-2023-48795
Medium
2024-05-22
OAuth2 "authorization_code" is valid indefinetly
Nextcloud Violation of Secure Design Principles (CWE-657)CVE-2024-22403
Low
2024-02-17
Can download files by zipping the folder
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-22404
Medium
2024-02-17
xmlrpc.php &wp-cron.php files are enabled, and will used for (DDOS),(DOS) and broutforce users attack.
Nextcloud XML External Entities (XXE) (CWE-611)
Unknown
2024-02-08
Authentication bypass in Global Site Selector allows an attacker to log in as any user
Nextcloud CVE-2024-22212
Critical
2024-01-18
Improper handling of request URLs in nextcloud/guests allows guest users to bypass app allowlist
Nextcloud Improper Handling of URL Encoding (Hex Encoding) (CWE-177)CVE-2024-22402
Medium
2024-01-18
Non-admin users can reset app allowlist to the default
Nextcloud Business Logic Errors (CWE-840)CVE-2024-22401
Medium
2024-01-18
Open redirect in user_saml via RelayState parameter
Nextcloud Open Redirect (CWE-601)CVE-2024-22400
Low
2024-01-18
Self XSS when sending HTML as a comment in the Deck app
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2024-22213
None
2024-01-18
Bruteforce protection in password verification can be bypassed
Nextcloud Improper Restriction of Authentication Attempts (CWE-307)CVE-2023-49792
Medium
2024-01-17
Bypass password confirmation via Context-dependent access control (CDCA)
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-49791
Medium
2024-01-17
Error when editing a calendar appointment returns stacktrace and query
Nextcloud Information Disclosure (CWE-200)CVE-2023-48308
Medium
2024-01-17
Blind SSRF in Mail App
Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2023-48307
Low
2024-01-10
DNS pin middleware can be tricked into DNS rebinding allowing SSRF
Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2023-48306
Medium
2024-01-01
RCE on Wordpress website
Nextcloud Deserialization of Untrusted Data (CWE-502)
Critical
2023-12-28
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895