目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1000 CNY

100.0%
コーヒーを一杯おごる

漏洞赏金情报

数据来源:HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告,按严重程度、漏洞类型或目标项目筛选,关联 CVE 编号。

已披露报告
12,219
关联 CVE
1,854
参与项目数
342
近 7 天新增
14
严重度: All CriticalHighMediumLow
类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
ignoring 'options' when doing connection reuse
curl Incorrect Comparison (CWE-697)
Unknown
2026-04-05
Data race in Curl_dnscache_add_negative() corrupts shared DNS cache — heap corruption and double-free when using CURLOPT_SHARE with CURL_LOCK_DATA_DNS
curl Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
Medium
2026-04-04
Internal application wrapper or script using curl
curl Code Injection (CWE-94)
Critical
2026-04-03
Missing server identity policy enforcement in SSH connection reuse allows host key verification bypass via pool poisoning
curl Authentication Bypass by Primary Weakness (CWE-305)CVE-2022-27782CVE-2023-27538
High
2026-04-03
Cookie attribute TAB injection regression in Set-Cookie parsing
curl Improper Input Validation (CWE-20)CVE-2022-35252
Low
2026-04-03
Bypassing Strict SSH Server Verification via Connection Pool Reuse in libcurl
curl
Unknown
2026-03-31
Use-After-Free race condition in url_move_hostname() via shared connection pool
curl Use After Free (CWE-416)
Medium
2026-03-31
Unauthenticated SSRF via Public Reference API -Sharing Token Bypass
Nextcloud
Unknown
2026-03-31
HackerOne Vulnerability Report: libcurl SSL/TLS Identity Leakage via Insecure Connection Reuse
curl Authentication Bypass by Primary Weakness (CWE-305)
Unknown
2026-03-31
HTTP/2 PUSH_PROMISE header loss on OOM bypasses scheme validation (regression of 2e8c922a89)
curl Improper Handling of Insufficient Permissions or Privileges (CWE-280)
Medium
2026-03-31
Unbounded GZIP Decompression Leading to Event-Loop Starvation
curl Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
Medium
2026-03-31
SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48)
arkadiyt-projects Server-Side Request Forgery (SSRF) (CWE-918)
High
2026-03-31
Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes
arkadiyt-projects Path Traversal (CWE-22)
Medium
2026-03-31
HashDoS in V8
Node.js Cryptographic Issues - Generic (CWE-310)CVE-2026-21717
Medium
2026-03-30
Permission Model Bypass in realpathSync.native Allows File Existence Disclosure
Node.js Information Disclosure (CWE-200)CVE-2026-21715
Low
2026-03-30
Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery
Node.js Cryptographic Issues - Generic (CWE-310)CVE-2026-21713
Medium
2026-03-30
Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net`
Node.js Improper Access Control - Generic (CWE-284)CVE-2026-21711
Medium
2026-03-30
Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process)
Node.js Uncontrolled Resource Consumption (CWE-400)CVE-2026-21710
High
2026-03-30
CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown
Node.js Improper Access Control - Generic (CWE-284)CVE-2026-21716
Low
2026-03-30
Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion
Node.js Missing Release of Memory after Effective Lifetime (CWE-401)CVE-2026-21714
Medium
2026-03-30
高频漏洞类型
最活跃项目
项目报告数最高赏金
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895