Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: curl
Directory listing vulnerability is disclosing names and emails, widespread (thousands of records, publicly accessible without auth)
curl Information Exposure Through Directory Listing (CWE-548)
Critical
2026-01-14
Gopher Protocol Command Injection (SSRF Smuggling)
curl Server-Side Request Forgery (SSRF) (CWE-918)
High
2026-01-14
Use-After-Free in curl_easy_nextheader when reusing header handle across requests
curl Use After Free (CWE-416)
Unknown
2026-01-14
MQTT: unsigned integer underflow bypasses MAX_MQTT_MESSAGE_SIZE check
curl
Unknown
2026-01-13
integer Overflow in MQTT Protocol Handling Allows Bypassing Message Size Limit
curl Integer Overflow (CWE-190)
High
2026-01-13
Heap Out-of-Bounds Read in lib/http2.c via Malformed PUSH_PROMISE Headers
curl Out-of-bounds Read (CWE-125)
High
2026-01-10
CRLF Injection in HTTP header values allows arbitrary header injection
curl CRLF Injection (CWE-93)
None
2026-01-10
State Isolation Failure in Multiplexed Connections (Shared Auth Context)
curl Exposure of Data Element to Wrong Session (CWE-488)
Critical
2026-01-08
Stack Buffer Overflow in mprintf.c formatting function (fallback path)
curl Classic Buffer Overflow (CWE-120)
High
2026-01-08
inconsistently Rejection Logic in file:// URLs with Authority
curl Path Traversal (CWE-22)
Low
2026-01-08
CVE-2025-14524: bearer token leak on cross-protocol redirect
curl Insufficiently Protected Credentials (CWE-522)CVE-2025-14524
Low
2026-01-07
CVE-2025-15079: libssh global knownhost override
curl Improper Validation of Certificate with Host Mismatch (CWE-297)CVE-2025-15079
Low
2026-01-07
CVE-2025-15224: libssh key passphrase bypass without agent set
curl CVE-2025-15224
Low
2026-01-07
MQTT: Missing upper bound on incoming Remaining Length allows server-controlled long wait
curl Uncontrolled Resource Consumption (CWE-400)
Low
2026-01-06
Path Traversal in curl file:// Protocol Handler Allows Unauthorized File Access
curl Path Traversal (CWE-22)CVE-2021-22901
High
2026-01-04
Alt-Svc bypasses credential leak protection (CVE-2018-1000007)
curl Information Exposure Through Sent Data (CWE-201)CVE-2018-1000007
High
2026-01-04
PROTOCOL-LEVEL: Persistent UDP Amplification and Cache Poisoning via Alt-Svc Logic Flaw
curl Business Logic Errors (CWE-840)
High
2026-01-02
HTTP Request Smuggling and SSRF via CRLF Injection in Curl_add_custom_headers
curl HTTP Request Smuggling (CWE-444)
High
2026-01-02
CRLF Injection in Gopher Protocol (`lib/gopher.c`)
curl CRLF Injection (CWE-93)
Medium
2026-01-02
MQTT Protocol Violation & Integer Overflow in libcurl
curl Integer Overflow (CWE-190)
High
2026-01-01
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895