Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,222

CVE-linked

1,855

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: curl✕

Format string vulnerability, curl_msnprintf() function

curl Use of Externally-Controlled Format String (CWE-134)

Medium

2025-02-20

Hackers Attack Curl Vulnerability Accessing Sensitive Information

curl Information Disclosure (CWE-200)

Medium

2024-12-27

When curl uses Schannel as TLS backend, it fails to enforce TLS 1.3 cipher suite selections correctly

curl Business Logic Errors (CWE-840)

Medium

2024-11-04

CVE-2024-8096: OCSP stapling bypass with GnuTLS

curl Improper Certificate Validation (CWE-295)CVE-2024-8096

Medium

2024-09-11

CVE-2024-6197: freeing stack buffer in utf8asn1str

curl Free of Memory not on the Heap (CWE-590)CVE-2024-6197

Medium

2024-07-24

Denial of Service in curl Request - HTTP headers eat all memory

curl Allocation of Resources Without Limits or Throttling (CWE-770)

Medium

2024-06-18

cookie is sent on redirect

curl Insufficiently Protected Credentials (CWE-522)

Medium

2024-03-28

HTTP/2 PUSH_PROMISE DoS

curl Uncontrolled Resource Consumption (CWE-400)

Medium

2024-03-27

CVE-2024-2466: TLS certificate check bypass with mbedTLS

curl Improper Validation of Certificate with Host Mismatch (CWE-297)CVE-2016-3739 CVE-2013-4545 CVE-2013-6422 CVE-2014-0139 CVE-2014-1263 CVE-2014-2522 CVE-2014-8151 CVE-2024-2466

Medium

2024-03-27

CVE-2024-2398: HTTP/2 push headers memory-leak

curl Uncontrolled Resource Consumption (CWE-400)CVE-2024-2398

Medium

2024-03-27

CVE-2023-46218: cookie mixed case PSL bypass

curl Information Exposure Through Sent Data (CWE-201)CVE-2023-46218

Medium

2023-12-06

CVE-2023-38039: HTTP header allocation DOS

curl Allocation of Resources Without Limits or Throttling (CWE-770)CVE-2023-38039

Medium

2023-09-13

CVE-2023-32001: fopen race condition

curl Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)CVE-2023-32001

Medium

2023-07-25

CVE-2023-28319: UAF in SSH sha256 fingerprint check

curl Use After Free (CWE-416)CVE-2023-28319

Medium

2023-05-24

Cache purge requests are not authenticated

curl Business Logic Errors (CWE-840)

Medium

2023-05-20

CVE-2023-27535: FTP too eager connection reuse

curl Authentication Bypass by Primary Weakness (CWE-305)CVE-2023-27535

Medium

2023-03-22

CVE-2023-23916: HTTP multi-header compression denial of service

curl Allocation of Resources Without Limits or Throttling (CWE-770)CVE-2023-23916 CVE-2023-23915

Medium

2023-02-20

CVE-2022-43551: Another HSTS bypass via IDN

curl Cleartext Transmission of Sensitive Information (CWE-319)CVE-2022-43551 CVE-2022-42916

Medium

2022-12-21

CVE-2022-42915: HTTP proxy double-free

curl Double Free (CWE-415)CVE-2022-42915

Medium

2022-11-26

CVE-2022-32221: POST following PUT confusion

curl Expected Behavior Violation (CWE-440)CVE-2022-32221

Medium

2022-11-26

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	583	—
Shopify	464	—
curl	440	—
Node.js third-party modules	307	—
GitLab	258	$13,950
X / xAI	250	$2,500
Uber	239	—

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence