Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: curl
[SFTP] TOCTOU Race Condition in Upload Resume Logic Leads to Arbitrary File Append
curl Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Medium
2025-11-24
Arbitrary free in curl's config file parsing.
curl
Low
2025-11-23
Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash This is sharp, Gaurav. We’ve got a real memory-safety bug ins
curl Buffer Over-read (CWE-126)
High
2025-11-20
Double free in tool_ssls_load()
curl Double Free (CWE-415)
Unknown
2025-11-18
Double-free vulnerability in libcurl with rustls via NoServerCertVerifier condition leads to application crash
curl
Unknown
2025-11-16
Incorrect sizeof() in Rustls Backend Memory Allocation
curl Incorrect Calculation of Buffer Size (CWE-131)
Low
2025-11-15
Off-by-One Buffer Overflow in SMB Path Handler
curl Off-by-one Error (CWE-193)
Medium
2025-11-15
Malicious server forces .curlrc creation via curl -OJ leading to local file exfiltration
curl
Unknown
2025-11-15
libcurl FTP path normalization flaw allows decoded %2e%2e → CWD .. and directory escape (Path Traversal, CWE-22)
curl Path Traversal (CWE-22)
High
2025-11-11
Hash exposed in public repository
curl Exposed Dangerous Method or Function (CWE-749)
None
2025-11-11
Command Injection - CRITICISM
curl Command Injection - Generic (CWE-77)
Unknown
2025-11-11
Silent TLS Trust Model Hijacking via `CURL_CA_BUNDLE` Environment Variable Leads to MITM
curl Improper Certificate Validation (CWE-295)
Critical
2025-11-11
Arbitrary Configuration File Inclusion: via External Control of File Name or Path
curl External Control of File Name or Path (CWE-73)
Critical
2025-11-10
SMTP CRLF Injection in curl/libcurl via MAIL FROM/RCPT TO parameters
curl
Critical
2025-11-10
libcurl MQTT `CURLOPT_POSTFIELDSIZE_LARGE` overflow leads to immediate DoS
curl Integer Overflow (CWE-190)
Medium
2025-11-10
Unsafe use of strcpy in Curl_ldap_err2string (packages/OS400/os400sys.c) — stack-buffer-overflow (PoC + ASan)
curl Classic Buffer Overflow (CWE-120)
Medium
2025-11-10
SMTP CRLF Command Injection in CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT
curl CRLF Injection (CWE-93)
Medium
2025-11-10
CVE-2025-10966: missing SFTP host verification with wolfSSH
curl Improper Certificate Validation (CWE-295)CVE-2025-10966
Low
2025-11-05
HackerOne
curl Array Index Underflow (CWE-129)
None
2025-11-03
Hi Hacker
curl Business Logic Errors (CWE-840)
None
2025-11-03
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895