Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: nextcloud✕

Username Enumeration

Nextcloud Information Disclosure (CWE-200)

Low

2019-11-11

WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (UNAUTHORIZED)

Nextcloud Information Disclosure (CWE-200)

Low

2019-11-11

Exposing debug.log file leads to server full path disclosure

Nextcloud Information Disclosure (CWE-200)

Low

2019-10-17

Veracode and security audit record are publicly available

Nextcloud Insecure Storage of Sensitive Information (CWE-922)

Low

2019-09-10

Content Spoofing /Text Injection in https://docs.nextcloud.com

Nextcloud Violation of Secure Design Principles (CWE-657)

Low

2019-09-05

Delete permission can be added on reshare

Nextcloud Privilege Escalation (CAPEC-233)

Low

2019-09-03

Passwords being stored as plain text in logging

Nextcloud Cleartext Storage of Sensitive Information (CWE-312)

Low

2019-08-31

SQLi allow query restriction bypass on exposed FileContentProvider

Nextcloud SQL Injection (CWE-89)CVE-2019-15622

Low

2019-07-29

Gallery: No feedback for invalid password

Nextcloud Business Logic Errors (CWE-840)

Low

2019-07-27

Able to bypass "Device credentials" Lock

Nextcloud Improper Access Control - Generic (CWE-284)CVE-2019-5451

Low

2019-07-26

Combination of content provider allows private data disclosure

Nextcloud Improper Access Control - Generic (CWE-284)CVE-2019-5452

Low

2019-07-26

Bypassing lock protection

Nextcloud Improper Authentication - Generic (CWE-287)CVE-2019-5455

Low

2019-07-26

SQL Injection found in NextCloud Android App Content Provider

Nextcloud SQL Injection (CWE-89)CVE-2019-5454

Low

2019-07-26

Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock

Nextcloud Information Disclosure (CWE-200)CVE-2019-5453

Low

2019-07-26

Click Jacking Nextcloud

Nextcloud UI Redressing (Clickjacking) (CAPEC-103)

Low

2019-07-01

Private/confidential setting of calendar events is ignored on activity stream

Nextcloud Information Disclosure (CWE-200)

Low

2019-06-27

Stored XSS in OAuth redirect URI

Nextcloud Cross-site Scripting (XSS) - Stored (CWE-79)

Low

2019-05-11

Information Exposure Through Directory Listing - https://apps.nextcloud.com/static/

Nextcloud Information Exposure Through Directory Listing (CWE-548)

Low

2019-01-07

Session fixation in password protected public download.

Nextcloud Session Fixation (CWE-384)CVE-2018-16463

Low

2018-10-25

twofactor_auth bypassable if provider fails to load

Nextcloud Improper Authentication - Generic (CWE-287)CVE-2018-16465

Low

2018-09-27

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence