Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: curl
Directory Traversal Vulnerability in cURL via Content-Disposition Header Processing
curl Path Traversal (CWE-22)
Medium
2025-11-01
Buffer over-read,, Missing NUL termination in addvariable() causes undefined behavior
curl Buffer Over-read (CWE-126)
Unknown
2025-10-31
SOCKS5 Heap Buffer Overflow via Malicious HTTP Redirect with Oversized Hostname
curl Heap Overflow (CWE-122)
Medium
2025-10-31
Logical Flaw in curl_url_set Leads to Inconsistent Query Parameter Encoding
curl Improper Input Validation (CWE-20)
Medium
2025-10-29
Memory leak in Curl_auth_create_ntlm_type3_message
curl Uncontrolled Resource Consumption (CWE-400)
Low
2025-10-28
curl’s persistence files inherit world-readable/writable perms from umask, leaking and tampering with cookies/HSTS/Alt-Svc caches
curl Cleartext Storage of Sensitive Information (CWE-312)
Medium
2025-10-28
libcurl MQTT PUBLISH length overflow (heap overflow)
curl Heap Overflow (CWE-122)
Low
2025-10-28
Cookie exposure due to unexpected file permission change
curl File and Directory Information Exposure (CWE-538)
Medium
2025-10-27
CURLX_SET_BINMODE(NULL) can call fileno(NULL) and cause undefined behavior / crash
curl
High
2025-10-27
Integer Overflow to Heap Overflow in DoH Response Handling
curl Heap Overflow (CWE-122)
Unknown
2025-10-25
Use of Deprecated strcpy() with User-Controlled Environment Variable in Memory Debug Initialization
curl
High
2025-10-22
Use of Deprecated strcpy() with Fixed-Size Buffers in Progress Time Formatting
curl
Medium
2025-10-22
Buffer Overflow in WebSocket Handshake (lib/ws.c:1287)
curl Classic Buffer Overflow (CWE-120)
High
2025-10-21
SMTP Command Injection Vulnerability in libcurl 8.16.0 via RFC 3461 Suffix
curl CRLF Injection (CWE-93)
Unknown
2025-10-17
Missing enforcement of SFTP quote syntax can lead to operation on wrong object
curl Improper Validation of Syntactic Correctness of Input (CWE-1286)
Unknown
2025-10-12
Apple SecTrust legacy path accepts untrusted certificates on pre-10.14 macOS/iOS when built with USE_APPLE_SECTRUST
curl Improper Certificate Validation (CWE-295)
High
2025-10-09
OpenSSL backend: X509 peer certificate not freed in ossl_get_channel_binding causes per-request memory leak (DoS risk for long-lived clients)
curl Uncontrolled Resource Consumption (CWE-400)
Low
2025-10-08
Unsanitized IPFS CID Allows SSRF Against Configured Gateway
curl Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2025-10-03
AWS SigV4 Signature Disclosure via Verbose Logging in libcurl
curl Information Disclosure (CWE-200)
Unknown
2025-10-01
SMTP Command Injection Vulnerabilities in curl
curl Command Injection - Generic (CWE-77)
Unknown
2025-09-26
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895