resolved
Disclose Hidden Comments on Media Section of hub.vroid.com
Bug reported by Giwa was disclosed at January 18, 2026, 11:24 am | Insecure Direct Object Reference (IDOR)
A vulnerability was discovered in the Media section of the website where hidden comments could be disclosed. By intercepting a request to like a specific comment, the attacker was able to retrieve the content of the hidden comment, which should have only been visible to the original poster.
resolved
clickjacing can lead to account takeover
Bug reported by ryu kanzake was disclosed at January 18, 2026, 11:21 am | UI Redressing (Clickjacking)
An endpoint on the website You are not allowed to view links. Register or Login to view. was discovered to be vulnerable to clickjacking. Proof-of-concept code was provided to demonstrate how a user could be tricked into performing unintended actions on the website.
![[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]](https://64.media.tumblr.com/834502d05f9b014cbc37366fe428a5a7/13cb9841c0799d7a-ff/s500x560/e72398fe92beda2aa80d0329e8b9f4febece7568.gif)
