resolved
Publicly accessible `█████████` endpoint exposing internal user identifiers and email addresses
Bug reported by Mahmoud_kroush (رَجُل المٌسًتَحِيل) was disclosed at February 24, 2026, 8:50 pm | Information Disclosure
A publicly accessible JSON API endpoint was found to expose sensitive user information, including internal identifiers and email addresses. The vulnerability was classified as an information disclosure issue with a medium severity rating. The problem was remediated by implementing proper authentication controls and data minimization practices.
resolved
CVE-█████-35813 in █████
Bug reported by AdeL was disclosed at February 24, 2026, 8:44 pm | Relative Path Traversal
A critical remote code execution vulnerability (CVE-█████-35813) affecting multiple Sitecore products through version 10.3 was discovered. The vulnerability was exploited through the sitecore_xaml.ashx endpoint using ASP.NET TemplateParser injection, allowing attackers to execute arbitrary code. The organization successfully applied the Sitecore security patch, and subsequent retesting confirmed the vulnerability was fully remediated.
resolved
Sensitive information exposed at [███] via /export_panelists_to_xlsx endpoint
Bug reported by Ghost ? was disclosed at February 24, 2026, 8:40 pm | Cleartext Storage of Sensitive Information
A vulnerability was identified that allowed unauthorized access to personally identifiable information through an unprotected API endpoint. The vulnerability exposed user email addresses and telephone numbers. The issue was classified under CWE-312 with a CVSS score of 6.1. The vulnerability was successfully reproduced, validated, and subsequently remediated.
resolved
███████ - Publicly Accessible public_html Directory Exposing WordPress Configuration
Bug reported by Mahmoud_kroush (رَجُل المٌسًتَحِيل) was disclosed at February 24, 2026, 8:27 pm | Information Disclosure
A publicly accessible directory containing sensitive WordPress configuration files, including database credentials, authentication keys, and API secrets, was discovered. The vulnerability allowed unauthorized access to critical system information through a downloadable zip file. The security team validated the report, coordinated remediation, and confirmed the issue was resolved.
resolved
SQLi At `███████` via `theme_name`
Bug reported by was disclosed at February 24, 2026, 7:49 pm | SQL Injection
A SQL injection vulnerability was discovered in a web application's theme selection endpoint through the "theme_name" parameter. Using SQLMap, the vulnerability was demonstrated to be exploitable through both error-based and time-based blind injection attacks against a MySQL database (version 5.1 or newer). The exploitation successfully enumerated several databases, including sensitive repositories for authentication, payment, and security data. The development team implemented fixes using parameterized queries and input validation, and post-remediation testing confirmed the vulnerability was fully resolved.
resolved
SQLi at █████ parameter
Bug reported by AlertHunter was disclosed at February 24, 2026, 7:43 pm | SQL Injection
A SQL injection vulnerability was discovered in an items endpoint that accepted unauthenticated POST requests without CSRF validation. The vulnerability allowed execution of arbitrary SQL commands and extraction of database metadata. Additional security issues included stored XSS through the description parameter and lack of authentication controls. The vulnerability was promptly remediated by the security team.
resolved
No Rate Limiting on Password Attempts After Insecure Registration Flow causes ATO
Bug reported by azarazar was disclosed at February 24, 2026, 7:37 pm | Improper Restriction of Authentication Attempts
An authentication vulnerability was identified that lacked rate limiting controls on password attempts. The flaw allowed unlimited brute force attacks against user accounts without triggering security measures. Attackers could perform consecutive password attempts and distinguish successful authentications through session cookie presence in responses. The vulnerability enabled automated credential validation attacks. The development team successfully remediated the issue by implementing proper rate limiting mechanisms and security controls.