HackerOne Disclosed Reports - 2026-04-08


Severity: Low   |   Status: resolved

wasResumeUsed ███ on /api-internal/api.htm endpoint leaking other user's resume usage status


Bug reported by Raghav Phadke was disclosed on April 8, 2026, 7:32 pm   |   Improper Access Control - Generic

The API endpoint that checks whether a resume was used for previous job applications was found to be vulnerable. The endpoint accepted a "resumeMetadataId" parameter without verifying that the referenced resume belonged to the requesting user, so an attacker could query the usage status of resumes owned by other users. This resulted in the leakage of other users' resume usage status.


Severity: Medium   |   Status: resolved

Account Takeover


Bug reported by Abdulrahman Makki was disclosed on April 8, 2026, 7:30 pm   |   Improper Authentication - Generic

The target application accepted a user's Facebook/Google access token without properly validating it, allowing account takeover. Because the token was not checked, any previously obtained user token could be used to log in to the application as that user.


Severity: Low   |   Status: resolved

Open Redirect ████████


Bug reported by Saurabh Patil was disclosed on April 8, 2026, 6:56 pm   |   Open Redirect

The URL accepting the 'redirectUrl' parameter was found to be vulnerable to open redirect. The parameter value was not validated against an allow-list of permitted destinations, so an attacker could redirect users to a malicious website of their choice.




