HackerOne Disclosed Reports - 2026-04-26


Low
resolved

Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net


Bug reported by Aaqib Hussain, disclosed April 27, 2026, 4:00 am   |   Improper Access Control - Generic

A vulnerability was discovered in the messaging system of Pixiv.net. It allowed any user to bypass the inbox privacy settings and send messages to a user who had disabled their inbox: the recipient's setting was not enforced server-side, so changing the id parameter in the message-sending POST request was enough to deliver the message. In addition, because the endpoint had no rate limiting and no duplicate-request validation, an attacker could spam a target by replaying the same request, or slight variations of it, as often as desired.


High
resolved

Non-premium user can disable Ads in Japanese version of dic.pixiv.net


Bug reported by Luis G. Moret Hernandez, disclosed April 27, 2026, 3:58 am   |   Business Logic Errors

A vulnerability was identified in the Japanese version of the pixiv dictionary website (dic.pixiv.net) where non-premium users could disable advertisements. Normally the ability to disable ads is restricted to premium users. Due to improper access control, however, any authenticated user could modify their ad display preference, and the server accepted the change without verifying that the account actually held a premium subscription.




