resolved
Chained Broken Access Control in TikTok Live Backstage Enables Full Control of Public Leaderboard Activities
Bug reported by Jovan was disclosed on September 11, 2025, 1:59 am | Privilege Escalation
A broken access control vulnerability in TikTok Live Backstage allowed low-privilege users to gain unauthorized control over public leaderboard activities belonging to other organizations.
resolved
Stored XSS on TikTok's backend leads to the leakage of highly sensitive administrator data (Cookies, API Keys, Internal Paths, Emails, phone numbers).
Bug reported by Ahmed Abd ElRahman was disclosed on September 11, 2025, 1:57 am | Cross-site Scripting (XSS) - Stored
A stored cross-site scripting vulnerability was discovered in TikTok's contact form backend. Malicious code submitted through the form executed when administrators viewed the submission, exposing sensitive internal data such as cookies, API keys, internal paths, emails, and phone numbers.
resolved
337k users and 1 employee leaked credentials
Bug reported by meowsint was disclosed on September 10, 2025, 2:44 pm | Information Disclosure
The Khan Academy website experienced a data breach, resulting in the leakage of 337.7k user accounts and one employee account. The leaked credentials, including email addresses and passwords, were discovered on a website called "leakradar.io".
resolved
CVE-2025-9086: Out of bounds read for cookie path
Bug reported by Big Sleep was disclosed on September 10, 2025, 6:05 am | Buffer Over-read
resolved
CVE-2025-10148: predictable WebSocket mask
Bug reported by Calvin Ruocco was disclosed on September 10, 2025, 6:05 am | Reusing a Nonce, Key Pair in Encryption