resolved
SQL injection in JSONField KeyTransform
Bug reported by Eyal Gabay was disclosed on September 12, 2025, 12:28 am | SQL Injection
A vulnerability was discovered in the JSONField KeyTransform functionality of Django. It allowed SQL injection by crafting malicious user input for the .values() method. The vulnerability was demonstrated in the Django test suite, where a SQL syntax error was triggered by supplying a specially crafted string.
resolved
Chained Broken Access Control in TikTok Live Backstage Enables Full Control of Public Leaderboard Activities
Bug reported by Jovan was disclosed on September 11, 2025, 1:59 am | Privilege Escalation
A broken access control vulnerability in TikTok Live Backstage allowed low-privilege users to gain unauthorized control over public leaderboard activities belonging to other organizations.
resolved
Stored XSS on TikTok's backend leads to the leakage of highly sensitive administrator data (Cookies, API Keys, Internal Paths, Emails, phone numbers).
Bug reported by Ahmed Abd ElRahman was disclosed on September 11, 2025, 1:57 am | Cross-site Scripting (XSS) - Stored
A stored cross-site scripting vulnerability was discovered in TikTok's contact form backend. Malicious code submitted through the form executed when administrators viewed the submission, exposing sensitive internal data such as cookies, API keys, internal paths, emails, and phone numbers.