Dark C0d3rs

Full Version: HackerOne Disclosed Reports - 2026-01-14
Medium
resolved

Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes

Bug reported by SomeRandomDeveloper was disclosed at January 14, 2026, 1:05 pm   |   Information Disclosure

A vulnerability was discovered in the style sanitizer of Roundcube Webmail that allowed bypassing the sanitizer using CSS character escapes. This enabled the use of arbitrary inline CSS, such as the `url()` function, which could be used to retrieve the IP address and user agent of the person reading the email.


Medium
resolved

[revive-adserver] Reflected XSS in Banner Delivery Options via cap parameter

Bug reported by Patrick was disclosed at January 14, 2026, 10:51 am   |   Cross-site Scripting (XSS) - Reflected


Medium
resolved

Reflected XSS in banner-acl.php and channel-acl.php via executionorder

Bug reported by Patrick was disclosed at January 14, 2026, 10:51 am   |   Cross-site Scripting (XSS) - Reflected


Medium
resolved

Reflected XSS in afr.php

Bug reported by Huynh Pham Thanh Luc was disclosed at January 14, 2026, 10:50 am   |   Cross-site Scripting (XSS) - Reflected


High
resolved

Broken Access Control allows advertiser accounts to delete trackers they do not own

Bug reported by Jad Ghamloush was disclosed at January 14, 2026, 10:49 am   |   Improper Access Control - Generic


Low
resolved

INI Format string injection in Revive Adserver 6.0.4 settings

Bug reported by Faraz Ahmed was disclosed at January 14, 2026, 10:48 am   |   Use of Externally-Controlled Format String