6 hours ago
High
resolved
Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS
Bug reported by mbarbs was disclosed on April 23, 2026, 10:21 pm
A flaw was discovered in the Node.js TLS error handling that left SNICallback invocations unprotected against synchronous exceptions. This represented an incomplete fix of the prior CVE-2026-21637 vulnerability, where the equivalent ALPN and PSK callbacks were already addressed. The issue could lead to a Remote Denial of Service when an SNICallback threw synchronously on unexpected input, causing the exception to bypass TLS error handlers and propagate as an uncaught exception, crashing the Node.js process.
Medium
resolved
RBAC bypass on App log endpoints via `permissionRequired` typo — any authenticated user reads admin-only Enterprise App logs
Bug reported by Arccode was disclosed on April 23, 2026, 9:45 am | Improper Access Control - Generic