Medium
resolved
Blind POST SSRF via Web Push Notification Endpoint
Bug reported by Miso Poop was disclosed on May 30, 2026, 4:47 pm | Server-Side Request Forgery (SSRF)
A vulnerability was discovered in phpBB 4.0.0-alpha1 that allowed registered users to register arbitrary URLs as their Web Push notification endpoint. The endpoint URL was stored without validation and later used by the phpBB server to send outbound HTTP POST requests, potentially leading to blind POST server-side request forgery (SSRF) vulnerabilities.
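
The missing check described above, as an added example in PHP: this is not phpBB's code or its actual fix. The function name `is_allowed_push_endpoint`, the injectable resolver and the host allowlist are assumptions made for illustration.

```php
<?php
// Added example: hypothetical validator, not phpBB's code or its actual fix.
// Assumed allowlist of push-service host suffixes; adjust per deployment.
const PUSH_HOST_SUFFIXES = [
    'fcm.googleapis.com',
    'updates.push.services.mozilla.com',
    'notify.windows.com',
    'push.apple.com',
];

// True only for an https URL on an allowlisted host whose resolved IPv4
// addresses are all public. $resolver is injectable for offline testing.
function is_allowed_push_endpoint(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || strtolower($parts['scheme'] ?? '') !== 'https') {
        return false; // only https endpoints are accepted
    }
    if (isset($parts['user']) || isset($parts['pass']) || empty($parts['host'])) {
        return false; // no embedded credentials, host must be present
    }
    if (($parts['port'] ?? 443) !== 443) {
        return false; // no non-standard ports
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    $allowed = false;
    foreach (PUSH_HOST_SUFFIXES as $suffix) {
        $allowed = $allowed || $host === $suffix || str_ends_with($host, '.' . $suffix);
    }
    if (!$allowed) {
        return false;
    }
    // Defence in depth: reject if any resolved address is private or reserved.
    $resolver ??= static fn(string $h): array => gethostbynamel($h) ?: [];
    $ips = $resolver($host);
    foreach ($ips as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return $ips !== [];
}

// Constructed inputs; the stub resolver returns a stand-in public address.
$stub = static fn(string $h): array => ['8.8.8.8'];
var_dump(is_allowed_push_endpoint('https://fcm.googleapis.com/fcm/send/abc', $stub));
var_dump(is_allowed_push_endpoint('http://127.0.0.1:8080/admin', $stub));
var_dump(is_allowed_push_endpoint('https://fcm.googleapis.com.evil.example/x', $stub));
```

Run the check when the subscription is stored and again before each send, and disable redirect following in the HTTP client, since a DNS answer or a redirect can differ from what was validated.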