resolved
Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission
Bug reported by Hana was disclosed at July 2, 2026, 1:26 am | Client-Side Enforcement of Server-Side Security
A consensus reflection attack on unordered peer submission was discovered in Splatoon 3, allowing an in-match integrity bypass.
resolved
[Splatoon 3] Kick other players with NplnLogin message
Bug reported by Alex was disclosed at July 2, 2026, 1:25 am | Improper Access Control - Generic
A vulnerability was discovered that allowed players to kick other players from a Splatoon 3 game using an NplnLogin message.
resolved
Exceeding the maximum number of spaces allowed by exploiting a Race Condition in the Workspace creation process
Bug reported by Ali Abbas was disclosed at July 1, 2026, 5:42 pm | Business Logic Errors
A race condition vulnerability was discovered in the workspace creation process of SingleStore. The vulnerability allowed users to bypass the limit of one workspace per organization by sending multiple parallel requests to create workspaces. The lack of server-level locking during the creation process enabled concurrent transactions to bypass the workspace limit. The vulnerability was validated and classified as low severity due to limited practical attack vectors and financial impact. The underlying database transactional logic was subsequently patched to prevent this issue.
resolved
Insecure Direct Object Reference (IDOR) allows creating folders.
Bug reported by Ali Abbas was disclosed at July 1, 2026, 5:41 pm | Insecure Direct Object Reference (IDOR)
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in the backend API of a software product. The vulnerability allowed authenticated users with low privileges to create unauthorized folders and files in other users' workspaces within the same organization. The issue was reported, triaged, and resolved by the security team through the implementation of a patch to properly validate cluster ownership before allowing resource creation.
resolved
Delete any folder for any user within the organization
Bug reported by Ali Abbas was disclosed at July 1, 2026, 5:39 pm | Insecure Direct Object Reference (IDOR)
A vulnerability in the SingleStore backend API allowed low-privileged users to delete folders belonging to other users within the same organization by manipulating the folder_id parameter in DELETE requests. The vulnerability was rated CVSS 3.0 Low (3.8) due to high attack complexity requiring knowledge of two UUIDs, reported on September 22, 2025, triaged on October 2, 2025, and successfully patched by SingleStore on April 21, 2026.
resolved
Privilege Escalation – Access to the Alert Subscribers page for users with low privileges
Bug reported by Ali Abbas was disclosed at July 1, 2026, 5:36 pm | Privilege Escalation
A privilege escalation vulnerability was discovered in the SingleStore Helios alert management system. The vulnerability allowed users with low privileges to access the Alert Subscribers API endpoint and retrieve email addresses and alert severity level preferences of notification subscribers, despite lacking authorization to view this information.
resolved
Improper Input Validation — HTTP Response Parser Unconditionally Accepts Bare CR in Status Line
Bug reported by saif was disclosed at July 1, 2026, 3:39 pm | HTTP Request Smuggling
The llhttp HTTP response parser in Node.js up to version 24.14.1 (llhttp v9.3.0 and v9.3.1) was found to unconditionally accept a bare carriage return (CR) as a valid response status line terminator. This parsing asymmetry was present in the response path but not in the request parsing, enabling potential HTTP response queue poisoning attacks. The vulnerability was triggered in strict mode without requiring any lenient flags.