HackerOne Disclosed Reports - 2025-09-10 - Printable Version
+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2025-09-10 (/Thread-HackerOne-Disclosed-Reports-2025-09-10)

HackerOne disclosed reports - 2025-09-10 - hashXploiter - 09-11-2025
Medium
resolved
Chained Broken Access Control in TikTok Live Backstage Enables Full Control of Public Leaderboard Activities
Bug reported by Jovan was disclosed at September 11, 2025, 1:59 am | Privilege Escalation
A broken access control vulnerability in TikTok Live Backstage allowed low-privilege users to gain unauthorized control over public leaderboard activities belonging to other organizations.

Medium
resolved
Stored XSS on TikTok's backend leads to the leakage of highly sensitive administrator data (Cookies, API Keys, Internal Paths, Emails, phone numbers).
Bug reported by Ahmed Abd ElRahman was disclosed at September 11, 2025, 1:57 am | Cross-site Scripting (XSS) - Stored
A stored cross-site scripting vulnerability was discovered in TikTok's contact form backend. Malicious code submitted through the form executed when administrators viewed the submission, exposing sensitive internal data such as cookies, API keys, internal paths, emails, and phone numbers.

High
resolved
337k users and 1 employee leaked credentials
Bug reported by meowsint was disclosed at September 10, 2025, 2:44 pm | Information Disclosure
The Khan Academy website experienced a data breach, resulting in the leakage of 337.7k user accounts and one employee account. The leaked credentials, including email addresses and passwords, were discovered on a website called "leakradar.io".

Low
resolved
CVE-2025-9086: Out of bounds read for cookie path
Bug reported by Big Sleep was disclosed at September 10, 2025, 6:05 am | Buffer Over-read

Low
resolved
CVE-2025-10148: predictable WebSocket mask
Bug reported by Calvin Ruocco was disclosed at September 10, 2025, 6:05 am | Reusing a Nonce, Key Pair in Encryption