Dark C0d3rs
HackerOne Disclosed Reports - 2025-11-06 - Printable Version




HackerOne disclosed reports - 2025-11-06 - hashXploiter - 11-07-2025

Low | resolved

Low-privileged user can enable or disable Lovable AI for new projects in workspace


Bug reported by antonio was disclosed at November 7, 2025, 3:52 am   |   Improper Authorization

A vulnerability was discovered that allowed low-privileged users to enable or disable Lovable AI for new projects in a workspace. The vulnerability was caused by improper authorization, which enabled low-privileged users to modify the Lovable AI settings by replaying certain API endpoints.


Critical | resolved

SQL Injection in Django ORM via Unvalidated `_connector` in Q Objects


Bug reported by Stanley Shaw was disclosed at November 6, 2025, 9:09 pm   |   SQL Injection

A critical SQL injection vulnerability was discovered in the Django ORM's handling of Q objects. The internal `WhereNode.as_sql` method used unsafe string formatting to inject the query connector, which could be controlled by an attacker through the `_connector` key when creating a Q object. This allowed arbitrary SQL to be injected into the WHERE clause, bypassing the ORM's parameterization safeguards.
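The following is an added illustration of the connector-validation point in the Django report above; it is not code from the post, from HackerOne, or from Django itself. `SafeQ`, `join_conditions` and `as_sql` are a deliberately simplified stand-in for an ORM's Q/WhereNode pair (an assumption for illustration, not Django's real classes): conditions are parameterised, but the joining connector is pasted into the SQL text with string formatting, so the only thing standing between a caller-supplied `_connector` value and the WHERE clause is an allowlist check at construction time.

```python
from typing import Any, List, Optional, Tuple

# The only connectors a WHERE clause joiner should ever emit.
ALLOWED_CONNECTORS = frozenset({"AND", "OR"})

Condition = Tuple[str, Any]  # (column, value)


def join_conditions(children: List[Condition], connector: str) -> Tuple[str, list]:
    """Join ``column = %s`` placeholders with *connector* via string formatting.

    This models the unsafe pattern named in the report: the values are
    parameterised, but the connector is interpolated verbatim and never
    checked here, so an unvalidated caller-controlled connector lands in
    the SQL text unchanged. It is only safe when the caller has validated it.
    """
    clauses = [f"{column} = %s" for column, _ in children]
    params = [value for _, value in children]
    return "(" + f" {connector} ".join(clauses) + ")", params


class SafeQ:
    """Simplified Q-object stand-in (hypothetical; not Django's class).

    Filter conditions arrive as keyword arguments and the joining connector
    via ``_connector``, the same key the report names. Validation happens at
    construction, so a value smuggled in through ``SafeQ(**untrusted_dict)``
    is rejected before any SQL is rendered.
    """

    default_connector = "AND"

    def __init__(self, _connector: Optional[str] = None, **conditions: Any) -> None:
        connector = self.default_connector if _connector is None else _connector
        if connector not in ALLOWED_CONNECTORS:
            raise ValueError(
                f"invalid connector {connector!r}; expected one of {sorted(ALLOWED_CONNECTORS)}"
            )
        self.connector = connector
        self.children: List[Condition] = list(conditions.items())


def as_sql(q: SafeQ) -> Tuple[str, list]:
    """Render a SafeQ. The connector was validated when the object was built."""
    return join_conditions(q.children, q.connector)


def build_filter_from_request(untrusted: dict) -> SafeQ:
    """Boundary function for caller-supplied filter dictionaries.

    Passing a request-derived dict straight into the Q constructor is the
    shape of code the report's finding applies to; with the allowlist check
    in SafeQ, an unexpected ``_connector`` raises instead of reaching SQL.
    """
    return SafeQ(**untrusted)


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed filter, one with a connector
    # value that is not a SQL boolean operator.
    good = {"name": "alice", "age": 30}
    print(as_sql(build_filter_from_request(good)))
    try:
        build_filter_from_request({"_connector": "XOR", **good})
    except ValueError as exc:
        print("rejected:", exc)
```

The unvalidated joiner is shown on purpose: `join_conditions([("a", 1), ("b", 2)], "XOR")` yields `(a = %s XOR b = %s)`, which is exactly the verbatim pass-through the report describes, while `SafeQ` never lets such a value reach it. In a review of ORM-style code, look for the connector (or any SQL keyword) being chosen by the caller and confirm it is compared against a fixed set before it is formatted into a query string.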