Dark C0d3rs
HackerOne Disclosed Reports - 2026-03-19 - Printable Version

HackerOne disclosed reports - 2026-03-19 - hashXploiter - 03-20-2026

Medium
resolved

Add labels to arbitrary issues/PRs & compromise GitHub Actions label checks


Bug reported by ahacker1 was disclosed on March 19, 2026 at 9:36 pm   |   Insecure Direct Object Reference (IDOR)

A vulnerability was identified that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repository write permissions.


Medium
resolved

PATs without the required scope can leak issues


Bug reported by Sergej Ljubojevic was disclosed on March 19, 2026 at 6:47 pm   |   Improper Access Control - Generic

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through organization membership or as a collaborator for the vulnerability to be exploitable.