HackerOne Disclosed Reports - 2026-04-13 - Printable Version
Dark C0d3rs (https://darkcoders.wiki) > Exploit Log > Research Papers/Vulnerability reports > Thread: HackerOne Disclosed Reports - 2026-04-13
HackerOne disclosed reports - 2026-04-13 - hashXploiter - 04-14-2026
High | Resolved | Cross-site Scripting (XSS) - Stored
[Variation of #3321406] Yet Another 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in Access Temp Auth
Bug reported by Nishant, disclosed at April 14, 2026, 5:54 am
A vulnerability in Cloudflare Access involving the Browser Isolation email field was discovered, which could allow for unauthorized approvals within the Temporary Auth workflow. The issue has been fully remediated.

High | Resolved
[Variation of #1554049] 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in Access Temp Auth
Bug reported by Nishant, disclosed at April 14, 2026, 5:53 am
A vulnerability was discovered in Cloudflare Access that could allow for unauthorized approvals within the Temporary Auth workflow. The issue was resolved after the researcher reported it to Cloudflare.

Low | Resolved | Violation of Secure Design Principles
Brave Shields Domain Reordering Leads to Origin Confusion
Bug reported by kali linux, disclosed at April 13, 2026, 7:59 pm
The Brave Shields feature was observed to reorder domain names, leading to potential origin confusion. Specifically, the domain "1.attacker.com" was displayed as "attacker.com.1", and "1.1.1.1.attacker.com" was displayed as "attacker.com.1.1.1.1". This behavior could potentially mislead users about the actual source of the website.

Medium | Resolved | Insufficiently Protected Credentials
Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute)
Bug reported by Sang Yeong Pyo, disclosed at April 13, 2026, 4:23 pm
The Nextcloud Desktop Client was found to automatically include user credentials (Authorization header with username and password in Base64) when downloading files via the "directDownloadUrl" feature. This allowed a malicious Nextcloud server to specify an attacker-controlled URL, causing the client to leak the user's credentials to the attacker's server. The root cause was the failure to validate the origin of the "directDownloadUrl" and the lack of setting the "DontAddCredentialsAttribute" for cross-origin requests.