HackerOne Disclosed Reports - 2026-04-14 - Printable Version
Dark C0d3rs (https://darkcoders.wiki), Forum: Research Papers/Vulnerability reports
HackerOne disclosed reports - 2026-04-14 - hashXploiter - 04-15-2026
High | resolved | DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover
Reported by XavLimSG, disclosed April 14, 2026, 9:36 pm | Cross-site Scripting (XSS) - DOM
A DOM XSS vulnerability was discovered in the file import functionality of the Fizzy application. The vulnerability allowed an attacker to craft a malicious filename that, when previewed by the victim user, would inject a second form submission into the import page. This enabled the attacker to perform actions on the victim's account, such as changing the email address, creating a personal access token, and deleting the account, all using the victim's authenticated session.

Low | resolved | Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure
Reported by XavLimSG, disclosed April 14, 2026, 7:25 pm | Improper Access Control - Generic
The vulnerability allowed for cross-tenant ActionText reference resolution and data disclosure during the account import flow. The import process did not properly verify the ownership of the referenced records before minting signed global IDs, enabling an attacker to access and disclose data from other accounts.

High | resolved | [Variation of #3321406] YetAnother 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in AccessTempAuth
Reported by Nishant, disclosed April 14, 2026, 5:54 am | Cross-site Scripting (XSS) - Stored
A vulnerability in Cloudflare Access involving the Browser Isolation email field was discovered, which could allow for unauthorized approvals within the Temporary Auth workflow. The issue has been fully remediated.

High | resolved | [Variation of #1554049] 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in Access Temp Auth
Reported by Nishant, disclosed April 14, 2026, 5:53 am
A vulnerability was discovered in Cloudflare Access that could allow for unauthorized approvals within the Temporary Auth workflow. The issue was resolved after the researcher reported it to Cloudflare.