Dark C0d3rs
HackerOne Disclosed Reports - 2026-04-27 - Printable Version


HackerOne disclosed reports - 2026-04-27 - hashXploiter - 04-28-2026

High
resolved

IBM Aspera HTTP Gateway stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.


Bug reported by Jh0n was disclosed on April 27, 2026, 1:29 pm   |   Information Disclosure

The IBM Aspera HTTP Gateway stored sensitive information in clear text in easily obtainable files, which could be read by an unauthenticated user. The issue was submitted to IBM, analyzed, and remediated.


Low
resolved

Bypass of Restricted Keyword "Mozilla" in Display Name Field via Unicode Homoglyphs on addons.allizom.org


Bug reported by Aman Bhuiyan was disclosed on April 27, 2026, 9:43 am   |   Improper Input Validation

A restricted keyword bypass vulnerability was discovered on the Firefox Add-ons platform that allowed an attacker to register a display name visually identical to "Mozilla" by using a Unicode homoglyph character. This circumvented the intended restriction and could have been used to impersonate official accounts.


Low
resolved

Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net


Bug reported by Aaqib Hussain was disclosed on April 27, 2026, 4:00 am   |   Improper Access Control - Generic

A vulnerability was discovered in the messaging system of Pixiv.net. The vulnerability allowed any user to bypass the inbox privacy settings and send messages to another user who had disabled their inbox. The vulnerability was triggered by manipulating the id parameter in the message-sending POST request. Additionally, the lack of rate limiting or duplicate request validation allowed attackers to spam users by repeatedly sending the same or modified requests.


High
resolved

Non-premium user can disable Ads in Japanese version of dic.pixiv.net


Bug reported by Luis G. Moret Hernandez was disclosed on April 27, 2026, 3:58 am   |   Business Logic Errors

A vulnerability was identified in the Japanese version of the pixiv dictionary website where non-premium users could disable advertisements. Normally, the ability to disable ads was restricted to premium users only. However, due to improper access control, any authenticated user could modify their ad display preferences without verification of premium status.