HackerOne Disclosed Reports - 2026-06-18 - Printable Version
Dark C0d3rs (https://darkcoders.wiki), Forum: Research Papers/Vulnerability reports
HackerOne disclosed reports - 2026-06-18 - hashXploiter - 06-19-2026
Medium
resolved
HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors
Bug reported by Tim Perry was disclosed at June 18, 2026, 5:34 pm | Uncontrolled Resource Consumption
A flaw in the Node.js HTTP/2 server API was discovered that could cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affected Node.js 22 and Node.js 24.
Low
resolved
Permission Model Bypass via `process.report.writeReport()` Path Misvalidation
Bug reported by Joseph Semaan was disclosed at June 18, 2026, 2:48 pm | Improper Access Control - Generic
A flaw was discovered in the Node.js permission model that allowed bypassing of security controls via the `process.report.writeReport()` path misvalidation.
Medium
resolved
Reflected XSS in AI Chat Bot Greetings at help.shopify.com via Markdown Image Rendering
Bug reported by was disclosed at June 18, 2026, 12:48 pm | Cross-site Scripting (XSS) - Reflected
A reflected XSS vulnerability was reported in the AI chat bot greetings at help.shopify.com. The issue was caused by the rendering of a markdown image in the greeting, which allowed the attacker to inject a payload through the image URL. The vulnerability was addressed by removing the attacker-controlled greeting input path.