HackerOne Disclosed Reports - 2026-01-12


Low
resolved

Information Disclosure in API Endpoint /users


Bug reported by muhammed abdullah was disclosed at January 12, 2026, 8:48 pm   |   Information Disclosure

An endpoint (/users) was exposing sensitive user information, including id, first name, last name, email, role, and auth_data, to unauthenticated users. This allowed anyone to retrieve private user details without authentication.


Low
resolved

Publicly Accessible CDN Endpoint Exposing XML Metadata (including ETag)


Bug reported by lord voldemort was disclosed at January 12, 2026, 8:47 pm   |   Information Disclosure

A publicly accessible CDN endpoint was found that returned raw XML listing of stored objects, including metadata such as Key, LastModified, Size, StorageClass, and ETag. The ETag values, which can contain object hashes, were exposed publicly. This configuration allowed reconnaissance of the underlying storage contents and potential fingerprinting of files.


Low
resolved

Create account without auth via response manipulation


Bug reported by ALI AL-AKBAR was disclosed at January 12, 2026, 8:45 pm   |   Business Logic Errors

A vulnerability was discovered that allowed creating an account without authentication by manipulating the response. This vulnerability could have been used to create and join an event without the required event code or email verification.


Low
resolved

Information Disclosure via Publicly Accessible Debug Log


Bug reported by Mahmoud_kroush (رَجُل المٌسًتَحِيل) was disclosed at January 12, 2026, 8:44 pm   |   Information Exposure Through Debug Information

A publicly accessible WordPress debug log file was discovered on the target system. The log file contained PHP warnings and deprecated notices that disclosed sensitive server paths and plugin details. This exposure may have assisted an attacker in fingerprinting the environment or exploiting known vulnerabilities in specific plugins.


Low
resolved

Debug Info disclose


Bug reported by SAQIB_ARIF was disclosed at January 12, 2026, 8:44 pm   |   Information Exposure Through Debug Information

A debug information disclosure vulnerability was discovered. The vulnerability allowed the disclosure of debug output information through a specific request parameter. The vulnerability has been reported but no further details are provided.


Medium
resolved

Reflected XSS Vulnerability in SSL VPN Endpoint — CVE-2025-0133


Bug reported by Karim Mohamed was disclosed at January 12, 2026, 8:43 pm   |   Cross-site Scripting (XSS) - Reflected

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in an SSL VPN endpoint. The vulnerability was assigned the CVE number CVE-2025-0133. The vulnerability allowed an unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of a victim who clicked on a maliciously crafted link. The affected product and version were not specified.


Medium
resolved

Reflected XSS via user Parameter in /ssl-vpn/getconfig.esp


Bug reported by Sayed Abdou was disclosed at January 12, 2026, 8:42 pm   |   Cross-site Scripting (XSS) - Reflected

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the user parameter of the /ssl-vpn/getconfig.esp endpoint. This allowed an attacker to inject and execute arbitrary JavaScript in a user's browser. The vulnerability was found on a .mil domain associated with a VPN configuration system. The affected product was the Fortinet FortiGate SSL VPN Web Portal, version 3.0.1-10.


Medium
resolved

Reflected XSS via user Parameter on getconfig.esp Endpoint


Bug reported by Sayed Abdou was disclosed at January 12, 2026, 8:41 pm   |   Cross-site Scripting (XSS) - Reflected

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /ssl-vpn/getconfig.esp endpoint, where user input in the 'user' parameter was not properly sanitized and allowed the injection of arbitrary JavaScript. This could have enabled remote attackers to execute malicious scripts in the victim's browser.


Medium
resolved

XSS on ███


Bug reported by Ø was disclosed at January 12, 2026, 8:40 pm   |   Cross-site Scripting (XSS) - Reflected

A reflected Cross-Site Scripting (XSS) vulnerability was discovered on the search functionality of the affected system. The vulnerability was triggered by entering a crafted input in the search field. The impact of this vulnerability was the potential execution of arbitrary JavaScript code in the context of the affected website.


Medium
resolved

Cross-Site Scripting via URL on ████████


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:40 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered on a specific system through the GET method. The vulnerability allowed the injection of malicious scripts that could be executed. The provided payload demonstrated the vulnerability. The system host and affected product(s) and version(s) were not specified. No CVE numbers were provided. The mitigation recommended was to apply context-dependent encoding and/or validation to user input rendered on a page.


Medium
resolved

Cross-Site Scripting via 'currentImage' parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:39 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered on a website from the U.S. Navy through the 'currentImage' parameter in the GET method. The vulnerability allowed for the injection of malicious scripts that could potentially be executed. A proof of concept was provided that demonstrated the vulnerability.


Medium
resolved

Cross-Site Scripting via 'wikitext' parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:38 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered in the 'wikitext' parameter of a web application. The vulnerability allowed an attacker to inject malicious scripts that could be executed by the application. No further details were provided regarding the impact or the affected product.


Medium
resolved

Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ███████


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:37 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered in an ASP.NET web application. The issue was caused by improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed the injection of arbitrary JavaScript payloads that could execute in the context of the user's browser.


Medium
resolved

Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ███████


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:36 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was identified in an ASP.NET web application. The issue arose from improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the context of the user's browser.


Medium
resolved

Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ██████████


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:35 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was identified in an ASP.NET web application. The issue arose from improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the context of the user's browser. The vulnerability was triggered using a specially crafted payload.


Medium
resolved

Cross-Site Scripting via URL on ███████


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:34 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered on an official domain from the Department of Defense. The vulnerability could be exploited through the GET method, allowing an attacker to inject malicious scripts that could potentially be executed. No further details were provided.


Medium
resolved

Cross-Site Scripting via URL on ███████


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:33 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered on a website from the U.S. Department of Defense. The vulnerability was found in the GET method via the URL. Exploitation of this vulnerability could have led to the execution of malicious scripts. No further details about the vulnerability or the affected product were provided.


Medium
resolved

Cross-Site Scripting via 'RAISED_FUNDS_DESC' parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:33 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered in the parameter 'RAISED_FUNDS_DESC' through the POST method on the target website. Exploitation of this vulnerability could have led to consequences such as cookie theft and session hijacking. The vendor was notified, and appropriate mitigations were recommended, such as applying context-dependent encoding and/or validation to user input.


Medium
resolved

Cross-Site Scripting via 'autoPlay' parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:32 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered on a website through the 'autoPlay' parameter in the GET method. Exploitation of this vulnerability allowed the injection of malicious scripts that could be executed. A proof of concept was provided demonstrating an alert pop-up.


Medium
resolved

Cross-Site Scripting via 'description_extra' parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:32 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered in the 'description_extra' parameter of the application. The vulnerability allowed an attacker to inject malicious scripts that could be executed, potentially leading to unintended consequences. The vulnerability was reported and the necessary mitigation actions were recommended to address the issue.


Medium
resolved

Reflected XSS in `Telerik.ReportViewer.axd` with F5 BIG-IP ASM Bypass on `████`


Bug reported by reinhardt was disclosed at January 12, 2026, 8:31 pm   |   Cross-site Scripting (XSS) - Reflected

A reflected cross-site scripting (XSS) vulnerability was discovered in the Telerik.ReportViewer.axd endpoint on the staging subdomain. The vulnerability was exploited by leveraging an unsupported event handler that was not filtered by the F5 BIG-IP Application Security Manager (ASM) WAF. An obfuscated payload was also used to bypass the WAF's signature-based detection.


Medium
resolved

Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ██████


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:30 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was identified in an ASP.NET web application. The issue arose from improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the context of the user's browser.


Medium
resolved

Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on ████


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:29 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was identified in an ASP.NET web application. The issue was caused by improper handling of URLs passed to the ResolveUrl method, which failed to sanitize user-controlled input. This allowed injection of arbitrary JavaScript payloads that executed in the context of the user's browser.


Medium
resolved

Cross-Site Scripting via 'EVENT_DESCRIPTION' parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:26 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered in the POST method on the website, specifically through the EVENT_DESCRIPTION parameter. Exploitation of this vulnerability could have led to severe consequences, including session hijacking. The vulnerability was caused by insufficient sanitization of user input rendered on the page.


Medium
resolved

exposed FOUO documents, including Passport information


Bug reported by Shay was disclosed at January 12, 2026, 8:25 pm   |   Information Disclosure

A set of FOUO documents, including a person's passport information, was found posted online. The documents were hosted on various government websites and did not appear to contain highly sensitive information, aside from the passport details. The Distributed Denial of Secrets website was also reported to be leaking "Secret" U.S. documents related to stolen military vehicle number plates.


Medium
resolved

Cross-Site Scripting via 'return_link_url' parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:10 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered on a website. The vulnerability was found in the 'return_link_url' parameter, which allowed an attacker to inject malicious scripts that could be executed. Exploitation of this vulnerability could have led to consequences such as cookie theft and session hijacking.


Medium
resolved

POST XSS - data[account][id] parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:09 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered in the POST method through the "data[account][id]" parameter. The vulnerability allowed the injection of malicious scripts that could be executed. The affected system was located on a system host. The vulnerability was not assigned a CVE number.


Medium
resolved

POST XSS - data[type] parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:08 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered on a certain system. The vulnerable parameter was data[type], which allowed an attacker to inject malicious scripts that could be executed. The vulnerability was reported and referenced.


Medium
resolved

POST XSS - fields[account][firstname] parameter


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:07 pm   |   Cross-site Scripting (XSS) - Reflected

A cross-site scripting (XSS) vulnerability was discovered in a parameter named "fields[account][firstname]" that was processed via the POST method. The vulnerability allowed the injection of malicious scripts that could be executed when the affected page was loaded. The impact of the vulnerability was not specified.


Medium
resolved

Reflected Cross-Site Scripting (XSS)


Bug reported by princeofpersia was disclosed at January 12, 2026, 8:06 pm   |   Cross-site Scripting (XSS) - Reflected

A reflected cross-site scripting (XSS) vulnerability was discovered. An attacker could have crafted a URL that, when visited, would have triggered a JavaScript alert function, confirming the vulnerability. The vulnerability was present in the affected system. No further details about the affected product or system were provided.


Medium
resolved

Cross-Site Scripting via 'fname' parameter in ███


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:05 pm   |   Cross-site Scripting (XSS) - Reflected

A Cross-Site Scripting (XSS) vulnerability was discovered in the 'fname' parameter of the target application. The vulnerability allowed an attacker to inject malicious scripts that could be executed. Exploitation of this vulnerability could have led to consequences such as cookie theft and session hijacking.


Medium
resolved

Sensitive Images & Files Exposed Through Directory Listing


Bug reported by Mohamed Dhanish was disclosed at January 12, 2026, 8:04 pm   |   Information Exposure Through Directory Listing

During reconnaissance, a directory listing was identified that provided an index of resources located inside the directory. The specific files exposed were not provided. The affected system host was not disclosed.


Medium
resolved

Cross-Site Scripting (XSS) Vulnerability via parameter c0-id + Akamai Firewall Bypass


Bug reported by Jonas Dias Rebelo was disclosed at January 12, 2026, 8:03 pm   |   Cross-site Scripting (XSS) - DOM

A Cross-Site Scripting (XSS) vulnerability was discovered on a specific website. The vulnerability was found in the POST method, allowing the injection of malicious scripts that could be executed. Exploitation of this vulnerability could have led to consequences such as cookie theft and session hijacking. Steps to reproduce the vulnerability were provided, and the vendor was advised to apply context-dependent encoding and/or validation to user input rendered on the page.


Medium
resolved

POST XSS - fields[account][lastname] parameter


Bug reported by