Dark C0d3rs - All Forums

HackerOne Disclosed Reports - 2026-06-20

Sun, 21 Jun 2026 07:00:04 +0000

Critical
resolved

1-Click Account Takeover via Open Redirect through Regex Bypass in Domain Validation

Bug reported by Duarte was disclosed at June 20, 2026, 3:58 pm | Improper Access Control - Generic

A vulnerability was discovered in the Khan Academy platform that allowed an attacker to achieve full account takeover of any user. The vulnerability was caused by an unescaped dot flaw in the regular expression used to validate redirect URLs. This allowed the attacker to register a malicious domain that passed the validation check, causing the victim's authentication token to be sent to the attacker's server. The attacker could then use this token to gain full access to the victim's account. The issue was addressed by escaping the dots in the regular expression.

HackerOne Disclosed Reports - 2026-06-18

Fri, 19 Jun 2026 07:00:04 +0000

Medium
resolved

HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors

Bug reported by Tim Perry was disclosed at June 18, 2026, 5:34 pm | Uncontrolled Resource Consumption

A flaw in the Node.js HTTP/2 server API was discovered that could cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affected Node.js 22 and Node.js 24.

Low
resolved

Permission Model Bypass via `process.report.writeReport()` Path Misvalidation

Bug reported by Joseph Semaan was disclosed at June 18, 2026, 2:48 pm | Improper Access Control - Generic

A flaw was discovered in the Node.js permission model that allowed bypassing of security controls via the `process.report.writeReport()` path misvalidation.

Medium
resolved

Reflected XSS in AI Chat Bot Greetings at help.shopify.com via Markdown Image Rendering

Bug reported by was disclosed at June 18, 2026, 12:48 pm | Cross-site Scripting (XSS) - Reflected

A reflected XSS vulnerability was reported in the AI chat bot greetings at help.shopify.com. The issue was caused by the rendering of a markdown image in the greeting, which allowed the attacker to inject a payload through the image URL. The vulnerability was addressed by removing the attacker-controlled greeting input path.

HackerOne Disclosed Reports - 2026-06-17

Thu, 18 Jun 2026 07:00:04 +0000

High
resolved

Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql

Bug reported by AB was disclosed at June 17, 2026, 2:17 pm | Code Injection

The GraphQL query on hackerone.com/graphql allowed authenticated users to execute arbitrary Painless scripts through the sort_query argument, without server-side validation or allowlisting. This was confirmed by submitting requests with different Painless script payloads, and observing that the script's return value determined the document ordering in the search results.

HackerOne Disclosed Reports - 2026-06-16

Wed, 17 Jun 2026 07:00:04 +0000

High
resolved

Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file

Bug reported by eldudarino was disclosed at June 16, 2026, 9:47 am | Improper Authentication - Generic

Low
resolved

Malicious Conflux Endpoint Can Leave Stale Global OOO Queue Accounting After Teardown

Bug reported by was disclosed at June 16, 2026, 7:16 am | Uncontrolled Resource Consumption

A vulnerability was discovered in Tor's Conflux OOO queue accounting. The vulnerability could cause the global OOO queue byte counter to remain inflated after a Conflux set was torn down, even though the memory had already been freed. This was due to a lack of accounting updates during the teardown process. No sensitive information was included in the report.

HackerOne Disclosed Reports - 2026-06-11

Fri, 12 Jun 2026 07:00:03 +0000

High
resolved

Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs`

Bug reported by was disclosed at June 11, 2026, 4:54 pm | OS Command Injection

Critical
resolved

RCE + PAT Exfiltration via pull_request_target in privacy-configuration/auto-respond-pr.yml — Direct Supply Chain to All DDG Browsers

Bug reported by Griffin was disclosed at June 11, 2026, 2:30 pm |

A vulnerability was discovered in the "auto-respond-pr.yml" GitHub Actions workflow of the "privacy-configuration" repository. The workflow used the "pull_request_target" trigger, which checked out the fork's repository as both the "base" and "PR" branches. This allowed an attacker to control the code executed by the workflow, leading to arbitrary code execution and the exposure of the "PRIVACY_CONFIG_PAT" secret. The exposed token was likely used for PR auto-approval, enabling the attacker to approve their own PRs and access private repository contents. The vulnerability also resulted in the unconditional exposure of additional secrets, such as "ASANA_ACCESS_TOKEN" and "GH_RO_PAT", when a fork PR was closed.

Critical
resolved

RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml — Affects All DuckDuckGo Browsers

Bug reported by Griffin was disclosed at June 11, 2026, 2:28 pm |

A vulnerability was discovered in the DuckDuckGo content-scope-scripts repository's GitHub Actions workflow. The workflow used the pull_request_target trigger without access controls, allowing untrusted code from fork pull requests to be checked out and executed. This could have led to remote code execution and the potential exfiltration of sensitive information, such as API keys, on the runner. The vulnerability also could have been exploited to manipulate the automated release pipeline, potentially compromising all DuckDuckGo browsers and extensions across multiple platforms.

Medium
resolved

SSRF via Improper Redirect Validation in Rocket.Chat oEmbed Function

Bug reported by KT was disclosed at June 11, 2026, 11:52 am | Server-Side Request Forgery (SSRF)

A vulnerability was discovered in Rocket.Chat version 7.10.1 where the oEmbed feature did not properly validate redirected URLs. This allowed an attacker to bypass SSRF protections and access internal network resources that would otherwise be unreachable.

High
resolved

SSRF via improper validation after DNS name resolution in the link-preview feature

Bug reported by KT was disclosed at June 11, 2026, 11:52 am | Server-Side Request Forgery (SSRF)

The link-preview feature in Rocket.Chat version 7.11.0 did not properly validate the IP address after DNS resolution. This allowed an attacker to obtain a domain that pointed to an internal IP address, triggering SSRF and enabling access to internal hosts that would otherwise be unreachable.

HackerOne Disclosed Reports - 2026-06-09

Wed, 10 Jun 2026 07:00:03 +0000

Low
resolved

Action Text ReDoS (Ruby 3.1 or lower)

Bug reported by ooooooo_q was disclosed at June 9, 2026, 4:37 am | Uncontrolled Resource Consumption

A vulnerability was discovered in the ActionText component of the Rails web framework for Ruby versions 3.1 and lower. The vulnerability was caused by a Regular Expression Denial of Service (ReDoS) issue in the plain_text_for_blockquote_node method. This method was used in the ActionText::Fragment#to_plain_text functionality. The vulnerability could be triggered by crafting malicious text and calling the to_plain_text method. The vulnerability was resolved in later versions of Ruby.

HackerOne Disclosed Reports - 2026-06-08

Tue, 09 Jun 2026 07:00:04 +0000

Low
resolved

Action Text ReDoS (Ruby 3.1 or lower)

Bug reported by ooooooo_q was disclosed at June 9, 2026, 4:37 am | Uncontrolled Resource Consumption

HackerOne Disclosed Reports - 2026-06-07

Mon, 08 Jun 2026 07:00:04 +0000

Medium
resolved

Valid share tokens allow to access tempory upload files of share owner

Bug reported by Pirikara was disclosed at June 7, 2026, 9:31 am | Improper Access Control - Generic

A vulnerability was discovered that allowed access to temporary upload files of a share owner using valid share tokens.

High
resolved

Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC

Bug reported by priyanka chandrakar was disclosed at June 7, 2026, 9:16 am | Improper Authentication - Generic

An authentication bypass vulnerability was discovered in the ID4me handling in the OIDC implementation. The vulnerability was caused by missing JWT signature verification for user authentication.

Medium
resolved

PIN bypass in PassCodeActivity via back button

Bug reported by Alper Öztürk was disclosed at June 7, 2026, 8:14 am | Improper Authentication - Generic

A vulnerability was discovered in the PassCodeActivity of a certain application. The vulnerability allowed bypassing the PIN code by pressing the back button.

HackerOne Disclosed Reports - 2026-06-05

Sat, 06 Jun 2026 07:00:03 +0000

High
resolved

DLL side-loading vulnerability in Sony Music Center for PC Ver. 2.7.2 (Latest version)

Bug reported by Suphawith Phusanbai was disclosed at June 5, 2026, 9:10 am | Uncontrolled Search Path Element

A DLL side-loading vulnerability was discovered in Sony Music Center for PC Ver. 2.7.2. The application insecurely searched for a missing DLL file in the system PATH environment, allowing an attacker with access to the victim's local machine to achieve arbitrary code execution by placing a malicious DLL file in the PATH. The vulnerability was referenced in the MITRE ATT&CK framework.

HackerOne Disclosed Reports - 2026-06-03

Thu, 04 Jun 2026 07:00:04 +0000

Medium
resolved

Missing access control when linking banners or campaigns to zones

Bug reported by Ahmed Ghadban was disclosed at June 3, 2026, 1:35 pm | Improper Access Control - Generic

A missing access control check was identified when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API. This could have allowed a low-privileged user to link their zones to banners or campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that banners and campaigns can only be linked to zones managed by the same account.

Medium
resolved

Missing access control when linking trackers to campaigns

Bug reported by Ahmed Ghadban was disclosed at June 3, 2026, 1:35 pm | Improper Access Control - Generic

A missing access control check was reported when linking trackers to campaigns through the "campaign-trackers.php" script of Revive Adserver 6.0.6 and earlier. A low-privileged user could link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that campaigns can only be linked to trackers owned by the same advertiser.

High
resolved

Blind SQL injection via clientid parameter in zone‑include.php

Bug reported by Kaushalendra Dubey was disclosed at June 3, 2026, 1:34 pm | SQL Injection

Medium
resolved

Reflected XSS via clientid parameter in zone‑include.php

Bug reported by Kaushalendra Dubey was disclosed at June 3, 2026, 1:34 pm | Cross-site Scripting (XSS) - Reflected

High
resolved

PHP code injection via delivery limitation logical

Bug reported by 0x4C616E was disclosed at June 3, 2026, 1:33 pm | Code Injection

Medium
resolved

Stored XSS via Full Name field in userlog email entries

Bug reported by was disclosed at June 3, 2026, 1:33 pm | Cross-site Scripting (XSS) - Stored

Medium
resolved

Session ID reuse allowing XML‑RPC API authentication bypass

Bug reported by 0x4C616E was disclosed at June 3, 2026, 1:33 pm | Improper Authentication - Generic

Medium
resolved

Missing access control when modifying parent entities via XML‑RPC

Bug reported by was disclosed at June 3, 2026, 1:32 pm | Improper Access Control - Generic

Medium
resolved

Banner status override by advertiser‑level users

Bug reported by Vertical was disclosed at June 3, 2026, 1:32 pm | Improper Access Control - Generic

A vulnerability was reported in Revive Adserver 6.0.6 and earlier, which allowed an advertiser-level user to activate or deactivate a banner without proper permissions. The issue was caused by the banner-edit.php script, which allowed the banner status to be overwritten solely based on banner edit permissions.

High
resolved

PHP code injection via unexpected delivery limitation parameter

Bug reported by rajib mahmud was disclosed at June 3, 2026, 1:29 pm | Code Injection

A vulnerability was reported in Revive Adserver 6.0.6 and earlier versions where user input was not properly validated when saving delivery limitations. This allowed a low-privileged user to inject malicious PHP code into the `compiledlimitations` field, which could then be executed during banner delivery.

The AI Red Team Walkthrough: From Jailbreaks to Agent Compromise

Wed, 03 Jun 2026 07:14:42 +0000

HackerOne Disclosed Reports - 2026-06-02

Wed, 03 Jun 2026 07:00:05 +0000

High
resolved

page.line.me Open Redirect Leading to OAuth Authorization Code Exposure and Access Token Compromise

Bug reported by Natthakul Raingoen was disclosed at June 2, 2026, 3:30 am |

An open redirect vulnerability was identified in page.line.me because redirect destinations were not properly restricted to trusted domains. This vulnerability could have been abused within an OAuth 2.0 authorization flow to cause the authorization response to be sent to an attacker-controlled endpoint, potentially exposing the authorization code issued after successful user authentication.

Certification Exam Opportunity 100% OFF: Certified LLM Security Professional (CLLMSP)

Wed, 03 Jun 2026 06:33:40 +0000

Large Language Models are changing the way organizations build, automate, and secure technology. But with this innovation comes a new class of security risks, including prompt injection, jailbreaks, tool poisoning, insecure AI agents, RAG data leakage, shadow AI, and MCP security issues.

The Certified LLM Security Professional (CLLMSP) exam was designed for professionals who want to understand, test, secure, and govern LLM-powered systems in real-world environments.

This certification covers key areas such as:
• LLM architecture and security fundamentals
• OWASP Top 10 for LLMs
• Jailbreak attacks and defenses
• MCP security
• AI agents and orchestration risks
• AI governance, NIST AI RMF, ISO/IEC 42001, and EU AI Act
• Data privacy and compliance
• Secure AI-assisted development
• Incident response for AI systems

The exam includes 200 questions across 9 domains and is built for Security Engineers, AI/ML Engineers, Red Teamers, Pentesters, DevSecOps professionals, GRC teams, CISOs, and anyone working with AI security.

Use the coupon below to take the exam for free:
Coupon: AISECURITYFORALL

You are not allowed to view links. Register or Login to view.

HackerOne Disclosed Reports - 2026-06-01

Tue, 02 Jun 2026 07:00:04 +0000

High
resolved

page.line.me Open Redirect Leading to OAuth Authorization Code Exposure and Access Token Compromise

Bug reported by Natthakul Raingoen was disclosed at June 2, 2026, 3:30 am |

HackerOne Disclosed Reports - 2026-05-30

Sun, 31 May 2026 07:00:05 +0000

Medium
resolved

Blind POST SSRF via Web Push Notification Endpoint

Bug reported by Miso Poop was disclosed at May 30, 2026, 4:47 pm | Server-Side Request Forgery (SSRF)

A vulnerability was discovered in phpBB 4.0.0-alpha1 that allowed registered users to register arbitrary URLs as their Web Push notification endpoint. The endpoint URL was stored without validation and later used by the phpBB server to send outbound HTTP POST requests, potentially leading to blind POST server-side request forgery (SSRF) vulnerabilities.