<![CDATA[Dark C0d3rs - All Forums]]> https://darkcoders.wiki/ Sat, 09 May 2026 11:03:37 +0000 MyBB <![CDATA[HackerOne Disclosed Reports - 2026-05-08]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-08 Sat, 09 May 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-08
Logo
Low
resolved

Private circle can be added to another circle via API despite visibility restriction


Bug reported by Dang Hung Vi was disclosed at May 8, 2026, 12:55 pm   |   Insecure Direct Object Reference (IDOR)

A vulnerability was discovered where private circles could be added to other circles via the API, despite visibility restrictions.


Logo
Low
resolved

Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner


Bug reported by 0x0.eth was disclosed at May 8, 2026, 11:08 am   |   Insecure Direct Object Reference (IDOR)

Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner.


Logo
Low
resolved

View-only guests could see deleted Collectives pages in the trashbin


Bug reported by _dha was disclosed at May 8, 2026, 8:35 am   |   Improper Access Control - Generic

A vulnerability was discovered where view-only guests could see deleted Collectives pages in the trashbin.


]]>
Logo
Low
resolved

Private circle can be added to another circle via API despite visibility restriction


Bug reported by Dang Hung Vi was disclosed at May 8, 2026, 12:55 pm   |   Insecure Direct Object Reference (IDOR)

A vulnerability was discovered where private circles could be added to other circles via the API, despite visibility restrictions.


Logo
Low
resolved

Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner


Bug reported by 0x0.eth was disclosed at May 8, 2026, 11:08 am   |   Insecure Direct Object Reference (IDOR)

Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner.


Logo
Low
resolved

View-only guests could see deleted Collectives pages in the trashbin


Bug reported by _dha was disclosed at May 8, 2026, 8:35 am   |   Improper Access Control - Generic

A vulnerability was discovered where view-only guests could see deleted Collectives pages in the trashbin.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-05-07]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-07 Fri, 08 May 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-07
Logo
Medium
resolved

ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection


Bug reported by kim siwong was disclosed at May 7, 2026, 2:04 pm   |   Path Traversal

A vulnerability was discovered in the ActiveStorage Disk Service component of Ruby on Rails. The vulnerability allowed an attacker to achieve arbitrary file write, read, and delete on the server's filesystem by injecting a malicious blob key. The vulnerability was due to insufficient validation of the blob key parameter before constructing file paths. This could be exploited by an attacker who could influence the hash passed to the `.attach()` method.


]]>
Logo
Medium
resolved

ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection


Bug reported by kim siwong was disclosed at May 7, 2026, 2:04 pm   |   Path Traversal

A vulnerability was discovered in the ActiveStorage Disk Service component of Ruby on Rails. The vulnerability allowed an attacker to achieve arbitrary file write, read, and delete on the server's filesystem by injecting a malicious blob key. The vulnerability was due to insufficient validation of the blob key parameter before constructing file paths. This could be exploited by an attacker who could influence the hash passed to the `.attach()` method.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-05-06]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-06 Thu, 07 May 2026 07:00:06 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-06
Logo
Critical
resolved

Critical Deadlock Vulnerability in Monero RPC Leading to Complete Node Paralysis


Bug reported by rorkh was disclosed at May 6, 2026, 5:13 pm   |   Uncontrolled Resource Consumption

A deadlock vulnerability was discovered in the Monero JSON-RPC interface that allowed a remote, unauthenticated attacker to completely paralyze any Monero node with a single HTTP request containing specific batch methods, leading to permanent denial of service. The vulnerability affected all releases of Monero up to version 0.18.4.2 and likely previous versions, across all operating systems. The vulnerability was rated as critical, with a CVSS 3.0 score of 10.0.


]]>
Logo
Critical
resolved

Critical Deadlock Vulnerability in Monero RPC Leading to Complete Node Paralysis


Bug reported by rorkh was disclosed at May 6, 2026, 5:13 pm   |   Uncontrolled Resource Consumption

A deadlock vulnerability was discovered in the Monero JSON-RPC interface that allowed a remote, unauthenticated attacker to completely paralyze any Monero node with a single HTTP request containing specific batch methods, leading to permanent denial of service. The vulnerability affected all releases of Monero up to version 0.18.4.2 and likely previous versions, across all operating systems. The vulnerability was rated as critical, with a CVSS 3.0 score of 10.0.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-05-05]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-05 Wed, 06 May 2026 07:00:05 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-05
Logo
Low
resolved

Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption


Bug reported by was disclosed at May 5, 2026, 3:07 pm   |  

A security issue was discovered in the /api-internal/login authentication endpoint of the internal login interface of Burp Suite DAST (Enterprise). The issue was caused by improper input validation order, where the application processed user-supplied input before enforcing field-level validation. This allowed extremely large payloads in the password field to be buffered and parsed prior to rejection, resulting in unnecessary resource consumption. The application fully processed the requests before applying validation, violating the fail-fast principle.


]]>
Logo
Low
resolved

Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption


Bug reported by was disclosed at May 5, 2026, 3:07 pm   |  

A security issue was discovered in the /api-internal/login authentication endpoint of the internal login interface of Burp Suite DAST (Enterprise). The issue was caused by improper input validation order, where the application processed user-supplied input before enforcing field-level validation. This allowed extremely large payloads in the password field to be buffered and parsed prior to rejection, resulting in unnecessary resource consumption. The application fully processed the requests before applying validation, violating the fail-fast principle.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-05-01]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-01 Sat, 02 May 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-05-01
Logo
High
resolved

Double fdrop on a socket through sys_netcontrol


Bug reported by SlidyBat was disclosed at May 1, 2026, 1:41 am   |   Double Free

The netcontrol syscall in the kernel had a vulnerability where the socket file descriptor was not properly validated when removing a socket from a netevent structure. This allowed an attacker to cause a double fdrop on a socket, potentially leading to a use-after-free condition.


]]>
Logo
High
resolved

Double fdrop on a socket through sys_netcontrol


Bug reported by SlidyBat was disclosed at May 1, 2026, 1:41 am   |   Double Free

The netcontrol syscall in the kernel had a vulnerability where the socket file descriptor was not properly validated when removing a socket from a netevent structure. This allowed an attacker to cause a double fdrop on a socket, potentially leading to a use-after-free condition.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-30]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-30 Fri, 01 May 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-30
Logo
High
resolved

Double fdrop on a socket through sys_netcontrol


Bug reported by SlidyBat was disclosed at May 1, 2026, 1:41 am   |   Double Free

The netcontrol syscall in the kernel had a vulnerability where the socket file descriptor was not properly validated when removing a socket from a netevent structure. This allowed an attacker to cause a double fdrop on a socket, potentially leading to a use-after-free condition.


]]>
Logo
High
resolved

Double fdrop on a socket through sys_netcontrol


Bug reported by SlidyBat was disclosed at May 1, 2026, 1:41 am   |   Double Free

The netcontrol syscall in the kernel had a vulnerability where the socket file descriptor was not properly validated when removing a socket from a netevent structure. This allowed an attacker to cause a double fdrop on a socket, potentially leading to a use-after-free condition.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-29]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-29 Thu, 30 Apr 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-29
Logo
Medium
resolved

CVE-2026-7168: cross-proxy Digest auth state leak


Bug reported by kilua was disclosed at April 29, 2026, 7:15 am   |   Exposure of Data Element to Wrong Session


Logo
Medium
resolved

CVE-2026-7009: OCSP stapling bypass with Apple SecTrust


Bug reported by Carlos Carrillo Boj was disclosed at April 29, 2026, 7:15 am   |   Improper Certificate Validation


Logo
Medium
resolved

CVE-2026-6253: proxy credentials leak over redirect-to proxy


Bug reported by Dwij Mehta was disclosed at April 29, 2026, 7:15 am   |  


Logo
Medium
resolved

CVE-2026-5545: wrong reuse of HTTP Negotiate connection


Bug reported by quaccws was disclosed at April 29, 2026, 7:15 am   |   Authentication Bypass by Primary Weakness


Logo
Low
resolved

CVE-2026-6276: stale custom cookie host causes cookie leak


Bug reported by areksa was disclosed at April 29, 2026, 7:14 am   |   Exposure of Data Element to Wrong Session


Logo
Medium
resolved

CVE-2026-6429: netrc credential leak with reused proxy connection


Bug reported by pesudonmy was disclosed at April 29, 2026, 7:14 am   |   Information Exposure Through Sent Data


Logo
Low
resolved

CVE-2026-4873: connection reuse ignores TLS requirement


Bug reported by Arkadi Vainbrand was disclosed at April 29, 2026, 6:47 am   |   Cleartext Transmission of Sensitive Information

A vulnerability was discovered in libcurl's connection reuse for cleartext-upgrade mail protocols. The vulnerability was that the later transfer's CURLOPT_USE_SSL option was not properly included if a plaintext connection was already open and reusable. This affected the smtp://, pop3://, and imap:// protocols. The vulnerability could allow a later TLS-required mail transfer to be sent over a previously established plaintext connection, contrary to expectation.


Logo
Low
resolved

CVE-2026-5773: wrong reuse of SMB connection


Bug reported by Osama Hamad was disclosed at April 29, 2026, 6:11 am   |  

A vulnerability was discovered in curl version 8.19.0 and earlier versions that support SMB. The vulnerability was due to the incorrect reuse of SMB connections across different shares on the same server. This led to data spoofing and access control bypass. The issue was caused by the lack of verification of the target share name when reusing an existing connection. As a result, the application could silently fetch data from an unintended share.


Logo
Medium
resolved

PS4 BD-J privilege escalation using nested JAR


Bug reported by was disclosed at April 29, 2026, 5:09 am   |   Privilege Escalation

A PS4 vulnerability was discovered in the Blu-ray Disc Java (BD-J) privilege escalation using nested JAR files. The vulnerability was found in the PS4 system software versions 13.00 to the latest version 13.02. The vulnerability was caused by a discrepancy between the security policy's path canonicalization and the actual class loading path. The security policy granted AllPermission to code that appeared to be loaded from a trusted directory, while the actual code was loaded from an untrusted nested JAR on the Blu-ray disc. This resulted in a Time-of-Check/Time-of-Use (TOCTOU) vulnerability that allowed untrusted code to obtain AllPermission.


]]>
Logo
Medium
resolved

CVE-2026-7168: cross-proxy Digest auth state leak


Bug reported by kilua was disclosed at April 29, 2026, 7:15 am   |   Exposure of Data Element to Wrong Session


Logo
Medium
resolved

CVE-2026-7009: OCSP stapling bypass with Apple SecTrust


Bug reported by Carlos Carrillo Boj was disclosed at April 29, 2026, 7:15 am   |   Improper Certificate Validation


Logo
Medium
resolved

CVE-2026-6253: proxy credentials leak over redirect-to proxy


Bug reported by Dwij Mehta was disclosed at April 29, 2026, 7:15 am   |  


Logo
Medium
resolved

CVE-2026-5545: wrong reuse of HTTP Negotiate connection


Bug reported by quaccws was disclosed at April 29, 2026, 7:15 am   |   Authentication Bypass by Primary Weakness


Logo
Low
resolved

CVE-2026-6276: stale custom cookie host causes cookie leak


Bug reported by areksa was disclosed at April 29, 2026, 7:14 am   |   Exposure of Data Element to Wrong Session


Logo
Medium
resolved

CVE-2026-6429: netrc credential leak with reused proxy connection


Bug reported by pesudonmy was disclosed at April 29, 2026, 7:14 am   |   Information Exposure Through Sent Data


Logo
Low
resolved

CVE-2026-4873: connection reuse ignores TLS requirement


Bug reported by Arkadi Vainbrand was disclosed at April 29, 2026, 6:47 am   |   Cleartext Transmission of Sensitive Information

A vulnerability was discovered in libcurl's connection reuse for cleartext-upgrade mail protocols. The vulnerability was that the later transfer's CURLOPT_USE_SSL option was not properly included if a plaintext connection was already open and reusable. This affected the smtp://, pop3://, and imap:// protocols. The vulnerability could allow a later TLS-required mail transfer to be sent over a previously established plaintext connection, contrary to expectation.


Logo
Low
resolved

CVE-2026-5773: wrong reuse of SMB connection


Bug reported by Osama Hamad was disclosed at April 29, 2026, 6:11 am   |  

A vulnerability was discovered in curl version 8.19.0 and earlier versions that support SMB. The vulnerability was due to the incorrect reuse of SMB connections across different shares on the same server. This led to data spoofing and access control bypass. The issue was caused by the lack of verification of the target share name when reusing an existing connection. As a result, the application could silently fetch data from an unintended share.


Logo
Medium
resolved

PS4 BD-J privilege escalation using nested JAR


Bug reported by was disclosed at April 29, 2026, 5:09 am   |   Privilege Escalation

A PS4 vulnerability was discovered in the Blu-ray Disc Java (BD-J) privilege escalation using nested JAR files. The vulnerability was found in the PS4 system software versions 13.00 to the latest version 13.02. The vulnerability was caused by a discrepancy between the security policy's path canonicalization and the actual class loading path. The security policy granted AllPermission to code that appeared to be loaded from a trusted directory, while the actual code was loaded from an untrusted nested JAR on the Blu-ray disc. This resulted in a Time-of-Check/Time-of-Use (TOCTOU) vulnerability that allowed untrusted code to obtain AllPermission.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-28]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-28 Wed, 29 Apr 2026 07:00:03 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-28
Logo
Low
resolved

CVE-2026-4873: connection reuse ignores TLS requirement


Bug reported by Arkadi Vainbrand was disclosed at April 29, 2026, 6:47 am   |   Cleartext Transmission of Sensitive Information

A vulnerability was discovered in libcurl's connection reuse for cleartext-upgrade mail protocols. The vulnerability was that the later transfer's CURLOPT_USE_SSL option was not properly included if a plaintext connection was already open and reusable. This affected the smtp://, pop3://, and imap:// protocols. The vulnerability could allow a later TLS-required mail transfer to be sent over a previously established plaintext connection, contrary to expectation.


Logo
Low
resolved

CVE-2026-5773: wrong reuse of SMB connection


Bug reported by Osama Hamad was disclosed at April 29, 2026, 6:11 am   |  

A vulnerability was discovered in curl version 8.19.0 and earlier versions that support SMB. The vulnerability was due to the incorrect reuse of SMB connections across different shares on the same server. This led to data spoofing and access control bypass. The issue was caused by the lack of verification of the target share name when reusing an existing connection. As a result, the application could silently fetch data from an unintended share.


Logo
Medium
resolved

PS4 BD-J privilege escalation using nested JAR


Bug reported by was disclosed at April 29, 2026, 5:09 am   |   Privilege Escalation

A PS4 vulnerability was discovered in the Blu-ray Disc Java (BD-J) privilege escalation using nested JAR files. The vulnerability was found in the PS4 system software versions 13.00 to the latest version 13.02. The vulnerability was caused by a discrepancy between the security policy's path canonicalization and the actual class loading path. The security policy granted AllPermission to code that appeared to be loaded from a trusted directory, while the actual code was loaded from an untrusted nested JAR on the Blu-ray disc. This resulted in a Time-of-Check/Time-of-Use (TOCTOU) vulnerability that allowed untrusted code to obtain AllPermission.


]]>
Logo
Low
resolved

CVE-2026-4873: connection reuse ignores TLS requirement


Bug reported by Arkadi Vainbrand was disclosed at April 29, 2026, 6:47 am   |   Cleartext Transmission of Sensitive Information

A vulnerability was discovered in libcurl's connection reuse for cleartext-upgrade mail protocols. The vulnerability was that the later transfer's CURLOPT_USE_SSL option was not properly included if a plaintext connection was already open and reusable. This affected the smtp://, pop3://, and imap:// protocols. The vulnerability could allow a later TLS-required mail transfer to be sent over a previously established plaintext connection, contrary to expectation.


Logo
Low
resolved

CVE-2026-5773: wrong reuse of SMB connection


Bug reported by Osama Hamad was disclosed at April 29, 2026, 6:11 am   |  

A vulnerability was discovered in curl version 8.19.0 and earlier versions that support SMB. The vulnerability was due to the incorrect reuse of SMB connections across different shares on the same server. This led to data spoofing and access control bypass. The issue was caused by the lack of verification of the target share name when reusing an existing connection. As a result, the application could silently fetch data from an unintended share.


Logo
Medium
resolved

PS4 BD-J privilege escalation using nested JAR


Bug reported by was disclosed at April 29, 2026, 5:09 am   |   Privilege Escalation

A PS4 vulnerability was discovered in the Blu-ray Disc Java (BD-J) privilege escalation using nested JAR files. The vulnerability was found in the PS4 system software versions 13.00 to the latest version 13.02. The vulnerability was caused by a discrepancy between the security policy's path canonicalization and the actual class loading path. The security policy granted AllPermission to code that appeared to be loaded from a trusted directory, while the actual code was loaded from an untrusted nested JAR on the Blu-ray disc. This resulted in a Time-of-Check/Time-of-Use (TOCTOU) vulnerability that allowed untrusted code to obtain AllPermission.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-27]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-27 Tue, 28 Apr 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-27
Logo
High
resolved

IBM Aspera HTTP Gateway stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.


Bug reported by Jh0n was disclosed at April 27, 2026, 1:29 pm   |   Information Disclosure

The IBM Aspera HTTP Gateway stored sensitive information in clear text in easily obtainable files, which could be read by an unauthenticated user. The issue was submitted to IBM, analyzed, and remediated.


Logo
Low
resolved

Bypass of Restricted Keyword "Mozilla" in Display Name Field via Unicode Homoglyphs on addons.allizom.org


Bug reported by Aman Bhuiyan was disclosed at April 27, 2026, 9:43 am   |   Improper Input Validation

A restricted keyword bypass vulnerability was discovered on the Firefox Add-ons platform that allowed an attacker to register a display name visually identical to "Mozilla" by using a Unicode homoglyph character. This circumvented the intended restriction and could have been used to impersonate official accounts.


Logo
Low
resolved

Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net


Bug reported by Aaqib Hussain was disclosed at April 27, 2026, 4:00 am   |   Improper Access Control - Generic

A vulnerability was discovered in the messaging system of Pixiv.net. The vulnerability allowed any user to bypass the inbox privacy settings and send messages to another user who had disabled their inbox. The vulnerability was triggered by manipulating the id parameter in the message-sending POST request. Additionally, the lack of rate limiting or duplicate request validation allowed attackers to spam users by repeatedly sending the same or modified requests.


Logo
High
resolved

Non-premium user can disable Ads in japanese version of dic.pixiv.net


Bug reported by Luis G. Moret Hernandez was disclosed at April 27, 2026, 3:58 am   |   Business Logic Errors

A vulnerability was identified in the Japanese version of the pixiv dictionary website where non-premium users could disable advertisements. Normally, the ability to disable ads was restricted to premium users only. However, due to improper access control, any authenticated user could modify their ad display preferences without verification of premium status.


]]>
Logo
High
resolved

IBM Aspera HTTP Gateway stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.


Bug reported by Jh0n was disclosed at April 27, 2026, 1:29 pm   |   Information Disclosure

The IBM Aspera HTTP Gateway stored sensitive information in clear text in easily obtainable files, which could be read by an unauthenticated user. The issue was submitted to IBM, analyzed, and remediated.


Logo
Low
resolved

Bypass of Restricted Keyword "Mozilla" in Display Name Field via Unicode Homoglyphs on addons.allizom.org


Bug reported by Aman Bhuiyan was disclosed at April 27, 2026, 9:43 am   |   Improper Input Validation

A restricted keyword bypass vulnerability was discovered on the Firefox Add-ons platform that allowed an attacker to register a display name visually identical to "Mozilla" by using a Unicode homoglyph character. This circumvented the intended restriction and could have been used to impersonate official accounts.


Logo
Low
resolved

Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net


Bug reported by Aaqib Hussain was disclosed at April 27, 2026, 4:00 am   |   Improper Access Control - Generic

A vulnerability was discovered in the messaging system of Pixiv.net. The vulnerability allowed any user to bypass the inbox privacy settings and send messages to another user who had disabled their inbox. The vulnerability was triggered by manipulating the id parameter in the message-sending POST request. Additionally, the lack of rate limiting or duplicate request validation allowed attackers to spam users by repeatedly sending the same or modified requests.


Logo
High
resolved

Non-premium user can disable Ads in japanese version of dic.pixiv.net


Bug reported by Luis G. Moret Hernandez was disclosed at April 27, 2026, 3:58 am   |   Business Logic Errors

A vulnerability was identified in the Japanese version of the pixiv dictionary website where non-premium users could disable advertisements. Normally, the ability to disable ads was restricted to premium users only. However, due to improper access control, any authenticated user could modify their ad display preferences without verification of premium status.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-26]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-26 Mon, 27 Apr 2026 07:00:03 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-26
Logo
Low
resolved

Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net


Bug reported by Aaqib Hussain was disclosed at April 27, 2026, 4:00 am   |   Improper Access Control - Generic

A vulnerability was discovered in the messaging system of Pixiv.net. The vulnerability allowed any user to bypass the inbox privacy settings and send messages to another user who had disabled their inbox. The vulnerability was triggered by manipulating the id parameter in the message-sending POST request. Additionally, the lack of rate limiting or duplicate request validation allowed attackers to spam users by repeatedly sending the same or modified requests.


Logo
High
resolved

Non-premium user can disable Ads in japanese version of dic.pixiv.net


Bug reported by Luis G. Moret Hernandez was disclosed at April 27, 2026, 3:58 am   |   Business Logic Errors

A vulnerability was identified in the Japanese version of the pixiv dictionary website where non-premium users could disable advertisements. Normally, the ability to disable ads was restricted to premium users only. However, due to improper access control, any authenticated user could modify their ad display preferences without verification of premium status.


]]>
Logo
Low
resolved

Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net


Bug reported by Aaqib Hussain was disclosed at April 27, 2026, 4:00 am   |   Improper Access Control - Generic

A vulnerability was discovered in the messaging system of Pixiv.net. The vulnerability allowed any user to bypass the inbox privacy settings and send messages to another user who had disabled their inbox. The vulnerability was triggered by manipulating the id parameter in the message-sending POST request. Additionally, the lack of rate limiting or duplicate request validation allowed attackers to spam users by repeatedly sending the same or modified requests.


Logo
High
resolved

Non-premium user can disable Ads in japanese version of dic.pixiv.net


Bug reported by Luis G. Moret Hernandez was disclosed at April 27, 2026, 3:58 am   |   Business Logic Errors

A vulnerability was identified in the Japanese version of the pixiv dictionary website where non-premium users could disable advertisements. Normally, the ability to disable ads was restricted to premium users only. However, due to improper access control, any authenticated user could modify their ad display preferences without verification of premium status.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-23]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-23 Fri, 24 Apr 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-23
Logo
High
resolved

Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS


Bug reported by mbarbs was disclosed at April 23, 2026, 10:21 pm   |  

A flaw was discovered in the Node.js TLS error handling that left SNICallback invocations unprotected against synchronous exceptions. This represented an incomplete fix of the prior CVE-2026-21637 vulnerability, where the equivalent ALPN and PSK callbacks were already addressed. The issue could lead to a Remote Denial of Service when an SNICallback threw synchronously on unexpected input, causing the exception to bypass TLS error handlers and propagate as an uncaught exception, crashing the Node.js process.


Logo
Medium
resolved

RBAC bypass on App log endpoints via `permissionRequired` typo — any authenticated user reads admin-only Enterprise App logs


Bug reported by Arccode was disclosed at April 23, 2026, 9:45 am   |   Improper Access Control - Generic


]]>
Logo
High
resolved

Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS


Bug reported by mbarbs was disclosed at April 23, 2026, 10:21 pm   |  

A flaw was discovered in the Node.js TLS error handling that left SNICallback invocations unprotected against synchronous exceptions. This represented an incomplete fix of the prior CVE-2026-21637 vulnerability, where the equivalent ALPN and PSK callbacks were already addressed. The issue could lead to a Remote Denial of Service when an SNICallback threw synchronously on unexpected input, causing the exception to bypass TLS error handlers and propagate as an uncaught exception, crashing the Node.js process.


Logo
Medium
resolved

RBAC bypass on App log endpoints via `permissionRequired` typo — any authenticated user reads admin-only Enterprise App logs


Bug reported by Arccode was disclosed at April 23, 2026, 9:45 am   |   Improper Access Control - Generic


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-22]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-22 Thu, 23 Apr 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-22
Logo
Critical
resolved

Complete authentication bypass to admin permissions


Bug reported by Nicholas Carlini was disclosed at April 22, 2026, 9:01 am   |   SQL Injection


]]>
Logo
Critical
resolved

Complete authentication bypass to admin permissions


Bug reported by Nicholas Carlini was disclosed at April 22, 2026, 9:01 am   |   SQL Injection


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-20]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-20 Tue, 21 Apr 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-20
Logo
Medium
resolved

SVG filter primitives bypass remote image blocking, enabling email tracking without consent.


Bug reported by _NULL was disclosed at April 20, 2026, 12:57 pm   |   Privacy Violation

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail application. The sanitizer did not properly handle the `` SVG filter primitive, allowing external resources to be loaded even when the "Block remote images" setting was enabled. This vulnerability could be used to track email opens and obtain the recipient's IP address without the user's consent.


Logo
Medium
resolved

position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.


Bug reported by _NULL was disclosed at April 20, 2026, 12:04 pm   |   Resource Injection

A vulnerability was discovered in the CSS sanitization process of the Roundcube webmail application. The sanitizer failed to properly handle the "position: fixed !important" CSS declaration, allowing an attacker to bypass the mitigation for fixed-position overlays. This could enable the creation of full-viewport phishing overlays.


Logo
Medium
resolved

Unquoted body background attribute enables CSS injection that bypasses remote image blocking


Bug reported by _NULL was disclosed at April 20, 2026, 12:03 pm   |   Resource Injection

A vulnerability was discovered in Roundcube's HTML sanitizer that enabled CSS injection when the `allow_remote` option was set to `false`. The sanitizer failed to quote the value of the `background` attribute from the email's `` element, allowing a crafted `data:` URI to terminate the `url()` function and inject arbitrary CSS properties. This bypass allowed external resources to be loaded even when remote image blocking was enabled.


Logo
Medium
resolved

SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent


Bug reported by _NULL was disclosed at April 20, 2026, 12:03 pm   |   Remote File Inclusion

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail client. The vulnerability allowed attackers to bypass the "Block remote images" security feature by using SMIL animation attributes to load arbitrary external resources without validation. This could have enabled email tracking without the user's consent.


]]>
Logo
Medium
resolved

SVG filter primitives bypass remote image blocking, enabling email tracking without consent.


Bug reported by _NULL was disclosed at April 20, 2026, 12:57 pm   |   Privacy Violation

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail application. The sanitizer did not properly handle the `` SVG filter primitive, allowing external resources to be loaded even when the "Block remote images" setting was enabled. This vulnerability could be used to track email opens and obtain the recipient's IP address without the user's consent.


Logo
Medium
resolved

position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.


Bug reported by _NULL was disclosed at April 20, 2026, 12:04 pm   |   Resource Injection

A vulnerability was discovered in the CSS sanitization process of the Roundcube webmail application. The sanitizer failed to properly handle the "position: fixed !important" CSS declaration, allowing an attacker to bypass the mitigation for fixed-position overlays. This could enable the creation of full-viewport phishing overlays.


Logo
Medium
resolved

Unquoted body background attribute enables CSS injection that bypasses remote image blocking


Bug reported by _NULL was disclosed at April 20, 2026, 12:03 pm   |   Resource Injection

A vulnerability was discovered in Roundcube's HTML sanitizer that enabled CSS injection when the `allow_remote` option was set to `false`. The sanitizer failed to quote the value of the `background` attribute from the email's `` element, allowing a crafted `data:` URI to terminate the `url()` function and inject arbitrary CSS properties. This bypass allowed external resources to be loaded even when remote image blocking was enabled.


Logo
Medium
resolved

SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent


Bug reported by _NULL was disclosed at April 20, 2026, 12:03 pm   |   Remote File Inclusion

A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail client. The vulnerability allowed attackers to bypass the "Block remote images" security feature by using SMIL animation attributes to load arbitrary external resources without validation. This could have enabled email tracking without the user's consent.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-19]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-19 Mon, 20 Apr 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-19
Logo
Medium
resolved

Stored XSS in attachment-display exploitable through SameSite


Bug reported by Aikido Security was disclosed at April 19, 2026, 9:14 am   |   Cross-site Scripting (XSS) - Stored

A stored XSS vulnerability was discovered in the attachment-display feature of Roundcube. By uploading an HTML file and opening it through the display-attachment endpoint, the embedded script could execute under the Roundcube origin. The issue was caused by the lack of a restrictive Content Security Policy in the attachment display flow, unlike the general attachment viewer.


]]>
Logo
Medium
resolved

Stored XSS in attachment-display exploitable through SameSite


Bug reported by Aikido Security was disclosed at April 19, 2026, 9:14 am   |   Cross-site Scripting (XSS) - Stored

A stored XSS vulnerability was discovered in the attachment-display feature of Roundcube. By uploading an HTML file and opening it through the display-attachment endpoint, the embedded script could execute under the Roundcube origin. The issue was caused by the lack of a restrictive Content Security Policy in the attachment display flow, unlike the general attachment viewer.


]]> <![CDATA[HackerOne Disclosed Reports - 2026-04-18]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-18 Sun, 19 Apr 2026 07:00:04 +0000 hashXploiter]]> https://darkcoders.wiki/Thread-HackerOne-Disclosed-Reports-2026-04-18
Logo
Low
resolved

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split j‌avascript: URLs


Bug reported by smlee was disclosed at April 18, 2026, 3:27 pm   |  

A vulnerability was discovered in the `Rails::HTML::Sanitizer.allowed_uri?` method of the `rails-html-sanitizer` library. The method incorrectly returned `true` for entity-encoded control-character-split `j‌avascript:` URLs, which could lead to potential security issues if the application relied on the method's result to make security decisions.


]]>
Logo
Low
resolved

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split j‌avascript: URLs


Bug reported by smlee was disclosed at April 18, 2026, 3:27 pm   |  

A vulnerability was discovered in the `Rails::HTML::Sanitizer.allowed_uri?` method of the `rails-html-sanitizer` library. The method incorrectly returned `true` for entity-encoded control-character-split `j‌avascript:` URLs, which could lead to potential security issues if the application relied on the method's result to make security decisions.


]]>