[high] One unauthenticated request to full admin takeover

Unauthenticated Stored XSS to Admin Takeover via a Page-Builder Module

An unauthenticated write to a content management system's visual page-design plugin planted a stored cross-site scripting payload that ran as a logged-in administrator, escalating to backoffice takeover and server-side code execution.

Jun 1, 2026
Tags: Web, Stored XSS, CMS
[critical] No login needed, full database control

Leaked Token to Super-Admin Takeover and Production Database Injection

A secret access key left inside a public website chained into unauthenticated super-admin control of the content system and arbitrary SQL injection on the production database.

May 24, 2026
Tags: Web, Auth Bypass, SQL Injection
[critical] Entire subscriber base exposed from one login

Account-Summary IDOR Leaks Every Subscriber's Details

A missing ownership check let any single login at a mobile carrier read the name, phone number, plan and billing details of every subscriber by changing one number in the request.

May 24, 2026
Tags: Mobile + API, IDOR, PII
[critical] Zero-knowledge to super-admin in two minutes

Unauthenticated CMS Super-Admin Takeover via Private-Field Oracle

A public content API leaked an administrator's private password-reset token one character at a time, enabling a full unauthenticated takeover of a headless CMS that escalated to production SQL injection.

May 23, 2026
Tags: Web, Auth Bypass, SQL Injection
[high] Free accounts minted permanent paid-tier perks

Any Account Mints Permanent Premium Reward Perks for Free

A business-logic flaw let any free account mint permanent, signed reward perk URLs for a paid membership tier, with a self-chosen far-future expiry that survived account deletion and had no rate limit.

May 23, 2026
Tags: Mobile, Business Logic, Broken Access Control
[critical] Public share link = full chat history takeover

One Public Share Link Unlocks Full Takeover of Any User's AI Chat History

A public share link on a major news site's AI chat product leaked the owner's internal user id, which then unlocked unauthenticated read, planting, and deletion of every conversation that user ever had, including chats that were never shared.

May 22, 2026
Tags: Web, Auth Bypass, IDOR
[critical] Any tenant decrypts any other tenant's secrets

Cross-Tenant KMS Decryption Oracle Recovers Any Customer's Production Secrets

An enterprise identity service exposed encrypt and decrypt endpoints to every tenant under one shared master key with no context binding, letting any customer recover any other customer's live API credentials.

May 20, 2026
Tags: Web API, Cross-Tenant, KMS
[high] Cross-session write into any customer's quote

Anonymous Visitor Can Silently Modify Any Customer's Insurance Quote

An insurer's quote-store endpoint accepted writes against any customer's identifier with no ownership check, letting any anonymous visitor silently poison any in-flight quote across five sibling brands.

May 20, 2026
Tags: Web, IDOR, Auth Bypass
[high] Cross-tenant read + write on shared corpus

GraphQL Auth Bypass on Observability Platform Allows Cross-Tenant Read and Write

Three GraphQL resolvers on a feature-flag and observability platform were missing authentication, exposing 15,915 cross-tenant records and accepting persistent writes from any unauthenticated caller.

May 20, 2026
Tags: GraphQL, Auth Bypass, Multi-Tenant
[critical] Anonymous SQLi on hundreds of production tables

Unauthenticated SQL Injection Reads Every Customer Across All Sibling Insurance Brands

A retrieve-quote API was vulnerable to error-based SQL injection on the insurer's production database, exposing hundreds of tables across all sibling brands to unauthenticated reads.

May 19, 2026
Tags: Web, SQL Injection, Auth Bypass