high Forged green checks on contract code

CI Supply Chain: Unverified Installer Pipe and Mutable Action Tag Enable Test Result Forgery

A Layer 1 blockchain naming service used a curl-pipe-to-python installer and a tag-pinned checkout action in its smart contract test workflow, enabling CI runner code execution and forged test results on contract changes.
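A linter for the two weaknesses this entry names, as an added example (not the project's workflow or tooling): a `uses:` reference pinned to a mutable tag instead of a 40-hex commit SHA, and an installer piped from `curl`/`wget` straight into an interpreter. The workflow text is constructed, and the 40-hex value in it is a placeholder, not a real release commit.

```python
"""Lint a GitHub Actions workflow for mutable action refs and pipe-to-interpreter
installs. Added example; SAMPLE_WORKFLOW is constructed and the SHA is a placeholder."""
import re

SAMPLE_WORKFLOW = """\
name: contract-tests
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install toolchain
        run: curl -sSL https://example.invalid/install.py | python3
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: pytest tests/
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# curl/wget output piped (possibly via sudo) into a shell or interpreter
PIPE_RE = re.compile(
    r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(python[0-9.]*|sh|bash|zsh|node|perl)\b")


def lint_workflow(text):
    """Return (line_no, rule, detail) for each finding, in file order."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # local (./path) and docker:// references carry no tag to pin
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            if "@" not in ref:
                findings.append((no, "unpinned-action", ref))
            elif not SHA_RE.match(ref.split("@", 1)[1]):
                findings.append((no, "mutable-action-ref", ref))
            continue
        # checked on every non-uses line so `run: |` block scalars are covered too
        if PIPE_RE.search(line):
            findings.append((no, "pipe-to-interpreter", line.strip()))
    return findings


if __name__ == "__main__":
    for no, rule, detail in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {rule}: {detail}")
```

The fix for both findings is mechanical: pin `uses:` to the full commit SHA (keeping the tag in a trailing comment for readability), and download the installer to a file, verify it against a recorded SHA-256 with `sha256sum -c`, and only then execute it. A tag can be moved to any commit by whoever controls the action repository; a SHA cannot.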

Feb 21, 2026
Supply Chain, Smart Contract, Misconfiguration
high Internal admin endpoints public

Feature Toggle Service Exposes Internal Admin Endpoints to the Public Internet

A DeFi aggregator's portal exposed its feature toggle service's internal admin endpoints with no authentication, leaking 116 flags, the production token inventory, privileged staff IDs, and the compliance country list, with leaked IDs usable to unlock hidden features and flip payment routing.

Feb 21, 2026
Web, Misconfiguration, Data Exposure
high Compliance bypass via spoofed header

Forwarded Header Trust Bypasses Country and Restricted-Asset Compliance Checks

A cryptocurrency exchange decided sanctioned-country and country-specific asset restrictions based on a client-supplied forwarding header, allowing any unauthenticated visitor to flip the compliance decision with a single request header.
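The client-address logic behind this entry, as an added example (not the exchange's code). The vulnerable variant takes the leftmost `X-Forwarded-For` hop, which is whatever the client typed; the hardened variant only honours the header when the TCP peer is a known proxy, and walks the chain from the right so the first hop a trusted proxy did not add is taken as the client. The proxy ranges, geo table and restricted country set are constructed.

```python
"""Client IP selection for a geo/compliance decision: spoofable vs. hardened.
Added example; TRUSTED_PROXIES, GEO and RESTRICTED are constructed."""
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("203.0.113.0/24")]   # constructed edge ranges
GEO = {"198.51.100.7": "RC", "192.0.2.9": "OK"}              # constructed IP -> country
RESTRICTED = {"RC"}                                          # constructed restricted code


class BadForwardedHeader(ValueError):
    pass


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_vulnerable(peer_ip, xff):
    """Trusts the first hop, which the client controls end to end."""
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(peer_ip, xff, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when it was set by a proxy we run, and
    take the rightmost hop that is not one of our proxies."""
    if not _is_trusted(peer_ip, trusted):
        return peer_ip          # direct connection: the header is attacker input
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            raise BadForwardedHeader(hop)   # tampered chain: fail closed
        if not _is_trusted(hop, trusted):
            return hop
    return peer_ip              # every hop was one of ours; fall back to the peer


def is_allowed(client_ip):
    """Compliance decision; unknown geo fails closed."""
    country = GEO.get(client_ip)
    return country is not None and country not in RESTRICTED


if __name__ == "__main__":
    # A restricted-country client sends its own header; the edge proxy appends it.
    peer, header = "203.0.113.5", "192.0.2.9, 198.51.100.7"
    print("vulnerable:", client_ip_vulnerable(peer, header), is_allowed(client_ip_vulnerable(peer, header)))
    print("hardened:  ", client_ip_hardened(peer, header), is_allowed(client_ip_hardened(peer, header)))
```

The trusted-proxy list has to be the real set of egress addresses of your own edge; if a CDN sits in front, its published ranges go there and the proxy must be configured to append, never to pass through, the client's header.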

Feb 21, 2026
Web, Business Logic, Authentication
high Live exchange creds in public code

Production API Credentials Hardcoded in Public Sample Code

A crypto exchange shipped working production API credentials inside a public sample script, granting read access to the private account and the ability to place trades.

Feb 21, 2026
Web, Hardcoded Secrets, Authentication
high Unauth SSRF with redirect bypass

Unauthenticated Server Request Forgery via NFT Metadata

A self-custody wallet provider's NFT metadata endpoint made server-side requests to attacker-controlled URLs without scheme, host, or redirect restrictions.

Feb 21, 2026
Web, SSRF, Wallet
high PII extraction

Pre-Auth POS Token Disclosure and Partner IDOR Exposes Customer PII

A point-of-sale self-ordering endpoint leaked access tokens before authentication; chained with a partner lookup IDOR, the tokens let an attacker extract customer emails, phone numbers, and addresses.

Feb 21, 2026
Web, IDOR, PII Exposure
high Privileged RPC access from public JS

Hardcoded RPC Gateway Key in Public JavaScript Bundle Exposes Debug Traces and Pending Transactions

A DeFi trading platform shipped a privileged blockchain RPC gateway key inside its public JavaScript bundle, exposing debug traces, pending transactions, and a transaction relay method to anyone.
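A scanner for the failure behind this entry and the earlier one on production credentials in a public sample script, as an added example (not either vendor's tooling). It flags quoted assignment values and URL path segments that look like keys, using Shannon entropy so that low-entropy placeholders such as `changeme` are not reported; the bundle text it runs over is constructed.

```python
"""Find high-entropy credentials in a shipped bundle or sample script.
Added example; SAMPLE_BUNDLE is constructed."""
import math
import re

SAMPLE_BUNDLE = """\
const API_BASE = "https://api.example.invalid";
const apiKey = "a7f3c9e1b2d4f6a8c0e2b4d6f8a0c2e4";
const apiSecret = "changeme_changeme_changeme";
const rpc = fetch(`${RPC_HOST}/v1/9f1e2d3c4b5a69788796a5b4c3d2e1f0`);
"""

# name = "value" / name: 'value' with a key-shaped value of 20+ chars
ASSIGN_RE = re.compile(r"""(\w+)\s*[:=]\s*["']([A-Za-z0-9_\-]{20,})["']""")
# a 32+ char alphanumeric path segment, the usual shape of an RPC gateway key in a URL
PATH_KEY_RE = re.compile(r"(?<=/)([A-Za-z0-9]{32,})(?=[/`\"'?\s]|$)")
ENTROPY_THRESHOLD = 3.5   # bits per char; random hex sits near 4.0, placeholders near 2-3


def shannon_entropy(s):
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    """Never echo the full secret into a report or a log line."""
    return value[:4] + "..." + value[-2:]


def find_secrets(text):
    """Return (line_no, name, masked_value) for each high-entropy candidate."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, value in ASSIGN_RE.findall(line):
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((no, name, mask(value)))
        for value in PATH_KEY_RE.findall(line):
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((no, "<url-path>", mask(value)))
    return findings


if __name__ == "__main__":
    for no, name, masked in find_secrets(SAMPLE_BUNDLE):
        print(f"line {no}: {name} = {masked}")
```

Run it over the built artefact, not only the source tree: bundlers inline environment variables at build time, so a key that never appears in the repository can still land in the JavaScript served to every visitor. Anything it finds in a public artefact should be treated as compromised and rotated, since the scanner tells you it leaked, not who already copied it.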

Feb 21, 2026
Web, Hardcoded Secrets, Data Exposure
high Bulk cross-user data scraping

Unauthenticated BOLA in tRPC API Allows Bulk Cross-User Receipt Extraction

A Web3 quests platform's tRPC API exposed user-scoped procedures with no authentication and no object-level checks, letting anyone pull thousands of records of activity history per user by iterating user IDs.

Feb 21, 2026
Web, IDOR, Access Control
high Push notification hijack

Unauthenticated User Service Enables Push Notification Takeover

A self-custody wallet provider's user service exposed unauthenticated device CRUD endpoints, allowing attackers to delete a victim's notification devices and replace them with their own.
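The authorization pattern missing from this entry, the tRPC receipt extraction above it, and the partner lookup IDOR earlier on the page, as an added example (not any of the vendors' code). The `*_vulnerable` handlers take the target identity from the request with no session check, which is exactly what lets an attacker iterate user IDs or delete and replace a victim's devices; the hardened handlers derive the principal from the session and refuse anything that principal does not own. All records and session tokens are constructed.

```python
"""Object-level authorization for user-scoped reads and device records.
Added example; SESSIONS, RECEIPTS and DEVICES are constructed."""

SESSIONS = {"sess-u1": "u1", "sess-u2": "u2"}               # session token -> user id
RECEIPTS = {"u1": [{"id": "r1", "amount": 5}],
            "u2": [{"id": "r2", "amount": 9}]}
DEVICES = {"d1": {"owner": "u1", "push_token": "tok-u1"}}   # device id -> record


class Unauthenticated(Exception):   # maps to HTTP 401
    pass


class Forbidden(Exception):         # maps to HTTP 403 (or 404, to avoid enumeration)
    pass


# --- vulnerable shape: identity comes from the request body -----------------
def list_receipts_vulnerable(user_id):
    return RECEIPTS.get(user_id, [])


def delete_device_vulnerable(device_id):
    return DEVICES.pop(device_id, None) is not None


def register_device_vulnerable(device_id, user_id, push_token):
    DEVICES[device_id] = {"owner": user_id, "push_token": push_token}


def scrape_all_receipts():
    """What an attacker does against the vulnerable shape: iterate ids."""
    return {uid: list_receipts_vulnerable(uid) for uid in ("u1", "u2", "u3")}


# --- hardened shape: identity comes from the session, ownership is checked ---
def principal(session_token):
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        raise Unauthenticated()
    return user_id


def list_receipts(session_token, user_id):
    me = principal(session_token)
    if user_id != me:
        raise Forbidden()
    return RECEIPTS.get(me, [])


def delete_device(session_token, device_id):
    me = principal(session_token)
    record = DEVICES.get(device_id)
    if record is None or record["owner"] != me:
        raise Forbidden()       # same answer for "missing" and "not yours"
    del DEVICES[device_id]
    return True


def register_device(session_token, device_id, push_token):
    me = principal(session_token)
    existing = DEVICES.get(device_id)
    if existing is not None and existing["owner"] != me:
        raise Forbidden()       # cannot overwrite someone else's device
    DEVICES[device_id] = {"owner": me, "push_token": push_token}
    return DEVICES[device_id]


if __name__ == "__main__":
    print("bulk scrape against vulnerable shape:", scrape_all_receipts())
    delete_device_vulnerable("d1")
    register_device_vulnerable("d1", "u1", "tok-attacker")
    print("victim's device after takeover:", DEVICES["d1"])
```

The check belongs in the handler (or a middleware every user-scoped procedure must pass through), not in the client: a `userId` field in the request is a hint about what the caller wants, never evidence of who they are. Making every owner-scoped query filter on the session's user ID, rather than comparing afterwards, removes the class of bug where one procedure forgets the comparison.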

Feb 21, 2026
Web, BOLA, Access Control
high Internal network mapping

Webhook Validator Becomes Blind Server Request Forgery Oracle

A P2P trading platform's webhook URL validation followed user-supplied URLs without restrictions, leaking the origin's egress IP and internal tracing headers and turning the response status into an oracle for mapping internal hosts.
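A URL policy that covers both this entry and the NFT metadata SSRF above, as an added example (not either vendor's code). It allows only http(s), rejects hosts whose addresses fall in private, loopback, link-local or other non-public space (including IPv4-mapped IPv6 literals), connects to the address that was validated rather than re-resolving, and follows redirects by hand so every hop is re-checked. DNS and HTTP are injected callables and the lookup tables are constructed so the example runs offline; the "public" addresses in them are ordinary unicast stand-ins because Python's `ipaddress` treats the RFC 5737 documentation ranges as private.

```python
"""Outbound URL policy for server-side fetches with redirect re-validation.
Added example; DNS and RESPONSES are constructed stand-ins for the network."""
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class UnsafeURL(ValueError):
    pass


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                      # ::ffff:10.0.0.1 is still 10.0.0.1
    return ip.is_global and not (ip.is_private or ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, resolve):
    """Return (host, addresses) or raise UnsafeURL. resolve(host) -> list of IP strings."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme " + parts.scheme)
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise UnsafeURL("missing host or userinfo present")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: nothing to resolve
    except ValueError:
        addrs = list(resolve(host))
    if not addrs:
        raise UnsafeURL("unresolvable " + host)
    for a in addrs:                 # every record must be public, not just the first
        if not is_public(a):
            raise UnsafeURL(f"{host} -> {a}")
    return host, addrs


def fetch_with_policy(url, resolve, http_get):
    """http_get(url, ip) -> (status, headers, body). It is handed the validated IP
    so the HTTP client cannot re-resolve the name (DNS rebinding)."""
    hops = 0
    current = url
    while True:
        host, addrs = validate_url(current, resolve)
        status, headers, body = http_get(current, addrs[0])
        if status not in REDIRECT_STATUSES:
            return status, body
        hops += 1
        if hops > MAX_REDIRECTS:
            raise UnsafeURL("too many redirects")
        location = headers.get("location")
        if not location:
            raise UnsafeURL("redirect without Location")
        current = urljoin(current, location)     # validated again on the next pass


# Constructed tables standing in for DNS and the network.
DNS = {
    "cdn.example.invalid": ["11.22.33.44"],
    "internal.example.invalid": ["10.0.0.5"],
    "rebind.example.invalid": ["11.22.33.45", "127.0.0.1"],
}
RESPONSES = {
    "https://cdn.example.invalid/meta/1.json": (200, {}, '{"name": "token #1"}'),
    "https://cdn.example.invalid/meta/2.json":
        (302, {"location": "http://169.254.169.254/latest/meta-data/"}, ""),
}


def fake_resolve(host):
    return DNS.get(host, [])


def fake_http_get(url, ip):
    return RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    print(fetch_with_policy("https://cdn.example.invalid/meta/1.json", fake_resolve, fake_http_get))
    try:
        fetch_with_policy("https://cdn.example.invalid/meta/2.json", fake_resolve, fake_http_get)
    except UnsafeURL as e:
        print("blocked:", e)
```

For a webhook registration endpoint the policy is necessary but not sufficient: if the service still performs a pre-flight request and reports the upstream status back to the caller, it remains a blind oracle for any public host. Either skip the pre-flight entirely or return the same response regardless of what the target answered.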

Feb 21, 2026
Web, SSRF, Data Exposure