A self-custody wallet provider's NFT metadata endpoint made server-side requests to attacker-controlled URLs without scheme, host, or redirect restrictions.
Feb 21, 2026

Self-ordering endpoint leaked access tokens. Chained with partner lookup to extract emails, phones, and addresses.
Feb 21, 2026

A DeFi trading platform shipped a privileged blockchain RPC gateway key inside its public JavaScript bundle, exposing debug traces, pending transactions, and a transaction relay method to anyone.
Feb 21, 2026

A Web3 quests platform's tRPC API exposed user-scoped procedures with no authentication and no object-level checks, letting anyone pull thousands of records of activity history per user by iterating user IDs.
Feb 21, 2026

A self-custody wallet provider's user service exposed unauthenticated device CRUD endpoints, allowing attackers to delete a victim's notification devices and replace them with their own.
Feb 21, 2026

A P2P trading platform's webhook URL validation followed user-supplied URLs without restrictions, leaking origin egress IP, internal tracing headers, and producing a status-code oracle.
Feb 21, 2026