critical: One-click silent ATO across business customers

Wildcard Browser Message Leaks Login Code, Enables Permanent Account Takeover

A wildcard browser message target on a consumer review platform's login popup leaked the authorization code to any cross-origin page, allowing a one-click silent email rebind and permanent business account takeover.

May 19, 2026
Tags: Web, OAuth, Auth Bypass

critical: Guess a quote number, get the customer's file

Quote-Number Enumeration Oracle Yields Full Customer PII Across All Sibling Brands

An unauthenticated retrieve-quote endpoint accepted candidate quote numbers and returned full customer PII for valid ones, with no challenge and no rate limit, across five sibling insurance brands.

May 18, 2026
Tags: Web, Auth Bypass, Enumeration

critical: 26 home records, full card data, in 3 minutes

Mass Extraction of Home-Insurance Customer Records Including Card Data and Bank Details

An auth-bypass flag on a home-insurance retrieve endpoint exposed full customer dossiers including saved card data, mortgagee banks, and direct-debit bank details, with no authentication.

May 17, 2026
Tags: Web, Sensitive Data Exposure, Auth Bypass

critical: One phone number, full customer dossier

Phone Number Becomes Full Customer File at an Insurance Company

An insurer's message-centre endpoint converted any Australian mobile number into the matching customer's full identifiable record, with no authentication, across five sibling brands.

May 17, 2026
Tags: Web, PII Exposure, Enumeration

high: Permanent ATO via genuine reset email

Account Takeover of Any User via Password-Reset Email Injection

A persistent injection into a news site's password-reset email captured the victim's brand-new plaintext password and session cookies the moment they clicked a genuine reset link from the publication itself.

May 15, 2026
Tags: Web, Stored XSS, Account Takeover

critical: Worker private key leaked to read-only role

Managed Stream Connector Reads Worker TLS Private Key via Trust-Cert Path

A path field in a managed streaming connector reflected raw worker file contents back through status and logs, leaking the worker TLS private key to read-only project members.

May 15, 2026
Tags: Web API, LFI, Cloud

critical: Five-second paste unlocks every article

Hardcoded Signing Key in Android App Bypasses Paywall for Every Article

A signing key recovered offline from a news publication's Android app let any browser forge a subscriber session token, unlocking every paywalled article with no account and no payment.

May 14, 2026
Tags: Android, Hardcoded Credentials, Auth Bypass

critical: Claimable scope on production business bundle

Unclaimed Internal Package Scope on a Consumer Review Platform Dashboard

A consumer review platform's business dashboard imported from an unclaimed internal package scope on the public registry, leaving the door open to a supply-chain hijack of every business customer.

May 14, 2026
Tags: Supply Chain, Web, Dependency Confusion

critical: Tens of thousands of patient records, no login

Unauthenticated Bulk Extraction of Patient Records From a Research Data Portal

Two interactive data-explorer apps on a national clinical-outcomes registry skipped session validation, exposing tens of thousands of patient records with 149 clinical variables to any internet visitor.

May 13, 2026
Tags: Web, Auth Bypass, PHI

critical: 320 confidential reports read end-to-end

SVG Upload to Bug Bounty Platform Steals Company Manager Session Token

An SVG upload stored verbatim, served with no Content Security Policy, let a single link click capture a company manager's session token and unlock 320 confidential reports across two programs.

May 13, 2026
Tags: Web, Stored XSS, Account Takeover