[high] One-tap link to full account takeover

In-App Phishing via Deep-Link SDK Lands Account Takeover on an Events Marketplace

A leaked deep-link key plus an open in-app WebView let an attacker render a fake confirmation page inside the genuine app, trigger a real verification email, and capture the code for full account takeover.

May 12, 2026
Android, iOS, Deep Links
[high] 316 cross-tenant invoices from one fresh account

Cross-Partner Invoice Read Exposes Years of Financial Records on an Events Marketplace

A self-service signup form plus a broken-authorization invoice API leaked 316 invoice PDFs across 9 unrelated business partners in 6 countries, with records going back to 2017.

May 12, 2026
Web API, IDOR, Authorization
[critical] Real paid orders on ~70% of probed partners

Unauthenticated Privilege Escalation Mints Paid Orders on Partner Books

An unauthenticated B2B signup endpoint on a live-experiences marketplace let any unauthenticated caller become a manager inside any partner organisation and create real paid orders that were billed to that partner.

May 11, 2026
Web API, Access Control, Privilege Escalation
[critical] Supply-chain hijack reaches checkout, kiosks, CI

Unclaimed npm Scope on Live Payment Bundle and Venue Kiosks

A leaked package manifest on an events marketplace exposed an unclaimed internal scope and wildcard package names reachable from live payment-card collection code, physical venue kiosks, and the build pipeline.

May 8, 2026
Supply Chain, Web, Dependency Confusion
[critical] ~22,000 clonable live-event tickets exportable without authentication

Unauthenticated Staging Assistant Leaks 3M Production Ticket Barcodes

An internal analytics assistant API on a staging host was missing authentication while holding production data, exposing 3.3M ticket records and signed download URLs for live future events.

May 8, 2026
Web API, Auth Bypass, Data Exposure
[critical] Full-database identity leak via one PATCH request

Investor Account IDOR Leaks Any User's Identity Record on a Wealth Platform

An authorization check was missing on one sub-path of a wealth platform's investor account API, letting any logged-in user read another user's full identity record and corrupt the victim's display name.

May 8, 2026
Web, IDOR, PII
[critical] 132 clients' PII exposed

Auth Bypass + IDOR on a Financial Advice Platform Exposes 132 Clients' PII to Any Free Account

A financial advice and superannuation platform's policy disabled customer self-registration, but the backend issued a Client-role session anyway. Two data endpoints with no authorization check then exposed 615 fact-find records and full client profiles to that session.

May 5, 2026
Web, Authentication, PII Exposure
[high] Cross-tenant API credential theft

Cross-Tenant Credential Disclosure: Iterable IDs Link Another Customer's API Secrets to Your Account

A chatbot integration accepted another tenant's authorization-object ID with no ownership check. Posting three small numbers exposed cleartext-equivalent Authorization headers for another customer's basic, bearer, and OAuth credentials.

May 1, 2026
Web, IDOR, Multi-Tenant
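The three IDOR cards above (cross-partner invoices, the investor account sub-path, the chatbot authorization-object IDs) share one root cause: the handler authenticates the caller and then looks the object up by ID alone. The following is an added illustration, not code from any of the advisories or the affected platforms; the schema, row values and partner/user IDs are constructed for the demo, and the hardened query folds ownership into the lookup so there is no separate check to forget.

```python
import sqlite3

# Constructed demo schema: invoices belong to a partner, users are members of partners.
SCHEMA = """
CREATE TABLE invoice (
    id INTEGER PRIMARY KEY,
    partner_id INTEGER NOT NULL,
    total_cents INTEGER NOT NULL
);
CREATE TABLE partner_member (
    user_id INTEGER NOT NULL,
    partner_id INTEGER NOT NULL,
    PRIMARY KEY (user_id, partner_id)
);
"""

# Constructed sample rows: four invoices across three partners, one user per partner.
SAMPLE_ROWS = [
    ("INSERT INTO invoice VALUES (?, ?, ?)",
     [(1001, 1, 50000), (1002, 2, 120000), (1003, 2, 99), (1004, 3, 7500)]),
    ("INSERT INTO partner_member VALUES (?, ?)",
     [(7, 1), (8, 2), (9, 3)]),
]


def open_demo_db():
    """In-memory SQLite database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        db.executemany(sql, rows)
    return db


def get_invoice_idor(db, session_user_id, invoice_id):
    """Vulnerable shape: the caller is authenticated (session_user_id exists),
    but the lookup never uses it, so any ID in the sequence is readable."""
    return db.execute(
        "SELECT id, partner_id, total_cents FROM invoice WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice_scoped(db, session_user_id, invoice_id):
    """Hardened shape: the row must belong to a partner the session user is a
    member of. Ownership is part of the query itself. 'Not found' and 'not
    yours' both return None, so the endpoint is not an existence oracle."""
    return db.execute(
        """SELECT i.id, i.partner_id, i.total_cents
           FROM invoice i
           JOIN partner_member m ON m.partner_id = i.partner_id
           WHERE i.id = ? AND m.user_id = ?""",
        (invoice_id, session_user_id),
    ).fetchone()


def walk_id_space(db, session_user_id, id_range, fetch):
    """What a single fresh account gets back by iterating sequential IDs."""
    return [r for r in (fetch(db, session_user_id, i) for i in id_range) if r is not None]


def partners_exposed(rows):
    """Distinct partner IDs present in the rows a caller could read."""
    return {r[1] for r in rows}
```

The same pattern applies to the "authorization-object ID" case: the object the client names must be joined to the tenant the session proves, never trusted on its own.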
[critical] Cloud metadata reachable

Authenticated SSRF Reaches Cloud Metadata Service via DNS Rebinding, Full Response Disclosed

An enterprise SaaS chatbot integration accepted attacker-supplied destination URLs and echoed the upstream response back. DNS rebinding bypassed the IP allow-list and reached the cloud metadata service.

Apr 29, 2026
Web, SSRF, Cloud
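The DNS-rebinding bypass in the card above works because the allow-list check resolves the hostname once, and the HTTP client resolves it again when it connects; a rebinding nameserver answers a public address the first time and the metadata address the second. The block below is an added example, not code from the advisory or the affected product. The scripted resolver, hostnames and addresses are constructed for the demo; it contrasts the check-then-reconnect shape with one that resolves once, validates every answer, and pins the connection to the validated address.

```python
import ipaddress
from urllib.parse import urlsplit


class ScriptedResolver:
    """Constructed stand-in for DNS. Returns the next scripted answer on each
    call and repeats the last one, like a rebinding server with a zero TTL."""

    def __init__(self, *answers_per_call):
        self._script = list(answers_per_call)

    def __call__(self, hostname):
        if len(self._script) > 1:
            return self._script.pop(0)
        return self._script[0]


def is_public_address(text):
    """True only for globally routable addresses. IPv4-mapped IPv6 is unwrapped
    so ::ffff:169.254.169.254 cannot slip past an IPv4-only check."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def resolve_check_then_fetch(url, resolver):
    """Vulnerable shape: validates one lookup, then the HTTP client performs its
    own lookup for the connect. Returns the address actually connected to."""
    host = urlsplit(url).hostname
    checked = resolver(host)
    if not all(is_public_address(a) for a in checked):
        raise ValueError("destination blocked by allow-list")
    connect_to = resolver(host)[0]  # second lookup, made by the client library
    return connect_to


def resolve_pinned(url, resolver):
    """Hardened shape: one lookup, every answer validated, and the caller gets
    the single address to connect to plus the Host header to send. The client
    must connect to that address (not the name) and must not follow redirects,
    since a redirect would restart the whole problem."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    host = parts.hostname
    if host is None:
        raise ValueError("no host in URL")
    answers = resolver(host)
    if not answers or not all(is_public_address(a) for a in answers):
        raise ValueError("destination resolves to a non-public address")
    return answers[0], host


def is_rejected(url, resolver):
    """Convenience wrapper: did the hardened path refuse this destination?"""
    try:
        resolve_pinned(url, resolver)
        return False
    except ValueError:
        return True
```

Pinning the address is only half of it: the response must not be echoed back to the caller, and the client library must be one that accepts a pre-resolved address rather than re-resolving the name.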
[critical] Cross-tenant secret disclosure

Cross-Tenant Decryption on Shared Master Key: Any Tenant Reads Any Other Tenant's Secrets

An enterprise SaaS platform exposed encrypt and decrypt API endpoints to every authenticated tenant with no role guard and a single global key, letting any customer decrypt any other customer's stored secrets byte-for-byte.

Apr 29, 2026
Web, Cryptography, Multi-Tenant
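The card above describes two compounding defects: the decrypt endpoint has no role guard, and every tenant's secrets sit under one global key, so nothing cryptographic stops tenant B from opening tenant A's blob. The block below is an added example, not the platform's code. It derives per-tenant keys from one master key with HKDF (RFC 5869) and binds decryption to the tenant identity the session proves; the master key value, tenant names and the HMAC-based stream cipher with encrypt-then-MAC are constructed stand-ins for the demo (a production service would use an AEAD such as AES-GCM with the same key-derivation discipline).

```python
import hashlib
import hmac
import os


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF-Extract then HKDF-Expand as specified in RFC 5869, SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tenant_keys(master, tenant_id):
    """Separate encryption and MAC keys per tenant, derived from the one master
    key the service holds. Tenant B can never reconstruct tenant A's keys."""
    label = tenant_id.encode()
    enc = hkdf_sha256(master, b"secrets-v1", b"enc:" + label)
    mac = hkdf_sha256(master, b"secrets-v1", b"mac:" + label)
    return enc, mac


def _keystream(key, nonce, n):
    """Constructed stand-in for a real cipher: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(master, tenant_id, plaintext):
    """Encrypt-then-MAC under the tenant's derived keys. Blob = nonce|ct|tag."""
    enc, mac = tenant_keys(master, tenant_id)
    nonce = os.urandom(16)  # fresh per message; reuse would leak keystream
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_for_session(master, session_tenant_id, blob):
    """Hardened decrypt endpoint: the tenant identity comes from the session,
    never from the request body. Returns None when the tag does not verify,
    which is what a blob sealed for another tenant produces."""
    enc, mac = tenant_keys(master, session_tenant_id)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


# The shape the card describes: one platform-wide key and no caller check.
SHARED_KEY_LABEL = "shared"


def seal_shared(master, plaintext):
    return seal(master, SHARED_KEY_LABEL, plaintext)


def decrypt_any_tenant(master, caller_tenant_id, blob):
    """Vulnerable: caller_tenant_id is ignored, so any authenticated tenant
    decrypts any other tenant's blob byte-for-byte."""
    return open_for_session(master, SHARED_KEY_LABEL, blob)
```

Key derivation is the cryptographic backstop; the role guard on the endpoint is still required, and a caller-supplied tenant ID in the request must never override the session's.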