critical · Anonymous cross-tenant ATO

Writable Tenant Attribute on Public Sign-Up Lets Anyone Pivot Into Any Customer's Account

A public sign-up flow let an anonymous attacker set the tenant ID attribute on their own new account. The backend trusted that claim, granting full directory access to any customer's tenant from a single self-registered account.

Apr 29, 2026
Web · Authentication · Multi-Tenant
high · Permanent team destruction

Cross-Tenant Team Takeover: Guest Admin Evicts the Owner and Destroys the Team

An enterprise SaaS platform let a team admin invited from a different customer remove the team's original creator and permanently delete the team. The owner's senior administrator role provided no override.

Apr 29, 2026
Web · Privilege Escalation · Multi-Tenant
critical · Mass subscriber lookup

Missing Auth on Chatbot Subscription Endpoint Enables Mass Phone-to-SIM Lookup of National Carrier Subscribers

A national mobile carrier's chatbot backend exposed unauthenticated subscriber lookup endpoints, enabling bidirectional resolution between phone numbers and SIM card identifiers, plus account history, plan status, payment status, and roaming status for the entire customer base.

Apr 25, 2026
Web · Authentication · PII Exposure
critical · Live transaction harvesting

Unauth IDOR Leaks Live Prepaid Mobile Plan Purchase Records

A national mobile carrier's prepaid backend issued globally shared sequential purchase keys with no session binding, letting an unauthenticated attacker poll the live transaction database and harvest thousands of customer purchase records per day.

Apr 25, 2026
Web · IDOR · PII Exposure
high · Admin endpoints public

Unauthenticated Operator API Exposes OTP Dispatcher, Data Exports, and Admin Login

A national mobile carrier's customer-facing host exposed an internal operator backend whose security filter chain failed to cover the OTP SMS dispatcher, six data export controllers, and three administrator login endpoints, all reachable unauthenticated from the internet.

Apr 25, 2026
Web · Authentication · Data Exposure
critical · Substring allowlist bypass

Authentication Bypass in In-App Browser Domain Validator, One-Tap Session-Token Theft and Full Account Takeover

A retail trading broker's Android app validated in-app browser URLs with a substring check, letting any URL that contained the brand domain pass. One tap on a feed link injected the user's session tokens into the attacker's origin and enabled full account takeover.

Apr 24, 2026
Android · WebView · Token Theft
critical · SSO session hijack

Deep-Link ATO in Smart-Home Companion App, Identity Provider Session Hijack on Connected Web Properties

An exported activity in a robot vacuum companion app deserialized an attacker-supplied destination, loaded an attacker URL inside a privileged WebView, and leaked an identity-provider auth code that hijacked the victim's session on connected web properties.

Apr 22, 2026
Android · Deep Links · Account Takeover
critical · One-tap session JWT theft

Deep Link URL Injection Loads Attacker Page in Bridge WebView, Full Account Takeover

A single-tap deep link on a regulated digital-asset exchange's Android app loaded an attacker page inside a privileged JS bridge, exfiltrating the live session JWT and authenticating to the full trading API.

Apr 18, 2026
Android · Deep Links · JS Bridge
high · In-app credential capture

Carrier App AutoVerify + WebView Deep Link Credential Phishing

A national mobile carrier's Android app combined a hardcoded deep link service key, an autoVerify domain handoff, and a custom-scheme WebView with no host check, enabling in-app credential phishing under the carrier's own verified domain.

Apr 17, 2026
Android · Deep Links · Phishing
high · One-tap permit drain

Exchange App DApp Browser Deep Link to One-Tap Permit Drain

A missing host check on a centralized crypto exchange's Android DApp deep link, combined with a stale on-device safety whitelist, enabled a one-tap unlimited ERC-20 permit signature capture and wallet drain.

Apr 17, 2026
Android · Deep Links · Wallet