high severity: Persistent first-party XSS

Presigned Upload Content-Type Bypass to Stored XSS on First-Party CDN

An attacker-controlled Content-Type field on a presigned upload mutation enabled stored XSS served from a creator/link-in-bio platform's first-party user-generated-content CDN with valid TLS.

Apr 17, 2026
Tags: Web, XSS, GraphQL
high severity: Stranger's gift card in 18s

GraphQL Gift Card PIN Enumeration with No Rate Limiting

A missing rate limit on a GraphQL gift card redemption mutation, combined with sequential PIN issuance, enabled enumeration and instant theft of other customers' gift cards on a fashion e-commerce platform.

Apr 16, 2026
Tags: GraphQL, Business Logic
critical severity: TLS private key recoverable

Hardcoded AES Key + Firebase Config Leak Production TLS Private Key

A hardcoded AES key in a geolocation compliance app, combined with an unauthenticated Firebase Remote Config endpoint, exposed the production RSA private key for the SDK's TLS server.

Apr 14, 2026
Tags: Android, Hardcoded Secrets, Cryptography
critical severity: Permanent API access

Silent API Key Exfiltration via Exposed Deep Link and WebView Bridge in Android Wallet

One tap on a crafted link silently leaked the wallet app's backend API signing key via an unfiltered WebView bridge, giving persistent authenticated access to wallet data across 14 chains.

Apr 10, 2026
Tags: Android, Deep Links, JS Bridge
critical severity: One-tap session theft

Exported Home Activity Cookie Injection to Session Token Theft

An exported Android launcher activity, an attacker-controlled deep link extra, and an unguarded cookie write enabled one-tap session token theft on a major US department store retailer's app.

Apr 9, 2026
Tags: Android, Deep Links, Token Theft
high severity: In-app phishing chain

Carrier App Open Redirect + Exposed Deep Link Key Enables In-App Phishing

A hardcoded deep link service key, an unvalidated WebView article handler, and an unauthenticated open redirect on a national mobile carrier's own domain combined to render attacker-controlled login pages inside the official app's chrome with no URL bar.

Apr 9, 2026
Tags: Android, Deep Links, Phishing
critical severity: Zero-click session theft

Stored XSS via SVG Upload on Bug Bounty Platform, Zero-Click Session Theft

A server that accepted SVG uploads via its API despite its own UI rejecting them allowed a JavaScript-bearing SVG to be embedded in any report description and silently exfiltrate session data from every viewer, including triage and program managers.

Apr 7, 2026
Tags: Web, XSS, Token Theft
high severity: Permanent fund loss

uint64 Overflow in Cross-Chain Bridge Silently Destroys Solana Withdrawals

An unsafe downcast silently truncated withdrawal amounts: any user withdrawing more than ~18 tokens would permanently lose most of their funds, with no revert and no recovery path.

Apr 3, 2026
Tags: Smart Contract, Solidity, DeFi
critical severity: Cloud credential theft

File Upload SSRF Exfiltrates Live AWS Credentials from Retail SaaS Production

A digital file upload endpoint fetched any attacker-supplied URL server-side and stored the response, which allowed live AWS temporary credentials to be pulled from production EC2.

Apr 1, 2026
Tags: Web, SSRF, Cloud
critical severity: Mass account lockout

Hardcoded API Key in Smart Home App, Account Creation, S3 Takeover, and Mass Lockout

A hardcoded API key inside a smart home camera platform's Android app unlocked unauthenticated account creation, full read-write-delete access to a production storage bucket, mass account lockout, and password-reset email triggering against the entire customer base.

Mar 31, 2026
Tags: Android, Hardcoded Secrets, Cloud