A client-controlled reset URL on a cinema chain's loyalty platform was escalated by injecting an invisible image tag into the email template, leaking the real reset token the moment the victim opened the email.
Mar 17, 2026

A leftover developer backdoor in a bundled session replay SDK let one link permanently redirect screen recordings to an attacker server, with masking disabled.
Mar 17, 2026

Non-atomic refund API allowed gift card balance multiplication. Reproduced 4/4 on production.
Mar 16, 2026

A forgotten plaintext example config in a beauty retailer's public cloud storage container exposed production OAuth credentials and a static CAPTCHA bypass header, granting full anonymous API access across three country sites.
Mar 16, 2026

A missing role check on an electric scooter rental app's fleet management endpoints let any rider read every active rental, vehicle, and zone configuration across all operating markets, enabling real-time tracking of any user.
Mar 10, 2026

Two compounding flaws in a national postal carrier's transit warranty workflow let any anonymous internet user create real cases in the production support system against any tracking number, with no account or authentication required.
Mar 8, 2026

Unvalidated deep link parameter loaded attacker page with full transaction signing bridge access.
Mar 5, 2026

API key in APK granted access to police check verification. Full name, DOB, address, criminal history downloadable.
Mar 5, 2026

An exchange Android app validated its custom-scheme deep link against a domain allowlist but skipped that check on the intent URI path, letting any attacker page load in the WebView and read the auth token through the unrestricted JS bridge.
Mar 5, 2026

Unauthenticated database function returned invoices from other organizations including payment links.
Mar 5, 2026