Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. Discover which vulnerabilities are most commonly found on which programs to help aid you in your hunt.
8067 total disclosed
$5,844,177 total publicly paid out
Recently Disclosed
- $1000 HTML Injection in Swing can disclose netNTLM hash or cause DoS
- No bounty Ability to add arbitrary images/descriptions/titles to ohter people's issues via IDOR on getrevue.co
- No bounty [█████████] Reflected Cross-Site Scripting Vulnerability
- No bounty CVE-2019-11248 on alertmanager.ev-cloud-platform.engelvoelkers.com
- $50 Web cache poisoning at www.acronis.com
- $1000 Blind XSS on image upload
- $50 Subdomain Takeover – jet.acronis.com pointing to unclaimed Webflow services
- $2500 Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID
- $2000 SQL Injection in www.hyperpure.com
- No bounty Broken Link on Ping Identity's Vulnerability Submission Form on Hackerone
- No bounty CCC H1 June 2021 CTF Writeup
- $100 100K CTF's Writeup
- $2000 Unrestricted File Upload Results in Cross-Site Scripting Attacks
- $7700 Read-only application can publish/delete fleets
- $3000 Config override using non-validated query parameter allows at least reflected XSS by injecting configuration into state
- No bounty Remote Code Execution through "Files_antivirus" plugin
- $100 Session fixation on public talk links
- No bounty F5 BIG-IP Cookie potentially reveal BigIP pool name, backend's IP address and port, routed domain.
- $100 account impersonate through broken link
- $4500 Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system.
- $3000 XSS in request approvals
- No bounty XMLRPC, Enabling XPSA and Bruteforce and DOS + A file disclosing installer-logs.
- $750 private passenger information is exposed to the Uber Driver app during ride dispatch ("Ping") events
- $3000 Ability To Delete User(s) Account Without User Interaction
- No bounty XXE on www.publish.engelvoelkers.com
- $50 Subdomain Takeover – www.jet.acronis.com pointing to unclaimed Webflow services
- $2123 Stored XSS via malicious key value of Synthetics monitor tag when visiting an Insights dashboard with filtering enabled
- $2500 Indexing of urls on the "External link warning" pages discloses many vulnerable endpoints from the past and unlisted videos/photos
- $2000 IDOR leads to leak analytics of any restaurant
- $100 HackerOne’s 100K CTF Writeup
- $1000 [VK Android] Access to app protected components leads to arbitrary code execution
- $100 ccc ctf
- $3500 Blind SQL injection on [city-mobil.ru/taxiserv/] in filter{"id_locality"}
- No bounty Default Admin Username and Password on █████ Server at █████████mil
- $50 rXSS on https://mackeeperapp.mackeeper.com/landings/download-blue/
- $50 xmlrpc.php is publicly available at https://stories.showmax.com/xmlrpc.php
- $5600 Kroki Arbitrary File Read/Write
- No bounty Information disclosure via Spring Boot Actuators on gonext-stage.engelvoelkers.com
- $1000 [com.icq.mobile.client] Любое стороннее приложение может угнать сессию, а также другие файлы приложения
- $1500 Server Side Request Forgery
- No bounty Session Hijacking leads to full control of account by attacker
- $1500 Path traversal lead to LFR via [CVE-2019-3394]
- No bounty Cross-Site Scripting through search form on mtnplay.co.zm
- No bounty [www.███] Reflected Cross-Site Scripting
- $11689 View Only to Root Privilege Escalation on UniFi Protect
- $3500 XSS at https://exchangemarketplace.com/blogsearch
- $15000 Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application
- $7500 Signedness issue in ClassInfo message handler leads to RCE on CS:GO client
- $3000 HackerOne Jira integration plugin Leaked JWT to unauthorized jira users
- $15000 RCE on build server via misconfigured pip install
Disclosed by vulnerability type
| Vulnerability Type | Statistics | Most Disclosed |
|---|---|---|
None suppliedClick here to view disclosed reports. |
169 reports 940 disclosed |
Mailru 55 disclosed |
Cross-site Scripting (XSS) - GenericClick here to view disclosed reports. |
119 reports 877 disclosed |
Mailru 71 disclosed |
Information DisclosureClick here to view disclosed reports. |
162 reports 843 disclosed |
Hackerone 97 disclosed |
Violation of Secure Design PrinciplesClick here to view disclosed reports. |
151 reports 656 disclosed |
Hackerone 78 disclosed |
Improper Authentication - GenericClick here to view disclosed reports. |
119 reports 564 disclosed |
Shopify 42 disclosed |
Cross-Site Request Forgery (CSRF)Click here to view disclosed reports. |
92 reports 352 disclosed |
Mailru 20 disclosed |
Cross-site Scripting (XSS) - StoredClick here to view disclosed reports. |
74 reports 324 disclosed |
Mailru 52 disclosed |
Denial of ServiceClick here to view disclosed reports. |
81 reports 302 disclosed |
Shopify-scripts 80 disclosed |
Privilege EscalationClick here to view disclosed reports. |
89 reports 284 disclosed |
Newrelic 28 disclosed |
Cross-site Scripting (XSS) - ReflectedClick here to view disclosed reports. |
69 reports 235 disclosed |
Mailru 53 disclosed |
Open RedirectClick here to view disclosed reports. |
91 reports 228 disclosed |
Shopify 17 disclosed |
Improper Access Control - GenericClick here to view disclosed reports. |
79 reports 217 disclosed |
Shopify 18 disclosed |
Code InjectionClick here to view disclosed reports. |
68 reports 180 disclosed |
Deptofdefense 18 disclosed |
SQL InjectionClick here to view disclosed reports. |
47 reports 174 disclosed |
Mailru 40 disclosed |
Command Injection - GenericClick here to view disclosed reports. |
62 reports 157 disclosed |
Nodejs-ecosystem 22 disclosed |
Memory Corruption - GenericClick here to view disclosed reports. |
41 reports 150 disclosed |
Shopify-scripts 45 disclosed |
Business Logic ErrorsClick here to view disclosed reports. |
62 reports 149 disclosed |
Legalrobot 12 disclosed |
Cryptographic Issues - GenericClick here to view disclosed reports. |
74 reports 148 disclosed |
Twitter 10 disclosed |
Insecure Direct Object Reference (IDOR)Click here to view disclosed reports. |
53 reports 140 disclosed |
Mailru 21 disclosed |
Server-Side Request Forgery (SSRF)Click here to view disclosed reports. |
53 reports 130 disclosed |
Gitlab 16 disclosed |
Cross-site Scripting (XSS) - DOMClick here to view disclosed reports. |
46 reports 100 disclosed |
Mailru 16 disclosed |
UI Redressing (Clickjacking)Click here to view disclosed reports. |
41 reports 97 disclosed |
Legalrobot 8 disclosed |
Path TraversalClick here to view disclosed reports. |
23 reports 95 disclosed |
Nodejs-ecosystem 45 disclosed |
Brute ForceClick here to view disclosed reports. |
21 reports 41 disclosed |
Mailru 14 disclosed |
Privacy ViolationClick here to view disclosed reports. |
22 reports 37 disclosed |
Nordvpn 6 disclosed |
HTTP Request SmugglingClick here to view disclosed reports. |
19 reports 28 disclosed |
Paypal 4 disclosed |
OS Command InjectionClick here to view disclosed reports. |
16 reports 27 disclosed |
Starbucks 4 disclosed |
XML External Entities (XXE)Click here to view disclosed reports. |
17 reports 25 disclosed |
Mailru 4 disclosed |
Heap OverflowClick here to view disclosed reports. |
12 reports 23 disclosed |
Ibb-perl 6 disclosed |
Out-of-bounds ReadClick here to view disclosed reports. |
6 reports 23 disclosed |
Nodejs-ecosystem 10 disclosed |
Buffer Over-readClick here to view disclosed reports. |
9 reports 23 disclosed |
Ibb-php 8 disclosed |
CRLF InjectionClick here to view disclosed reports. |
17 reports 22 disclosed |
Vkcom 2 disclosed |
Classic Buffer OverflowClick here to view disclosed reports. |
9 reports 22 disclosed |
Valve 12 disclosed |
Information Exposure Through an Error MessageClick here to view disclosed reports. |
17 reports 21 disclosed |
Gitlab 3 disclosed |
Improper AuthorizationClick here to view disclosed reports. |
9 reports 21 disclosed |
Razer 5 disclosed |
Cleartext Storage of Sensitive InformationClick here to view disclosed reports. |
15 reports 20 disclosed |
Deptofdefense 3 disclosed |
NULL Pointer DereferenceClick here to view disclosed reports. |
6 reports 19 disclosed |
Shopify-scripts 8 disclosed |
PhishingClick here to view disclosed reports. |
13 reports 18 disclosed |
Mailru 4 disclosed |
Use After FreeClick here to view disclosed reports. |
9 reports 15 disclosed |
Ibb-php 6 disclosed |
Man-in-the-MiddleClick here to view disclosed reports. |
10 reports 14 disclosed |
Portswigger 4 disclosed |
Insufficient Session ExpirationClick here to view disclosed reports. |
13 reports 14 disclosed |
Visma 2 disclosed |
Improper Input ValidationClick here to view disclosed reports. |
10 reports 14 disclosed |
Mailru 3 disclosed |
Information Exposure Through Debug InformationClick here to view disclosed reports. |
12 reports 13 disclosed |
Dropcontact 2 disclosed |
Deserialization of Untrusted DataClick here to view disclosed reports. |
10 reports 12 disclosed |
Deptofdefense 3 disclosed |
Stack OverflowClick here to view disclosed reports. |
8 reports 11 disclosed |
Valve 3 disclosed |
Cleartext Transmission of Sensitive InformationClick here to view disclosed reports. |
9 reports 10 disclosed |
Uber 2 disclosed |
Information Exposure Through Directory ListingClick here to view disclosed reports. |
5 reports 10 disclosed |
Nextcloud 3 disclosed |
Improper Certificate ValidationClick here to view disclosed reports. |
9 reports 10 disclosed |
Nextcloud 2 disclosed |
HTTP Response SplittingClick here to view disclosed reports. |
7 reports 9 disclosed |
Brave 2 disclosed |
Weak Password Recovery Mechanism for Forgotten PasswordClick here to view disclosed reports. |
7 reports 9 disclosed |
Wakatime 3 disclosed |
Insecure Storage of Sensitive InformationClick here to view disclosed reports. |
5 reports 9 disclosed |
Mailru 3 disclosed |
Modification of Assumed-Immutable Data (MAID)Click here to view disclosed reports. |
3 reports 9 disclosed |
Nodejs-ecosystem 7 disclosed |
Session FixationClick here to view disclosed reports. |
6 reports 8 disclosed |
Legalrobot 2 disclosed |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')Click here to view disclosed reports. |
7 reports 8 disclosed |
Hackerone 2 disclosed |
Weak Cryptography for PasswordsClick here to view disclosed reports. |
5 reports 7 disclosed |
Weblate 2 disclosed |
Resource InjectionClick here to view disclosed reports. |
7 reports 7 disclosed |
Owncloud 1 disclosed |
Use of Hard-coded CredentialsClick here to view disclosed reports. |
7 reports 7 disclosed |
Zomato 1 disclosed |
Client-Side Enforcement of Server-Side SecurityClick here to view disclosed reports. |
5 reports 7 disclosed |
Newrelic 3 disclosed |
Unrestricted Upload of File with Dangerous TypeClick here to view disclosed reports. |
5 reports 7 disclosed |
Visma 2 disclosed |
MisconfigurationClick here to view disclosed reports. |
6 reports 7 disclosed |
Line 2 disclosed |
Remote File InclusionClick here to view disclosed reports. |
6 reports 6 disclosed |
Ruby 1 disclosed |
Insufficiently Protected CredentialsClick here to view disclosed reports. |
6 reports 6 disclosed |
Mixmax 1 disclosed |
Array Index UnderflowClick here to view disclosed reports. |
5 reports 6 disclosed |
Valve 2 disclosed |
Password in Configuration FileClick here to view disclosed reports. |
5 reports 5 disclosed |
Torproject 1 disclosed |
Improper Null TerminationClick here to view disclosed reports. |
4 reports 5 disclosed |
Ibb-php 2 disclosed |
Externally Controlled Reference to a Resource in Another SphereClick here to view disclosed reports. |
3 reports 5 disclosed |
Mailru 3 disclosed |
Missing Authentication for Critical FunctionClick here to view disclosed reports. |
4 reports 5 disclosed |
Paypal 2 disclosed |
Forced BrowsingClick here to view disclosed reports. |
4 reports 4 disclosed |
Ubnt 1 disclosed |
Reliance on Cookies without Validation and Integrity Checking in a Security DecisionClick here to view disclosed reports. |
4 reports 4 disclosed |
Cuvva 1 disclosed |
Time-of-check Time-of-use (TOCTOU) Race ConditionClick here to view disclosed reports. |
4 reports 4 disclosed |
Shopify 1 disclosed |
Authentication Bypass Using an Alternate Path or ChannelClick here to view disclosed reports. |
4 reports 4 disclosed |
Gitlab 1 disclosed |
Double FreeClick here to view disclosed reports. |
3 reports 3 disclosed |
Shopify-scripts 1 disclosed |
Use of a Key Past its Expiration DateClick here to view disclosed reports. |
3 reports 3 disclosed |
Ubnt 1 disclosed |
Write-what-where ConditionClick here to view disclosed reports. |
3 reports 3 disclosed |
Shopify-scripts 1 disclosed |
Use of a Broken or Risky Cryptographic AlgorithmClick here to view disclosed reports. |
3 reports 3 disclosed |
Hackerone 1 disclosed |
Integer OverflowClick here to view disclosed reports. |
3 reports 3 disclosed |
Ibb-python 1 disclosed |
Integer UnderflowClick here to view disclosed reports. |
3 reports 3 disclosed |
Ibb-perl 1 disclosed |
Information Exposure Through Sent DataClick here to view disclosed reports. |
3 reports 3 disclosed |
Chaturbate 1 disclosed |
Buffer UnderflowClick here to view disclosed reports. |
2 reports 3 disclosed |
Ibb-php 2 disclosed |
Plaintext Storage of a PasswordClick here to view disclosed reports. |
3 reports 3 disclosed |
Midpoint_h1c 1 disclosed |
Reliance on Untrusted Inputs in a Security DecisionClick here to view disclosed reports. |
3 reports 3 disclosed |
Datastax 1 disclosed |
Incorrect AuthorizationClick here to view disclosed reports. |
3 reports 3 disclosed |
Stripo 1 disclosed |
File and Directory Information ExposureClick here to view disclosed reports. |
3 reports 3 disclosed |
Solana-bbp 1 disclosed |
Allocation of Resources Without Limits or ThrottlingClick here to view disclosed reports. |
2 reports 3 disclosed |
Solana-bbp 2 disclosed |
Missing Required Cryptographic StepClick here to view disclosed reports. |
2 reports 2 disclosed |
Phabricator 1 disclosed |
Inadequate Encryption StrengthClick here to view disclosed reports. |
2 reports 2 disclosed |
Weblate 1 disclosed |
Use of Inherently Dangerous FunctionClick here to view disclosed reports. |
2 reports 2 disclosed |
Brave 1 disclosed |
Type ConfusionClick here to view disclosed reports. |
2 reports 2 disclosed |
Coinbase 1 disclosed |
Improper Neutralization of HTTP Headers for Scripting SyntaxClick here to view disclosed reports. |
2 reports 2 disclosed |
Weblate 1 disclosed |
Execution with Unnecessary PrivilegesClick here to view disclosed reports. |
1 reports 2 disclosed |
Evernote 2 disclosed |
MalwareClick here to view disclosed reports. |
1 reports 2 disclosed |
Valve 2 disclosed |
Unverified Password ChangeClick here to view disclosed reports. |
2 reports 2 disclosed |
Khanacademy 1 disclosed |
Improper Check or Handling of Exceptional ConditionsClick here to view disclosed reports. |
1 reports 2 disclosed |
Innogames 2 disclosed |
Improper Privilege ManagementClick here to view disclosed reports. |
2 reports 2 disclosed |
Nextcloud 1 disclosed |
Missing AuthorizationClick here to view disclosed reports. |
2 reports 2 disclosed |
Visma 1 disclosed |
LDAP InjectionClick here to view disclosed reports. |
1 reports 2 disclosed |
Nodejs-ecosystem 2 disclosed |
User Interface (UI) Misrepresentation of Critical InformationClick here to view disclosed reports. |
2 reports 2 disclosed |
Mailru 1 disclosed |
Incorrect Calculation of Buffer SizeClick here to view disclosed reports. |
1 reports 1 disclosed |
Legalrobot 1 disclosed |
Reusing a Nonce, Key Pair in EncryptionClick here to view disclosed reports. |
1 reports 1 disclosed |
Internet 1 disclosed |
Missing Encryption of Sensitive DataClick here to view disclosed reports. |
1 reports 1 disclosed |
Cloudflare 1 disclosed |
Key Exchange without Entity AuthenticationClick here to view disclosed reports. |
1 reports 1 disclosed |
Semrush 1 disclosed |
Buffer Under-readClick here to view disclosed reports. |
1 reports 1 disclosed |
Ruby 1 disclosed |
Use of Externally-Controlled Format StringClick here to view disclosed reports. |
1 reports 1 disclosed |
Ubnt 1 disclosed |
Reliance on Reverse DNS Resolution for a Security-Critical ActionClick here to view disclosed reports. |
1 reports 1 disclosed |
Shipt 1 disclosed |
Improper Handling of Insufficient Permissions or PrivilegesClick here to view disclosed reports. |
1 reports 1 disclosed |
Razer 1 disclosed |
Use of Hard-coded Cryptographic KeyClick here to view disclosed reports. |
1 reports 1 disclosed |
Slack 1 disclosed |
Exposed Dangerous Method or FunctionClick here to view disclosed reports. |
1 reports 1 disclosed |
Stripo 1 disclosed |
Security Through ObscurityClick here to view disclosed reports. |
1 reports 1 disclosed |
Twitter 1 disclosed |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)Click here to view disclosed reports. |
1 reports 1 disclosed |
Hannob 1 disclosed |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)Click here to view disclosed reports. |
1 reports 1 disclosed |
Grammarly 1 disclosed |
Improper Handling of URL Encoding (Hex Encoding)Click here to view disclosed reports. |
1 reports 1 disclosed |
Razer 1 disclosed |
XML InjectionClick here to view disclosed reports. |
1 reports 1 disclosed |
Topcoder 1 disclosed |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)Click here to view disclosed reports. |
1 reports 1 disclosed |
Zomato 1 disclosed |
Use of Hard-coded PasswordClick here to view disclosed reports. |
1 reports 1 disclosed |
Deptofdefense 1 disclosed |
Improper Export of Android Application ComponentsClick here to view disclosed reports. |
1 reports 1 disclosed |
Tiktok 1 disclosed |
Download of Code Without Integrity CheckClick here to view disclosed reports. |
1 reports 1 disclosed |
Yelp 1 disclosed |