GitHub Program Statistics



42 total issues disclosed

$39,117 total paid publicly

Most disclosed (12 disclosures) — Improper Access Control - Generic



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| Cross-repository IDOR in `/settings/security_analysis/bypass_reviewers` allows unauthorized delegated bypass reviewer modification | Insecure Direct Object Reference (IDOR) | ahacker1 | Medium | 2026-05-19 |
| Add labels to arbitrary issues/prs & compromise github actions label checks | Insecure Direct Object Reference (IDOR) | ahacker1 | Medium | 2026-03-19 |
| PATs without the required scope can leak issues | Improper Access Control - Generic | s3rdz0 | Medium | 2026-03-19 |
| Missing Access Control in MigrationFile allows attacker to upload files to any Migration | Insecure Direct Object Reference (IDOR) | ahacker1 | High | 2026-03-05 |
| Arbitrary Read of Another Users private repository without Authorization | Insecure Direct Object Reference (IDOR) | furbreeze | High | 2025-09-23 |
| Sample report: Denial of service | LLM06: Sensitive Information Disclosure | ghbountyocto | None | 2025-08-07 |
| Information Leakage via Clicked Link in GitHub Repository (Fingerprinting) | Information Disclosure | pinguluk | Medium | 2024-10-17 |
| SAML Signature verification bypass allows logging into any user (with specific conditions) | Improper Access Control - Generic | ahacker1 | Critical | 2024-10-10 |
| Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in ghe-update-check | Command Injection - Generic | inspector-ambitious | High | 2024-09-17 |
| RC Between GitHub's Repo Update REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention | Misconfiguration | inspector-ambitious | Medium | 2024-09-17 |
| Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in collectd | Command Injection - Generic | inspector-ambitious | High | 2024-09-17 |
| Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in actions-console | Command Injection - Generic | inspector-ambitious | High | 2024-09-17 |
| Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection and audit-forward | Command Injection - Generic | inspector-ambitious | High | 2024-09-13 |
| Privilege Escalation to Root SSH Access via Pre-Receive Hook Environment in GitHub Enterprise Server | None supplied | inspector-ambitious | High | 2024-09-13 |
| Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection | Command Injection - Generic | inspector-ambitious | High | 2024-09-13 |
| Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in syslog-ng | Command Injection - Generic | inspector-ambitious | High | 2024-09-13 |
| Source Code and data exfiltration via Github Copilot | Code Injection | astrounder | Low | 2024-08-19 |
| Access body and title of Internal Repo Issues in Projects | Information Disclosure | ahacker1 | Medium | 2024-07-31 |
| GitHub Apps can access suspended installations via scoped user-to-server tokens | Improper Access Control - Generic | ahacker1 | Medium | 2024-07-31 |
| View private repository NWO of deploy key via internal LFS API | Improper Access Control - Generic | ahacker1 | Medium | 2024-07-23 |
| Self XSS in Tag name pattern field /<username>/<reponame>/settings/tag_protection/new | Cross-site Scripting (XSS) - Generic | sudi | Medium | 2024-04-15 |
| Bypassing Collaborator Restrictions: Retaining Admin Access Post-Repository Transfer | Improper Access Control - Generic | inspector-ambitious | Medium | 2024-03-15 |
| Persistent Unauthorized Administrative Access on All Organization Repositories via RC in User Conversion to Organization | Improper Authentication - Generic | inspector-ambitious | Medium | 2024-03-15 |
| Invite tokens have Insufficient entropy in GHES Management Console | Use of Insufficiently Random Values | imrerad | Medium | 2024-01-12 |
| RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention | Misconfiguration | inspector-ambitious | Medium | 2024-01-12 |
| View Repo and Title of Any Private Check Run | Insecure Direct Object Reference (IDOR) | ahacker1 | Medium | 2024-01-08 |
| GHES Management console EoP (editor to site admin) | Improper Access Control - Generic | imrerad | High | 2024-01-08 |
| [PATs] Ability to leak comments from issues without ANY "Issues" repo permissions by utilizing "Pull Request" permissions | Improper Access Control - Generic | archangel | Medium | 2024-01-03 |
| [PATs] Token with Read-Only permissions on Issues able to modify issue comments using content write permission | Improper Access Control - Generic | archangel | Medium | 2024-01-03 |
| Rogue collaborators and ambiguous branch names in GitHub | Business Logic Errors | inspector-ambitious | No rating | 2023-12-05 |
| Git Reference Ambiguity in GitHub - Commit Smuggling, Account Takeover, and Remote Code Execution | Resource Injection | inspector-ambitious | Medium | 2023-11-29 |
| Smuggling content in PR with refs/replace in GitHub | Resource Injection | inspector-ambitious | Medium | 2023-08-01 |
| Authentication bypass on gist.github.com through SSH Certificates | Improper Access Control - Generic | ammar2 | High | 2023-04-20 |
| Improper handling of null bytes in GitHub Actions Runner allows an attacker to set arbitrary environment variables | Resource Injection | ryotak | Medium | 2023-03-09 |
| Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api | Improper Access Control - Generic | ahacker1 | High | 2023-01-26 |
| Github app Privilege Escalation to Administrator/Owner of the Organization | Improper Access Control - Generic | vaib25vicky | High | 2023-01-13 |
| Managing Pages | Improper Access Control - Generic | ali_shehab | Medium | 2022-12-22 |
| DoS via markdown API from unauthenticated user | Uncontrolled Resource Consumption | legit-security | Medium | 2022-12-13 |
| [Git Gud] GitHub.com Svnbridge memcached deserialization vulnerability chain leading to Remote Code Execution | Deserialization of Untrusted Data | ajxchapman | Medium | 2022-11-16 |
| Command injection in GitHub Actions ContainerStepHost | Resource Injection | jupenur | None | 2022-11-03 |
| Delimiter injection in GitHub Actions core.exportVariable | Misconfiguration | jupenur | Medium | 2022-08-18 |
| CSRF protection bypass in GitHub Enterprise management console | Cross-Site Request Forgery (CSRF) | bitquark | High | 2022-04-13 |