| Publicly accessible `█████████` endpoint exposing internal user identifiers and email addresses | Information Disclosure | xgoon | Medium | 2026-02-24 |
| CVE-█████-35813 in █████ | Relative Path Traversal | 0xr2r | Critical | 2026-02-24 |
| Sensitive information exposed at [███] via /export_panelists_to_xlsx endpoint | Cleartext Storage of Sensitive Information | prakhar0x01 | Medium | 2026-02-24 |
| ███████ - Publicly Accessible public_html Directory Exposing WordPress Configuration | Information Disclosure | xgoon | Medium | 2026-02-24 |
| SQLi At `███████` via `theme_name` | SQL Injection | 4ksh3ye | Critical | 2026-02-24 |
| SQLi at █████ parameter | SQL Injection | scriptsavvy | Critical | 2026-02-24 |
| No Rate Limiting on Password Attempts After Insecure Registration Flow cause ATO | Improper Restriction of Authentication Attempts | azar_man | Medium | 2026-02-24 |
| Unauthenticated Sensitive Information Disclosure on █████████ CVE-2021-38314 | Information Disclosure | kuriyama | Medium | 2025-09-02 |
| Bug Report #23JAN136 (subdomain takeover via shopify) | Privilege Escalation | kuriyama | High | 2025-09-02 |
| Bug Report #23JAN135 (subdomain takeover via shopify) | Privilege Escalation | kuriyama | High | 2025-09-02 |
| RXSS on stores on *█████████/visitorRegistration.pml via destination parameter | Cross-site Scripting (XSS) - Reflected | kuriyama | Medium | 2025-09-02 |
| Order More Than Maximum Allowed Quantity | Business Logic Errors | blackbird_azar | No rating | 2025-09-02 |
| Account Takeover in Password Reset Function | Authentication Bypass | egsec | Critical | 2025-09-02 |
| RXSS on ██████ via customerId parameter | Cross-site Scripting (XSS) - Reflected | 0xun7h1nk4ble | Medium | 2025-07-28 |
| [XSS] Reflected XSS via POST request in (███████) | Cross-site Scripting (XSS) - Reflected | morphykutay | Medium | 2025-06-12 |
| unauthorized access and add user and change personal information all users | Improper Access Control - Generic | bughunter0x7 | Critical | 2025-05-27 |
| Customer Data Exposure via Insecure Endpoint of coupon | Information Disclosure | bughunter0x7 | Medium | 2025-05-27 |
| insecure deserialize object leads to RCE On Sitecore (CVE-██████████-27218) | Deserialization of Untrusted Data | the_reinhardt | Critical | 2025-05-12 |
| Users Data Exposure via Insecure Endpoint | Information Disclosure | bughunter0x7 | Medium | 2025-05-12 |
| debug.log leaked [█████████] | Information Disclosure | imeng | Low | 2025-05-12 |
| massive PII leakage for ███████ | Insecure Storage of Sensitive Information | thpless | Medium | 2025-05-12 |
| change part of personal information all users | Improper Access Control - Generic | bughunter0x7 | Critical | 2025-05-12 |
| █████████ when adding branches to your account | Insecure Direct Object Reference (IDOR) | kh4rish34v3n | Critical | 2024-11-26 |
| RXSS on ████ via configUrl parameter | Cross-site Scripting (XSS) - Reflected | kh4rish34v3n | Low | 2024-11-26 |
| Insecure API Response Leads to Disclosure of Hashed Passwords | Information Disclosure | itsmatinx | Medium | 2024-11-26 |
| Reflected HTML Injection via contact (faq) search parameter on ██████████ | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | the-white-evil | Medium | 2024-11-25 |
| Reflected HTML Injection via contact (faq) search parameter on ███]= | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | the-white-evil | Medium | 2024-11-25 |
| unsubscribe anyone from all ████████ emails @ █████ | Improper Access Control - Generic | abfe | Low | 2024-11-25 |
| Information Exposure due to enabled debug mode | None supplied | thpless | Low | 2024-11-25 |
| phpinfo() exposed on ██████████ | Misconfiguration | blax17 | Medium | 2024-11-21 |
| phpinfo() exposed on ██████████ | Misconfiguration | thpless | No rating | 2024-11-21 |
| Upload profile photo and Pets addition - IDOR | Insecure Direct Object Reference (IDOR) | ozilll | High | 2024-11-21 |
| RXSS on ████ via q parameter | Cross-site Scripting (XSS) - Reflected | mosalah1102 | Low | 2024-11-21 |
| RXSS in ███ via S parameter | Cross-site Scripting (XSS) - Reflected | mosalah1102 | Medium | 2024-11-19 |
| sensitive data-creds for database - private key | Missing Encryption of Sensitive Data | mosalah1102 | Medium | 2024-11-19 |
| CSRF in Delete Pet Function | Cross-Site Request Forgery (CSRF) | mosalah1102 | Medium | 2024-11-19 |
| Reflected XSS on formaction parameter | Cross-site Scripting (XSS) - Reflected | e5p3ctr0x96 | Medium | 2024-11-19 |
| 0 Click account takeover via timed requests to ███████forgot-password (single-packet attack) | Use of a Broken or Risky Cryptographic Algorithm | 0x999 | High | 2024-07-11 |
| sqli on █████████ search functionality | SQL Injection | b_i_n_i_a_m | Medium | 2024-06-25 |
| Attacker can add two free bags offered by the site at the same time. | Business Logic Errors | mkhmd17 | Medium | 2024-06-25 |
| Sqli on ██████ search functionality | SQL Injection | b_i_n_i_a_m | Medium | 2024-06-25 |
| Reflected xss on ████████ | Cross-site Scripting (XSS) - Reflected | blax17 | Medium | 2024-06-25 |
| CSRF resulting in adding pet at ███████ | Cross-Site Request Forgery (CSRF) | dr34m14 | Low | 2024-06-25 |
| Account takeover using reset password link | Open Redirect | haoshokunoo | Medium | 2024-06-25 |
| CVE-2022-21371: Oracle WebLogic Server Local File Inclusion | None supplied | deb0con | High | 2024-03-04 |
| Unrestricted File Upload at ██████████ | Unrestricted Upload of File with Dangerous Type | xplo1t | Critical | 2024-02-19 |
| Client Side Template Injection to Stored XSS in Image Collection | Cross-site Scripting (XSS) - Stored | themarkib0x0 | High | 2024-02-14 |
| IDOR in one subdomain of █████████ -> change information of pets without authorization! | Insecure Direct Object Reference (IDOR) | haoshokunoo | Medium | 2024-02-14 |
| Blind SQL Injection on █████ via URI Path | SQL Injection | stuux | Critical | 2024-02-14 |
| CSRF to delete a pet on ██████ | Cross-Site Request Forgery (CSRF) | dr34m14 | Low | 2024-02-05 |
| Critical Unauthenticated Access to Sensitive Employee and Customer Data Including Invoice Details at ████ | Improper Authentication - Generic | skoll101 | Critical | 2024-01-30 |
| No CSRF protection when adding an item to cart | Cross-Site Request Forgery (CSRF) | themarkib0x0 | Low | 2024-01-30 |
| IDOR to account takeover on POST to █████████ by changing member_id parameter | Insecure Direct Object Reference (IDOR) | xandsz | Critical | 2024-01-30 |
| Sensitive Information Exposed at █████ | Information Disclosure | m3ntor | High | 2024-01-30 |
| Datadog api keys exposed can be used to do all the read and write access to the instance | Information Disclosure | harshdranjan | Critical | 2024-01-25 |
| debug.log File Exposure that exposes (user/████) username and password at █████████ | Cleartext Storage of Sensitive Information | skoll101 | High | 2023-11-15 |
| subdomain takeover at █████████ | Misconfiguration | skoll101 | High | 2023-11-15 |
| **"CSRF Vulnerability in ███████ Website Allows Attackers to Change User Profile Picture at ███████"** | None supplied | bx00 | Medium | 2023-11-15 |
| CSRF to delete a pet | Cross-Site Request Forgery (CSRF) | d0rift | Medium | 2023-08-30 |
| Stored XSS + CSRF in "apellido" value | Cross-site Scripting (XSS) - Stored | never_die | Medium | 2023-08-30 |
| Response Manipulation lead to bypass verification code while making appointment at `█████████` | Business Logic Errors | mo3giza | Medium | 2023-08-30 |
| Html injection | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | ped_baq | Medium | 2023-08-30 |
| Google dork lead to unsubscribe anyone from all Banfield emails | Improper Access Control - Generic | ractiurd | Low | 2023-08-30 |
| ███████ ' can delete any animal from other account ' at ██████████ | Insecure Direct Object Reference (IDOR) | 0xs4m | Medium | 2023-06-23 |
| Stored XSS via ' profile ' at ███ | Cross-site Scripting (XSS) - Stored | 0xs4m | Medium | 2023-06-23 |
| CRLF Injection at `██████████` | CRLF Injection | mo3giza | Low | 2023-06-23 |
| Information Exposure Through Directory Listing | Information Exposure Through Directory Listing | mo3giza | High | 2023-06-23 |
| ' Full Account Takeover ' at █████ | Improper Access Control - Generic | 0xs4m | Critical | 2023-06-23 |
| ████ ' can change any account email and cannot retrieve his account and access it ' at ███ | Insecure Direct Object Reference (IDOR) | 0xs4m | High | 2023-06-23 |
| ████ ' can add animal to other account ' at ██████ | Insecure Direct Object Reference (IDOR) | 0xs4m | Medium | 2023-06-22 |
| Jolokia Reflected XSS | Cross-site Scripting (XSS) - Reflected | ramzanrl | Medium | 2022-10-27 |