| Report | Weakness | Reporter | Severity | Date |
| --- | --- | --- | --- | --- |
| Critical Deadlock Vulnerability in Monero RPC Leading to Complete Node Paralysis | Uncontrolled Resource Consumption | rorkh | Critical | 2026-05-06 |
| Connection Count Bug in Monero Node Enables Outbound Peer Reset Attack | Privacy Violation | yulge | No rating | 2026-05-06 |
| Reported Denial of Service | Uncontrolled Resource Consumption | jehrenhofermagicgrants | No rating | 2026-04-06 |
| Reported RPC Overflow | Integer Overflow | jehrenhofermagicgrants | No rating | 2026-04-06 |
| Dynamic fee algorithm doesn't check for zero fee | Uncontrolled Resource Consumption | sech1 | Low | 2025-05-23 |
| RPC service DOS | Uncontrolled Resource Consumption | ptrstr | Medium | 2025-05-23 |
| Transactions in invalid blocks are kept in tx-pool without undergoing certain checks. | None supplied | boog900 | No rating | 2025-04-23 |
| A peer can remotely fill the pending block queue to an extremely high size, with blocks that will never leave the queue. | None supplied | boog900 | No rating | 2025-04-23 |
| Remote memory exhaustion in Epee RPC stack under zero Receive Window | Uncontrolled Resource Consumption | sagewilder2022 | High | 2025-04-23 |
| Spamming highly nested JSON RPC requests cause node to disconnect from p2p network | Uncontrolled Resource Consumption | asurar0 | No rating | 2025-04-23 |
| low-level p2p ping + tcp flooding leads to a remote crash in monerod | None supplied | padillac | Critical | 2025-04-14 |
| [Monero wallet RPC] File precreation to file ownership and credentials leak | Improper Access Control - Generic | selmelc | No rating | 2024-09-04 |
| Reentrancy attack in eth-monero atomic swap | Improper Access Control - Generic | farinavito123 | No rating | 2023-04-20 |
| monerod JSON RPC server remote DoS | Uncontrolled Resource Consumption | m31007 | Medium | 2022-09-12 |
| RPC call crashes node | Uncontrolled Resource Consumption | xfang | High | 2022-08-20 |
| Misconfiguration in build environment allows DLL preloading attack | None supplied | nim4 | Low | 2022-01-29 |
| DLL hijacking in Monero GUI for Windows 0.17.3.0 would allow an attacker to perform remote command execution | Code Injection | fukuyama | Medium | 2021-12-30 |
| Array Index Underflow--http rpc | Array Index Underflow | minerscan | High | 2021-10-11 |
| Hardware Wallets Do Not Check Unlock Time | Man-in-the-Middle | thecharlatan | Medium | 2021-09-12 |
| Unix time unlock_time values have dangerous validation rules enabling a number of exploits | Business Logic Errors | thecharlatan | High | 2021-09-12 |
| Malicious get_random_rct_outs.bin rpc can cause a near-infinite loop | Denial of Service | ahook | High | 2018-09-29 |
| Stack Overflow in JSON RPC Server | Stack Overflow | talko | No rating | 2018-09-29 |
| Constant-time comparison is not always implemented; critical areas are vulnerable to key-timing attacks | Missing Required Cryptographic Step | anonimal | Critical | 2018-08-06 |
| Trusted daemon check fails when proxied through torsocks or proxychains | Privacy Violation | equim | Low | 2018-08-02 |
| Misreporting of received amount by show_transfers | Business Logic Errors | moneromooo | High | 2018-08-02 |
| epee will accept an arbitrary amount of leading line-breaks in an http request | Denial of Service | ahook | Low | 2018-08-02 |
| monerod can be disabled by a well-timed TCP reset packet | Denial of Service | ahook | Medium | 2018-08-02 |
| A bug in the Monero wallet balance can enable theft from exchanges | Business Logic Errors | jagerman | Critical | 2018-08-02 |
| Attacker can trick monero wallet into reporting it received twice as much with alternative tx_keypubs | Business Logic Errors | phiren | High | 2018-07-27 |
| forum.getmonero.org Shell upload | Code Injection | kaulse | High | 2018-07-27 |
| Monero Website & Kovri on your policy are returning 404 not found. | Business Logic Errors | axolotl | None | 2018-04-25 |
| TabNabbing issue (due to target=_blank) | None supplied | ursa | No rating | 2018-04-25 |
| Out-of-bounds read when importing corrupt blockchain with monero-blockchain-import | Out-of-bounds Read | ovrflow | Low | 2018-04-25 |
| Buffer out of bound read in miniupnpc xml parser | Buffer Over-read | yukichen | Low | 2018-04-25 |
| Monero GUI not linked with /DYNAMICBASE or hardening on windows, no ASLR | None supplied | flxflndy_ | No rating | 2018-03-18 |
| Corrupt RPC responses from remote daemon nodes can lead to transaction tracing | Privacy Violation | monero-hax123 | Medium | 2018-03-16 |
| remote access to localhost daemon, can issue jsonrpc commands | Cross-Site Request Forgery (CSRF) | bugbound | Low | 2018-02-22 |
| Kovri: potential buffer over-read in garlic clove handling + I2NP message creation | Information Disclosure | aerodudrizzt | High | 2017-12-05 |