| [last-commit-log] Command Injection |
Command Injection - Generic |
bilk0h |
High |
2020-11-29 |
| [systeminformation] Command Injection via insecure command formatting |
Command Injection - Generic |
effectrenan |
Critical |
2020-11-16 |
| [node-downloader-helper] Path traversal via Content-Disposition header |
Path Traversal |
ryotak |
Medium |
2020-11-11 |
| [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure |
Information Disclosure |
mik317 |
Medium |
2020-10-29 |
| [ts-dot-prop] Prototype Pollution |
None supplied |
prathis |
Medium |
2020-10-29 |
| [zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files |
Path Traversal |
ryotak |
Low |
2020-10-29 |
| [nested-property] Prototype Pollution |
Modification of Assumed-Immutable Data (MAID) |
johnssimon007 |
Medium |
2020-10-27 |
| [gfc] Command Injection via insecure command formatting |
Command Injection - Generic |
d3lla |
Critical |
2020-10-27 |
| [http-live-simulator] Application-level DoS |
Denial of Service |
ryotak |
Medium |
2020-10-27 |
| [create-git] RCE via insecure command formatting |
Code Injection |
mik317 |
Critical |
2020-10-26 |
| [json8-merge-patch] Prototype Pollution |
Modification of Assumed-Immutable Data (MAID) |
gkmr |
High |
2020-10-18 |
| [freespace] Command Injection due to Lack of Sanitization |
Command Injection - Generic |
ansuj |
Medium |
2020-10-14 |
| [tianma-static] Security issue with XSS. |
Cross-site Scripting (XSS) - Stored |
wooeong22 |
No rating |
2020-10-12 |
| [m-server] XSS reflected because path does not escapeHtml |
Cross-site Scripting (XSS) - Reflected |
0xd0ff |
No rating |
2020-09-28 |
| [hnzserver] Path Traversal allowing to read any files on the server |
Path Traversal |
lightangel1412 |
High |
2020-09-24 |
| [http_server] Path Traversal allowing to read any files on the server |
Path Traversal |
lightangel1412 |
High |
2020-09-24 |
| [snekserve] Stored XSS via filenames HTML formatted |
Cross-site Scripting (XSS) - Stored |
mik317 |
Medium |
2020-09-24 |
| [git-lib] RCE via insecure command formatting |
Code Injection |
mik317 |
Medium |
2020-09-24 |
| [gity] RCE via insecure command formatting |
Code Injection |
mik317 |
Medium |
2020-09-24 |
| property-expr - Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
ahihi |
High |
2020-09-24 |
| [commit-msg] RCE via insecure command formatting |
Code Injection |
mik317 |
Medium |
2020-09-24 |
| [@knutkirkhorn/free-space] - Command Injection through Lack of Sanitization |
Command Injection - Generic |
ansuj |
Medium |
2020-09-18 |
| [authmagic-timerange-stateless-core] Improper Authentication |
Improper Authentication - Generic |
ermilov |
High |
2020-09-16 |
| [authmagic-timerange-stateless-core] Improper Authentication |
Improper Authentication - Generic |
ermilov |
High |
2020-09-16 |
| [keyd] Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
d3lla |
High |
2020-09-14 |
| [flsaba] Stored XSS in the file and directory name when directories listing |
Cross-site Scripting (XSS) - Stored |
d3lla |
Low |
2020-09-14 |
| [objtools] Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
d3lla |
High |
2020-09-14 |
| [extend-merge] Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
d3lla |
High |
2020-09-06 |
| [static-server-gx] Path Traversal allowing to read any files on the server |
Path Traversal |
lightangel1412 |
High |
2020-09-03 |
| [sirloin] Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
bp0lr |
High |
2020-08-30 |
| [hangersteak] Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
bp0lr |
High |
2020-08-30 |
| [bl] Uninitialized memory exposure via negative .consume() |
Buffer Over-read |
chalker |
High |
2020-08-27 |
| [notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser |
Code Injection |
phra |
High |
2020-08-27 |
| [json-bigint] DoS via `__proto__` assignment |
Denial of Service |
chalker |
High |
2020-08-26 |
| [min-http-server] List any file in the folder by using path traversal. |
Path Traversal |
toannc123 |
High |
2020-08-26 |
| [windows-edge] RCE via insecure command formatting |
Code Injection |
mik317 |
Critical |
2020-08-25 |
| Prototype pollution attack (lodash) |
Denial of Service |
macasun |
Medium |
2020-08-25 |
| [meemo-app] Denial of Service via LDAP Injection |
LDAP Injection |
d3lla |
Critical |
2020-08-22 |
| [cloudron-surfer] Denial of Service via LDAP Injection |
LDAP Injection |
d3lla |
Critical |
2020-08-22 |
| Prototype Pollution lodash 4.17.15 |
Denial of Service |
awarau |
High |
2020-08-21 |
| Arbitrary code execution via untrusted schemas in ajv |
Code Injection |
chalker |
Low |
2020-08-14 |
| [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer |
Denial of Service |
vrechson |
High |
2020-08-07 |
| [is-my-json-valid] ReDoS via 'style' format |
Denial of Service |
chalker |
High |
2020-07-31 |
| Arbitrary code execution via untrusted schemas in is-my-json-valid |
Code Injection |
chalker |
Medium |
2020-07-31 |
| Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS |
Denial of Service |
chalker |
Medium |
2020-07-29 |
| SQL Injection or Denial of Service due to a Prototype Pollution |
SQL Injection |
phra |
Critical |
2020-07-24 |
| [diskstats] Command Injection via insecure command concatenation |
Command Injection - Generic |
d3lla |
Critical |
2020-07-23 |
| [express-cart] Wide CSRF in application |
Cross-Site Request Forgery (CSRF) |
saddeann |
Medium |
2020-07-21 |
| [Uppy] Internal Server side request forgery (bypass of #786956) |
Server-Side Request Forgery (SSRF) |
mahmoud0x00 |
Critical |
2020-06-28 |
| bunyan - RCE via insecure command formatting |
Code Injection |
ahihi |
High |
2020-06-27 |
| [wappalyzer] ReDoS allows an attacker to completely break Wappalyzer |
Denial of Service |
vrechson |
High |
2020-06-18 |
| [devcert] Command Injection via insecure command formatting |
Command Injection - Generic |
d3lla |
Critical |
2020-06-15 |
| OS Command Injection on Jison [all-parser-ports] |
OS Command Injection |
0x48piraj |
Medium |
2020-05-28 |
| Pixel flood attack cause the javascript heap out of memory |
Denial of Service |
mayaseven |
Medium |
2020-05-21 |
| [logkitty] RCE via insecure command formatting |
Code Injection |
mik317 |
High |
2020-05-09 |
| Prototype pollution attack (lodash) |
Allocation of Resources Without Limits or Throttling |
posix |
High |
2020-04-28 |
| [Total.js] Path traversal vulnerability allows to read files outside public directory |
Path Traversal |
visat |
Medium |
2020-04-25 |
| [utils-extend] Prototype pollution |
Modification of Assumed-Immutable Data (MAID) |
sontungatm |
Critical |
2020-04-02 |
| [htmr] DOM-based XSS |
Cross-site Scripting (XSS) - DOM |
visat |
Medium |
2020-03-15 |
| Server-Side Request Forgery (SSRF) in Ghost CMS |
Server-Side Request Forgery (SSRF) |
whoareme |
Medium |
2020-03-09 |
| Server Side Request Forgery in Uppy npm module |
Server-Side Request Forgery (SSRF) |
eslam-shieldfy |
High |
2020-03-02 |
| [http_server] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Stored |
lightangel1412 |
Low |
2019-09-13 |
| [untitled-model] sql injection |
SQL Injection |
verichains |
High |
2019-06-18 |
| Prototype Pollution Vulnerability in cached-path-relative Package |
Denial of Service |
cris_semmle |
High |
2018-11-02 |
| [tianma-static] Stored xss on filename |
Cross-site Scripting (XSS) - Stored |
abdilahrf_ |
Critical |
2018-11-02 |
| [takeapeek] Path traversal allow to expose directory and files |
Path Traversal |
abdilahrf_ |
High |
2018-11-02 |
| [knightjs] Path Traversal allows to read content of arbitrary files |
Path Traversal |
abdilahrf_ |
High |
2018-11-02 |
| Prototype pollution attack (lodash / constructor.prototype) |
Denial of Service |
asgerf |
Low |
2018-10-30 |
| Code Injection Vulnerability in morgan Package |
Code Injection |
cris_semmle |
Medium |
2018-10-28 |
| Samlify is vulnerable to signature wrapping |
Cryptographic Issues - Generic |
webtonull |
High |
2018-10-23 |
| [serve] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Stored |
tungpun |
Medium |
2018-10-19 |
| [serve] XSS via HTML tag injection in directory lisiting page |
Cross-site Scripting (XSS) - Stored |
skyn3t |
Medium |
2018-10-19 |
| [apex-publish-static-files] Command Injection on connectString |
Command Injection - Generic |
abdilahrf_ |
Critical |
2018-10-18 |
| Command Injection Vulnerability in libnmap Package |
Command Injection - Generic |
cris_semmle |
Medium |
2018-10-14 |
| Prototype pollution attack (merge.recursive) |
Denial of Service |
asgerf |
Low |
2018-09-28 |
| Prototype pollution attack (defaults-deep / constructor.prototype) |
Denial of Service |
asgerf |
Low |
2018-09-28 |
| http-live-simulator npm module is prone to path traversal attacks |
Path Traversal |
lirantal |
High |
2018-09-18 |
| [express-cart] Customer and admin email enumeration through MongoDB injection |
SQL Injection |
becojo |
High |
2018-09-11 |
| [ascii-art] Command injection |
Command Injection - Generic |
pontus_johnson |
High |
2018-09-08 |
| Command Injection is ps Package |
Command Injection - Generic |
cris_semmle |
Medium |
2018-09-07 |
| [samsung-remote] Command injection |
Command Injection - Generic |
pontus_johnson |
Critical |
2018-09-02 |
| [exceljs] Possible XSS via cell value when worksheet is displayed in browser |
Cross-site Scripting (XSS) - Generic |
bl4de |
Medium |
2018-09-01 |
| [simplehttpserver] List any file in the folder by using path traversal. |
Path Traversal |
n0n4me |
High |
2018-08-30 |
| Prototype pollution attack (extend) |
Denial of Service |
asgerf |
Critical |
2018-08-22 |
| [egg-scripts] Command injection |
Command Injection - Generic |
pontus_johnson |
High |
2018-08-19 |
| [flintcms] Account takeover due to blind MongoDB injection in password reset |
Privilege Escalation |
becojo |
Critical |
2018-08-15 |
| Arbitrary File Write through archive extraction |
Path Traversal |
danny_grander |
High |
2018-08-12 |
| Arbitrary File Write Through Archive Extraction |
None supplied |
danny_grander |
High |
2018-08-12 |
| Command Injection Vulnerability in win-fork/win-spawn Packages |
Command Injection - Generic |
cris_semmle |
High |
2018-08-10 |
| url-parse package return wrong hostname |
Open Redirect |
0x9090 |
High |
2018-07-30 |
| stored xss in scrape-metadata when reading metadata from an html page |
Cross-site Scripting (XSS) - Stored |
5ilverhawk |
High |
2018-07-27 |
| [markdown-pdf] Local file reading |
Path Traversal |
n1__ |
Medium |
2018-07-20 |
| [ponse] Path traversal in ponse module allows to read any file on server |
Path Traversal |
szkrstf |
High |
2018-07-20 |
| Stored XSS in Node-Red |
Cross-site Scripting (XSS) - Stored |
misterch0c |
High |
2018-07-18 |
| [entitlements] Command injection on the 'path' parameter |
Command Injection - Generic |
caioluders |
High |
2018-07-18 |
| [statics-server] XSS via injected iframe in file name when statics-server displays directory index in the browser |
Cross-site Scripting (XSS) - Generic |
bl4de |
Critical |
2018-07-14 |
| Privilege escalation allows any user to add an administrator |
Privilege Escalation |
patrickrbc |
Critical |
2018-07-12 |
| [m-server] HTML Injection in filenames displayed as directory listing in the browser allows to embed iframe with malicious JavaScript code |
Cross-site Scripting (XSS) - Stored |
bl4de |
Medium |
2018-07-12 |
| [m-server] Path Traversal allows to display content of arbitrary file(s) from the server |
Path Traversal |
bl4de |
Medium |
2018-07-12 |
| XSS in express-useragent through HTTP User-Agent |
Cross-site Scripting (XSS) - Generic |
ibrahimd |
No rating |
2018-07-06 |
| [bruteser] Path Traversal allows to read content of arbitrary file |
Path Traversal |
bl4de |
Medium |
2018-07-04 |
| [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser |
Cross-site Scripting (XSS) - Stored |
bl4de |
Medium |
2018-07-04 |
| [serve] Server Directory Traversal |
Path Traversal |
tungpun |
Critical |
2018-07-02 |
| Privilage escalation with malicious .npmrc |
Privilege Escalation |
ginden |
High |
2018-06-30 |
| `memjs` allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage |
Denial of Service |
chalker |
Critical |
2018-06-27 |
| [buttle] Path traversal in mid-buttle module allows to read any file in the server. |
Path Traversal |
n0n4me |
Critical |
2018-06-27 |
| Insecure implementation of deserialization in cryo |
Code Injection |
greendog |
High |
2018-06-19 |
| npm packages that overlap with core node packages |
Phishing |
mlucool |
High |
2018-06-16 |
| [git-dummy-commit] Command injection on the msg parameter |
OS Command Injection |
caioluders |
Critical |
2018-06-15 |
| Insecure implementation of deserialization in funcster |
Code Injection |
greendog |
High |
2018-06-15 |
| `njwt` allocates uninitialized Buffers when number is passed in base64urlEncode input |
Out-of-bounds Read |
chalker |
Low |
2018-06-14 |
| Remote Command Execution vulnerability in pullit |
Command Injection - Generic |
lirantal |
Critical |
2018-06-14 |
| [file-static-server] Path Traversal allows to read content of arbitrary file on the server |
Path Traversal |
bl4de |
Low |
2018-06-14 |
| `utile` allocates uninitialized Buffers when number is passed in input |
Out-of-bounds Read |
chalker |
Low |
2018-06-14 |
| `put` allocates uninitialized Buffers when non-round numbers are passed in input |
Out-of-bounds Read |
chalker |
Low |
2018-06-14 |
| [mcstatic] Server Directory Traversal |
Path Traversal |
tungpun |
High |
2018-06-12 |
| [html-pages] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Generic |
tungpun |
High |
2018-06-12 |
| [public] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Generic |
tungpun |
Medium |
2018-06-12 |
| Unrestricted file upload (RCE) |
Path Traversal |
patrickrbc |
Critical |
2018-06-02 |
| [serve] Directory listing and File access even when they have been set to be ignored |
Information Exposure Through Directory Listing |
tungpun |
Critical |
2018-05-31 |
| [localhost-now] bypassing url filter which leads to read content of arbitrary file |
Path Traversal |
dienpv |
High |
2018-05-30 |
| [serve] Directory listing and File access even when they have been set to be ignored (using dot-slash) |
Information Exposure Through Directory Listing |
tungpun |
Critical |
2018-05-30 |
| Command injection in 'pdf-image' |
Command Injection - Generic |
defmax |
Medium |
2018-05-29 |
| [sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name |
Cross-site Scripting (XSS) - Stored |
bl4de |
Medium |
2018-05-29 |
| [hekto] open redirect when target domain name is used as html filename on server |
Open Redirect |
brainpanic |
Low |
2018-05-20 |
| [html-pages] Path Traversal in html-pages module allows to read any file from the server with curl |
Path Traversal |
bl4de |
Critical |
2018-05-19 |
| [query-mysql] SQL Injection due to lack of user input sanitization allows to run arbitrary SQL queries when fetching data from database |
SQL Injection |
bl4de |
Critical |
2018-05-19 |
| The react-marked-markdown module allows XSS injection in href values. |
Cross-site Scripting (XSS) - Generic |
ronperris |
Critical |
2018-05-13 |
| `base64-url` below 2.0 allocates uninitialized Buffers when number is passed in input |
Out-of-bounds Read |
chalker |
High |
2018-05-12 |
| `sql` does not properly escape parameters when building SQL queries, resulting in potential SQLi |
SQL Injection |
chalker |
Medium |
2018-05-12 |
| `npmconf` (and `npm` js api) allocate and write to disk uninitialized memory content when a typed number is passed as input on Node.js 4.x |
Out-of-bounds Read |
chalker |
High |
2018-05-12 |
| `byte` allocates uninitialized buffers and reads data from them past the initialized length |
Out-of-bounds Read |
chalker |
Medium |
2018-05-11 |
| `base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below |
Out-of-bounds Read |
chalker |
High |
2018-05-11 |
| `macaddress` concatenates unsanitized input into exec() command |
Command Injection - Generic |
chalker |
Critical |
2018-05-11 |
| `command-exists` concatenates unsanitized input into exec()/execSync() commands |
Command Injection - Generic |
chalker |
Critical |
2018-05-11 |
| [buttle] Remote Command Execution via unsanitized PHP filename when it's run with --php-bin flag |
OS Command Injection |
bl4de |
Critical |
2018-05-11 |
| Bypass to defective fix of Path Traversal |
Path Traversal |
caioluders |
High |
2018-05-11 |
| `fs-path` concatenates unsanitized input into exec()/execSync() commands |
Command Injection - Generic |
chalker |
Critical |
2018-05-11 |
| `stringstream` allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below |
Out-of-bounds Read |
chalker |
Medium |
2018-05-11 |
| `superstatic` is vulnerable to path traversal on Windows |
Path Traversal |
chalker |
High |
2018-04-29 |
| `foreman` is vulnerable to ReDoS in path |
Denial of Service |
chalker |
High |
2018-04-28 |
| `concat-with-sourcemaps` allocates uninitialized Buffers when number is passed as a separator |
Out-of-bounds Read |
chalker |
Medium |
2018-04-28 |
| [angular-http-server] Server Directory Traversal |
Path Traversal |
tungpun |
High |
2018-04-26 |
| [cloudcmd] Stored XSS in the filename when directories listing |
Cross-site Scripting (XSS) - Generic |
tungpun |
High |
2018-04-25 |
| [mcstatic] Path Traversal allows to read content of arbitrary files |
Path Traversal |
bl4de |
High |
2018-04-24 |
| [pdfinfojs] Command Injection on filename parameter |
Command Injection - Generic |
caioluders |
High |
2018-04-19 |
| Prototype pollution attack (merge-objects) |
None supplied |
holyvier |
Medium |
2018-04-15 |
| Prototype pollution attack (merge-options) |
None supplied |
holyvier |
Low |
2018-04-15 |
| Prototype pollution attack (merge-recursive) |
None supplied |
holyvier |
Low |
2018-04-15 |
| Prototype pollution attack (deep-extend) |
None supplied |
holyvier |
Low |
2018-04-15 |
| Prototype pollution attack (deap) |
None supplied |
holyvier |
Low |
2018-04-15 |
| [glance] Stored XSS via file name allows to run arbitrary JavaScript when directory listing is displayed in browser |
Cross-site Scripting (XSS) - Stored |
bl4de |
Low |
2018-04-15 |
| [public] Stored XSS in filenames in directory served by public |
Cross-site Scripting (XSS) - Stored |
bl4de |
Low |
2018-04-15 |
| [bracket-template] Reflected XSS possible when variable passed via GET parameter is used in template |
Cross-site Scripting (XSS) - Reflected |
bl4de |
High |
2018-04-09 |
| `atob` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below |
Out-of-bounds Read |
chalker |
Medium |
2018-04-08 |
| `http-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak |
Denial of Service |
chalker |
High |
2018-04-05 |
| `sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys |
Denial of Service |
chalker |
High |
2018-04-04 |
| [crud-file-server] Path Traversal allows to read arbitrary file from the server |
Path Traversal |
bl4de |
Medium |
2018-04-04 |
| `https-proxy-agent` passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak |
Denial of Service |
chalker |
High |
2018-04-02 |
| `protobufjs` is vulnerable to ReDoS when parsing crafted invalid *.proto files |
Denial of Service |
chalker |
Medium |
2018-03-31 |
| `whereis` concatenates unsanitized input into exec() command |
Command Injection - Generic |
chalker |
Critical |
2018-03-28 |
| [metascraper] Stored XSS in Open Graph meta properties read by metascrapper |
Cross-site Scripting (XSS) - Stored |
bl4de |
Critical |
2018-03-28 |
| [serve] Directory listing and File access even when they have been set to be ignored. |
Information Exposure Through Directory Listing |
0xchr00t |
Critical |
2018-03-13 |
| [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server |
Path Traversal |
bl4de |
High |
2018-03-10 |
| [node-srv] Path Traversal allows to read arbitrary files from remote server |
Path Traversal |
bl4de |
High |
2018-03-07 |
| [stattic] Inproper path validation leads to Path Traversal and allows to read arbitrary files with any extension(s) |
Path Traversal |
bl4de |
High |
2018-03-06 |
| [glance] Path Traversal in glance static file server allows to read content of arbitrary file |
Path Traversal |
bl4de |
High |
2018-03-04 |
| [simple-server] HTML with iframe element can be used as filename, which might lead to load and execute malicious JavaScript |
Cross-site Scripting (XSS) - Stored |
bl4de |
High |
2018-03-02 |
| [angular-http-server] Path Traversal in angular-http-server.js allows to read arbitrary file from the remote server |
Path Traversal |
bl4de |
High |
2018-03-01 |
| [uppy] Stored XSS due to crafted SVG file |
Cross-site Scripting (XSS) - Stored |
alyssa_herrera |
Medium |
2018-03-01 |
| [hekto] Path Traversal vulnerability allows to read content of arbitrary files |
Path Traversal |
bl4de |
High |
2018-02-26 |
| [simplehttpserver] Stored XSS in file names leads to malicious JavaScript code execution when directory listing is output in HTML |
Cross-site Scripting (XSS) - Stored |
bl4de |
Critical |
2018-02-26 |
| [anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere |
Cross-site Scripting (XSS) - Stored |
bl4de |
Critical |
2018-02-26 |
| [626] Path Traversal allows to read arbitrary file from remote server |
Path Traversal |
bl4de |
High |
2018-02-26 |
| [localhost-now] Path Traversal allows to read content of arbitrary file |
Path Traversal |
bl4de |
High |
2018-02-26 |
| Path Traversal on Resolve-Path |
Path Traversal |
orange |
High |
2018-02-22 |
| [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server |
Cross-site Scripting (XSS) - Stored |
bl4de |
Critical |
2018-02-17 |
| [public] Path Traversal allows to read content of arbitrary files |
Path Traversal |
bl4de |
High |
2018-02-17 |
| Prototype pollution attack (defaults-deep) |
Denial of Service |
holyvier |
Low |
2018-02-15 |
| Prototype pollution attack (merge-deep) |
Denial of Service |
holyvier |
Low |
2018-02-15 |
| Prototype pollution attack (assign-deep) |
Denial of Service |
holyvier |
Low |
2018-02-15 |
| Prototype pollution attack (mixin-deep) |
Denial of Service |
holyvier |
Low |
2018-02-15 |
| Prototype pollution attack (Hoek) |
Denial of Service |
holyvier |
Low |
2018-02-13 |
| Prototype pollution attack (lodash) |
Denial of Service |
holyvier |
Low |
2018-02-13 |
| [html-janitor] Passing user-controlled data to clean() leads to XSS |
Cross-site Scripting (XSS) - DOM |
bayotop |
Critical |
2018-02-09 |
| [html-janitor] Bypassing sanitization using DOM clobbering |
Business Logic Errors |
bayotop |
High |
2018-02-05 |
| Fastify denial-of-service vulnerability with large JSON payloads |
Denial of Service |
nwoltman |
Critical |
2018-01-25 |
| [serve] Directory index of arbitrary folder available due to lack of sanitization of %2e and %2f characters in url |
Path Traversal |
bl4de |
Critical |
2018-01-23 |
| [augustine] Static Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
ysx |
Medium |
2018-01-23 |
| [lactate] Static Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
ysx |
Medium |
2018-01-23 |
| [redis-commander] Reflected SWF XSS via vulnerable "clipboard.swf" component |
Cross-site Scripting (XSS) - Reflected |
ysx |
Low |
2018-01-23 |
| [serve-here] Static Web Server Directory Traversal via Crafted GET Request |
Path Traversal |
ysx |
Medium |
2018-01-10 |
| [featurebook] Specification Server Directory Traversal via Crafted Browser Request |
Path Traversal |
ysx |
Medium |
2018-01-10 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles