| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection | Open Redirect | hacker-kartel | High | 2026-06-02 |
| Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption | None supplied | bereza4321 | Low | 2026-05-05 |
| HTML Injection in DAST Trial Request Form Confirmation Email – PortSwigger | None supplied | zorixu | Low | 2026-02-26 |
| The role "CI-driven scan initiator" provides excessive read access | Privilege Escalation | osama-hamad | Low | 2026-01-02 |
| DNS Rebinding SSRF in Burp Suite MCP Server Enables Internal Network Access via send_http1_request Tool | Server-Side Request Forgery (SSRF) | farmer | None | 2025-10-08 |
| cgi scripts wordlist entry for windmail.exe has payload that sends arbitrary file read result to third-party | Information Disclosure | floyd | Low | 2025-03-13 |
| Burp Suite extensions can execute arbitrary code | None supplied | iamunixtz | High | 2025-02-26 |
| A user with only [MODIFY_SETTINGS] permission could take over any user accounts | Improper Access Control - Generic | osama-hamad | Low | 2024-05-20 |
| Changing the administrator password via admin console does not invalidate other sessions | Improper Authentication - Generic | osama-hamad | Low | 2024-05-20 |
| Incorrect logic when buying one more license may extend the expiry date of the existing license | Business Logic Errors | liru | No rating | 2024-04-16 |
| [portswigger.net] Path Traversal at /cms/audioitems | Path Traversal | 0xd0m7 | High | 2024-04-04 |
| CSP Bypass and escalation of https://hackerone.com/reports/2279346 | Business Logic Errors | priyanshusharma9789 | High | 2024-02-23 |
| CSP bypass on PortSwigger.net using Google script resources | Cross-site Scripting (XSS) - Reflected | joaxcar | Medium | 2024-02-18 |
| Title: Deceptive Manipulation of HTTP to HTTPS with VPN in Burp Suite | Cleartext Transmission of Sensitive Information | rexifylo | Medium | 2023-10-31 |
| RCE of Burp Scanner / Crawler via Clickjacking | Command Injection - Generic | mattaustin | High | 2023-10-10 |
| Business Logic, currency arbitrage - Possibility to pay less than the price in USD | Business Logic Errors | xctzn | Medium | 2022-10-26 |
| Redirection in Repeater & Intruder Tab | Open Redirect | mr_vrush | Low | 2022-08-11 |
| Information disclosure on error message | Information Exposure Through an Error Message | cometome780 | Low | 2021-11-15 |
| No Rate Limit On Regenerate Password on Portswigger | None supplied | thespiritman | None | 2021-09-13 |
| RCE in 'Copy as Node Request' BApp via code injection | Code Injection | ryotak | None | 2021-04-22 |
| HTML Injection in Swing can disclose netNTLM hash or cause DoS | Information Disclosure | issuefinder | Medium | 2021-03-29 |
| SMTP interaction theft via MITM | Cryptographic Issues - Generic | duesee | Medium | 2020-11-04 |
| Build fetches jars over HTTP | Man-in-the-Middle | jlleitschuh | Medium | 2019-06-10 |
| Build fetches jars over HTTP | Man-in-the-Middle | jlleitschuh | Medium | 2019-06-10 |
| Build fetches jars over HTTP | Man-in-the-Middle | jlleitschuh | Medium | 2019-06-10 |
| Browser Self XSS Protection not implemented | Information Disclosure | allenaleen | No rating | 2018-09-26 |
| Activate Burp Suite Pro with the old license after transfer to another account | Business Logic Errors | egyptghost1 | None | 2018-07-19 |
| burp does not validate the common name of the presented collaborator server certificate | Man-in-the-Middle | morisson | Medium | 2018-06-13 |
| Leak of Platform Authentication credentials via Repeater | Information Disclosure | jupenur | Low | 2018-06-13 |
| Improper Certificate Validation | Improper Certificate Validation | da3mon | Low | 2018-01-02 |
| Misconfiguration: Missing Custom Error Page (CWE-12 & CWE-756) | None supplied | tarwadahorse | No rating | 2017-05-16 |
| Email Spoofing | Violation of Secure Design Principles | dhamu007 | Low | 2017-02-14 |
| HTTP OPTIONS Method is Enabled on portswigger.net | Violation of Secure Design Principles | wragg-s | Low | 2016-12-27 |
| JSBeautifier BApp: Race condition leads to memory disclosure | Memory Corruption - Generic | jelmer | High | 2016-12-07 |
| Order-phishing via Payment ID URL | Cross-Site Request Forgery (CSRF) | sp1d3rs | Low | 2016-11-30 |
| XSS in IE11 on portswigger.net via Flash | Cross-site Scripting (XSS) - Generic | opnsec | No rating | 2016-11-30 |