| Exposure of service tokens to webpack bundle |
Information Disclosure |
a_d_a_m |
High |
2024-03-08 |
| IDOR vulnerability reveals additional information |
Insecure Direct Object Reference (IDOR) |
a_d_a_m |
Critical |
2024-03-07 |
| Lack of sanitization of the billing address in pdf invoice |
Server-Side Request Forgery (SSRF) |
a_d_a_m |
High |
2024-03-06 |
| IDOR allows information disclosure |
Insecure Direct Object Reference (IDOR) |
a_d_a_m |
High |
2024-03-05 |
| API key (api.semrush.com) leak in JS-file |
Information Disclosure |
a_d_a_m |
Medium |
2022-09-05 |
| IDOR allowing to read another user's token on the Social Media Ads service |
Improper Access Control - Generic |
a_d_a_m |
High |
2022-08-16 |
| Critically Sensitive Spring Boot Endpoints Exposed |
Improper Access Control - Generic |
a_d_a_m |
Critical |
2022-02-10 |
| php info file and sql backup at vendor's subdomain |
Information Disclosure |
rivalsec |
Low |
2021-12-08 |
| Improper input validation in projects leads to fully deny access to project resources |
Improper Input Validation |
a_d_a_m |
Medium |
2021-09-01 |
| OAuth `redirect_uri` bypass using IDN homograph attack resulting in user's access token leakage |
Information Disclosure |
yassineaboukir |
Medium |
2020-06-18 |
| IDOR in the https://market.semrush.com/ |
Improper Access Control - Generic |
albatraoz |
Critical |
2020-04-30 |
| SSRF and LFI in site-audit tool |
None supplied |
a_d_a_m |
High |
2020-04-30 |
| An attacker can buy marketplace articles for lower prices as it allows for negative quantity values leading to business loss |
Business Logic Errors |
yashrs |
High |
2020-04-02 |
| IDOR in marketing calendar tool |
Insecure Direct Object Reference (IDOR) |
a_d_a_m |
Medium |
2020-04-02 |
| Content Injection on api.semrush.com to Reflected XSS |
Cross-site Scripting (XSS) - Reflected |
nikitastupin |
Low |
2020-04-02 |
| Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB |
Cross-site Scripting (XSS) - Reflected |
ziko_amazigh |
Low |
2020-04-02 |
| IDOR in semrush academy |
Insecure Direct Object Reference (IDOR) |
a_d_a_m |
Medium |
2020-02-28 |
| Ad Builder Display Ads Path Traversal |
Path Traversal |
ajxchapman |
Medium |
2020-02-28 |
| CORS misconfiguration which leads to the disclosure of certain data concerning the user. |
Improper Access Control - Generic |
a_d_a_m |
Low |
2020-02-15 |
| Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image |
Violation of Secure Design Principles |
seeu |
Medium |
2020-01-10 |
| Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image |
Violation of Secure Design Principles |
seeu |
Medium |
2020-01-10 |
| Github information leaked |
Information Disclosure |
farmsec_alice |
High |
2019-09-25 |
| SSRF In Get Video Contents |
Server-Side Request Forgery (SSRF) |
artemis233 |
Medium |
2019-08-19 |
| Remote Code Execution on www.semrush.com/my_reports on Logo upload |
Command Injection - Generic |
fransrosen |
Critical |
2019-06-24 |
| Improper authentication on registration |
Improper Authentication - Generic |
lezibintlgent |
Medium |
2018-08-24 |
| Post Based XSS On Upload Via CK Editor [semrush.com] |
Cross-site Scripting (XSS) - Reflected |
apapedulimu |
Low |
2018-08-17 |
| Password reset token leakage via referer |
Violation of Secure Design Principles |
ethical_hacker30121996 |
Low |
2018-08-14 |
| Error Page Content Spoofing or Text Injection |
Violation of Secure Design Principles |
asad_anwar |
Low |
2018-06-29 |
| XSS on redirection page( Bypassed) |
Cross-site Scripting (XSS) - Reflected |
kunal94 |
Low |
2018-06-13 |
| [oauth token leak] at oauth.semrush.com |
Improper Authentication - Generic |
nikitastupin |
High |
2018-04-17 |
| CORS (Cross-Origin Resource Sharing) |
Improper Authentication - Generic |
asad_anwar |
Low |
2018-03-20 |
| Email Spoofing |
Violation of Secure Design Principles |
protector47 |
Medium |
2018-03-13 |
| SSLv3 Poodle Attack on Ip Of semrush |
Violation of Secure Design Principles |
h3r0es |
Low |
2018-03-13 |
| Broken Authentication: A project addition request can be used multiple time for different users |
Key Exchange without Entity Authentication |
walterhwhite |
High |
2018-03-13 |
| clickjacking to Semrush auth login |
UI Redressing (Clickjacking) |
karrrtik |
None |
2018-03-13 |
| XXE in Site Audit function exposing file and directory contents |
XML External Entities (XXE) |
achapman |
Critical |
2018-03-13 |
| Cross-origin resource sharing misconfig |
Improper Authentication - Generic |
asad_anwar |
Low |
2018-03-13 |
| Security misconfiguration "weak passwords". |
Violation of Secure Design Principles |
whitehatmmalam |
Medium |
2018-03-13 |
| Insecure Direct Object Reference on API without API key |
None supplied |
scraps |
High |
2018-03-13 |
| Single Sing On - Clickjacking |
UI Redressing (Clickjacking) |
r0p3 |
Low |
2018-02-21 |
| Reflected XSS using Header Injection |
Cross-site Scripting (XSS) - Reflected |
inferno- |
Low |
2018-01-18 |
| Cross-origin resource sharing |
None supplied |
sureshbudharapu |
High |
2018-01-11 |
| Following links are vulnerable to clickjacking |
UI Redressing (Clickjacking) |
karma1 |
Low |
2018-01-11 |
| subdomain takeover at news-static.semrush.com |
None supplied |
0ways |
High |
2018-01-10 |
| Cross-origin resource sharing misconfig | steal user information |
None supplied |
bughunterboy |
Medium |
2017-12-17 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles