| Title | Weakness | Reporter | Severity | Date |
| --- | --- | --- | --- | --- |
| Invalid | Improper Access Control - Generic | pashaaaaaaaa | Low | 2025-08-19 |
| Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize | Violation of Secure Design Principles | zeesozee | Medium | 2025-08-05 |
| Unauthorized Disclosure of Private Emails via WakaTime Private Leaderboards | Information Disclosure | ctrl_cipher | Medium | 2025-08-03 |
| Not a Vuln: Race Condition Allows Creation of Multiple Organizations with the Same Name | Business Logic Errors | ctrl_cipher | None | 2025-07-14 |
| user api key leaked | Information Disclosure | atasec | None | 2025-05-13 |
| Session Replay Attack Allows Authentication Bypass via Captured Login Responses Allowing Bypass of 429 Too many attempts for Multiple Failed Logins | Improper Authentication - Generic | ctrl_cipher | High | 2025-05-01 |
| Broken Access Control Exposes Email Verification Status and Privacy Settings via API Endpoint | Improper Access Control - Generic | ctrl_cipher | Low | 2025-04-29 |
| Leaked credentials (emails and passwords, etc.) | Information Disclosure | silenz404 | None | 2025-04-16 |
| Login Information and Credentials Have Been Leaked on wakatime.com | Information Disclosure | parthabishwas | None | 2025-04-13 |
| User Email Disclosure via ID-Based Invitation | Information Disclosure | m_kamal1 | Medium | 2025-02-22 |
| IDOR to view order information of users and personal information | Insecure Direct Object Reference (IDOR) | hasn0x | No rating | 2024-06-02 |
| WakaTime Payment Gateway Vulnerability | Missing Encryption of Sensitive Data | normal-guy | High | 2023-08-05 |
| HTML injection | None supplied | b6bfe1fb5d9fa76d75aeb40 | No rating | 2021-10-12 |
| Private leaderboard owner email disclosure when sending invites | Information Disclosure | hy76t56f565 | No rating | 2020-08-29 |
| Rate Limit too lenient for endpoint sending emails | Weak Password Recovery Mechanism for Forgotten Password | harshita174 | None | 2020-08-19 |
| [wakatime.com] HTML Injection github-btn.html | Cross-site Scripting (XSS) - DOM | bobrov | Low | 2018-10-19 |
| SSH backdated version open port | Brute Force | noob-walid | None | 2017-11-23 |
| Using an outdated version of OpenSSH on db01.wakatime.com | Information Disclosure | silv3rpoision | Low | 2017-10-29 |
| Can link to websites from profile | Improper Authentication - Generic | flex0geek | Low | 2017-10-07 |
| password token validation | Improper Authentication - Generic | flex0geek | Low | 2017-10-07 |
| Validation of Password reset tokens | Violation of Secure Design Principles | saikiran-10097 | Low | 2017-10-01 |
| Users with member privilege are able to see emails and membership information of other users | Information Disclosure | hackedbrain | Medium | 2017-09-26 |
| Logout CSRF | Cross-Site Request Forgery (CSRF) | caesar302 | Low | 2017-08-29 |
| [Privilege Escalation] Authenticated users can manipulate others' full name without their knowledge [Team Vector] | Privilege Escalation | axolotl | Medium | 2017-08-10 |
| [Privilege Escalation] Authenticated users can manipulate others' full name without their knowledge | Privilege Escalation | axolotl | Medium | 2017-08-10 |
| Impersonation of WakaTime user using Invitation functionality | Violation of Secure Design Principles | asaxena2190 | No rating | 2017-08-06 |
| Bypassing Access control, changing owner's name in a private leaderboard | Improper Access Control - Generic | tikoo_sahil | Medium | 2017-07-31 |
| Failure to check password history | Weak Password Recovery Mechanism for Forgotten Password | c0d3fire | Low | 2017-07-30 |
| Unsafe Inline and Eval CSP Usage | Violation of Secure Design Principles | mr_r3boot | Low | 2017-07-24 |
| https://wakatime.com/ website CSP "script-src" includes "unsafe-inline" | Violation of Secure Design Principles | silv3rpoision | Low | 2017-07-24 |
| Password token validation in https://wakatime.com/ | Improper Authentication - Generic | silv3rpoision | Low | 2017-07-24 |
| Password reset links should expire after being used, instead of at a specific time | Improper Authentication - Generic | silv3rpoision | Medium | 2017-07-23 |
| Add arbitrary content to Password Reset Email | Code Injection | footstep | No rating | 2017-07-20 |
| No rate limit on creating private leaderboards | None supplied | 3thic4l | No rating | 2017-07-18 |
| by pass rate limit exceed | Improper Access Control - Generic | abhiram | No rating | 2017-07-10 |
| Session Duplication due to Broken Access Control | Improper Access Control - Generic | anurag98 | High | 2017-07-10 |
| Blocking users from signing up on the site | Violation of Secure Design Principles | saikiran-10097 | None | 2017-07-08 |
| Password Policy Issue | Improper Authentication - Generic | gnost | Low | 2017-07-06 |
| Running 2 accounts with a single email | Business Logic Errors | atruba | No rating | 2017-07-06 |
| UI Redressing on Embedded Charts | UI Redressing (Clickjacking) | mr_r3boot | Low | 2017-07-05 |
| Clickjacking on authorized page https://wakatime.com/share/embed | UI Redressing (Clickjacking) | silv3rpoision | Low | 2017-07-05 |
| Missing filtering of meta characters in all full name fields on wakatime.com | Violation of Secure Design Principles | silv3rpoision | Low | 2017-07-04 |
| Session not expired on logout | Improper Authentication - Generic | ronygigi | No rating | 2017-07-03 |
| No rate limiting for confirmation email, can spam anyone with confirmation emails | Violation of Secure Design Principles | pratyushjanghel | No rating | 2017-07-03 |
| No rate limit when creating new goals [https://wakatime.com/goals] | Violation of Secure Design Principles | diti | No rating | 2017-07-03 |
| JSON CSRF on POST Heartbeats API | Cross-Site Request Forgery (CSRF) | sp1d3rs | Medium | 2017-07-03 |
| IDOR create accounts and verify them with original account email | Insecure Direct Object Reference (IDOR) | b3nac | Low | 2017-07-03 |
| No redirect uri for Twitter OAuth resulting in token leak | Improper Authentication - Generic | b3nac | Low | 2017-07-03 |
| No notification sent on email after account deletion | Violation of Secure Design Principles | silv3rpoision | Low | 2017-07-03 |
| Two email addresses can access the same account | Violation of Secure Design Principles | streaak2 | No rating | 2017-07-03 |
| Lack of Password Confirmation When Changing Email | Violation of Secure Design Principles | pratyushjanghel | No rating | 2017-07-03 |
| Forgot password link doesn't expire after use, only after some hours | Weak Password Recovery Mechanism for Forgotten Password | mohammad_obaid | Low | 2017-07-03 |
| Missing Account Deletion Notification | None supplied | pavanw3b | No rating | 2017-07-03 |
| [https://wakatime.com/reset_password/] Leaking password reset token via referrer | Information Disclosure | prateek_0490 | No rating | 2017-07-03 |
| Sensitive Cookie Without 'HttpOnly' Flag | None supplied | ninja_778899 | None | 2017-07-03 |
| Email Spoofing Via /api/v1/users/reset_password | None supplied | leet-boy | No rating | 2017-07-02 |
| Login page password-guessing attack | Brute Force | paxtammy | Low | 2017-07-02 |
| Session Not Expired On Logout | Improper Authentication - Generic | pratyushjanghel | No rating | 2017-07-01 |
| Missing SPF Flags | Violation of Secure Design Principles | mr_r3boot | Low | 2017-07-01 |
| Mailgun misconfiguration | Privilege Escalation | gaurang | No rating | 2017-07-01 |