Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
11
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: nextcloud
View-only guests could see deleted Collectives pages in the trashbin
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2026-05-08
Easy way to create a new Deck board without permission
Nextcloud Improper Access Control - Generic (CWE-284)
Unknown
2026-01-16
Can download files on Android app without permission
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2026-01-16
Users can modify tags on files that do not belong to them
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2025-66547
Medium
2026-01-04
Deck app allowed user with "Can share" permission to modify permissions of other non-owners
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2025-66557
Medium
2025-12-05
Blind SSRF Vulnerability in Appstore Release Upload Form
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2025-01-14
Nextcloud mail does not respect download permissions in shares
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-52509
Low
2024-12-15
User can copy locked folders and gain access to the contents
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-52514
Medium
2024-11-16
Re-emergence of Security Vulnerability in Nextcloud Version 28 Previously Fixed in 25.0.4
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37884
Medium
2024-07-14
Can reshare read&share only folder with more permissions
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37882
High
2024-07-14
Missing permission check when removing a photo from an album
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37314
Low
2024-07-14
see card comments after remove shared board
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37883
Medium
2024-06-18
Read-only users can restore old versions
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37315
Medium
2024-06-14
ID4me feature of OpenID connect app available even when disabled
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37312
Medium
2024-05-30
Can download files by zipping the folder
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-22404
Medium
2024-02-17
Bypass password confirmation via Context-dependent access control (CDCA)
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-49791
Medium
2024-01-17
Admins can change authentication details of user configured external storage
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-48303
Low
2023-12-21
Delete external storage of any user
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-48239
High
2023-11-21
Existance of calendars and addressbooks can be checked by unauthenticated users
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-39959
Low
2023-09-26
Permissions not respected when copying entire group folders
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-39952
Medium
2023-09-09
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895