Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
11
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: nextcloud
Non-admin users can reset app allowlist to the default
Nextcloud Business Logic Errors (CWE-840)CVE-2024-22401
Medium
2024-01-18
Bruteforce protection in password verification can be bypassed
Nextcloud Improper Restriction of Authentication Attempts (CWE-307)CVE-2023-49792
Medium
2024-01-17
Bypass password confirmation via Context-dependent access control (CDCA)
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-49791
Medium
2024-01-17
Error when editing a calendar appointment returns stacktrace and query
Nextcloud Information Disclosure (CWE-200)CVE-2023-48308
Medium
2024-01-17
DNS pin middleware can be tricked into DNS rebinding allowing SSRF
Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2023-48306
Medium
2024-01-01
Self XSS when pasting HTML into Text app with Ctrl+Shift+V
Nextcloud Cross-site Scripting (XSS) - DOM (CWE-79)CVE-2023-48302
Medium
2023-12-21
user_ldap app logs user passwords in the log file on level debug
Nextcloud Cleartext Storage of Sensitive Information (CWE-312)CVE-2023-48305
Medium
2023-11-21
Enabling Birthday Contact to any user
Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2023-48304
Medium
2023-11-21
OAuth2 client_secret stored in plain text in the database
Nextcloud Cleartext Storage in a File or on Disk (CWE-313)CVE-2023-45151
Medium
2023-11-15
Password of talk conversations can be bruteforced
Nextcloud Improper Restriction of Authentication Attempts (CWE-307)CVE-2023-45149
Medium
2023-11-12
Memcached used as RateLimiter backend is no-op
Nextcloud Improper Restriction of Authentication Attempts (CWE-307)CVE-2023-45148
Medium
2023-11-12
Responsive Server-side Request Forgery (SSRF)
Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2023-45660
Medium
2023-10-19
Inviting excessive long email addresses to a calendar event makes the server unresponsive
Nextcloud Uncontrolled Resource Consumption (CWE-400)CVE-2023-45150
Medium
2023-10-16
Dos in Form Submission at https://nextcloud.com/instant-trial/
Nextcloud Uncontrolled Resource Consumption (CWE-400)
Medium
2023-09-26
Permissions not respected when copying entire group folders
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-39952
Medium
2023-09-09
Issuer not verified from obtained token in user_oidc
Nextcloud CVE-2023-39953
Medium
2023-08-23
Path traversal allows tricking the Talk Android app into writing files into it's root directory
Nextcloud Path Traversal (CWE-22)CVE-2023-39957
Medium
2023-08-14
Improper restriction of excessive authentication attempts on WebDAV endpoint
Nextcloud Improper Restriction of Authentication Attempts (CWE-307)CVE-2023-39960
Medium
2023-08-10
Any (non-admin) user from an instance can destroy any (user and/or global) external filesystem
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-39962
Medium
2023-08-10
Missing brute force protection on OAuth2 API controller
Nextcloud Improper Restriction of Authentication Attempts (CWE-307)CVE-2023-39958
Medium
2023-08-10
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895