Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: curl
CURLOPT_UNRESTRICTED_AUTH Dangerous Default Documentation Gap
curl Information Disclosure (CWE-200)
Low
2026-03-10
LM Challenge-Response Hash Always Sent in SMB Authentication
curl Reversible One-Way Hash (CWE-328)
Medium
2026-03-09
In curl's SASL OAUTHBEARER authentication, including the SOH character (0x01) in the username corrupts the message structure.
curl Improper Neutralization of Value Delimiters (CWE-142)
Medium
2026-03-08
SSTI leads to Command injection
curl Command Injection - Generic (CWE-77)
None
2026-03-04
Use after free in hyperfifo example
curl Use After Free (CWE-416)
None
2026-03-03
Integer Overflow in curl_multi_get_handles() Leading to Heap Buffer Overflow
curl Classic Buffer Overflow (CWE-120)
Medium
2026-02-26
RTSP RTP Interleaved Parser Assertion Failure (Zero-Length RTP Payload)
curl Improper Check or Handling of Exceptional Conditions (CWE-703)
None
2026-02-26
Able to bypass HSTS using trailing dot
curl Missing Required Cryptographic Step (CWE-325)
Medium
2026-02-26
Curl Telnet Handler Buffer Overflow
curl Buffer Underflow (CWE-124)
None
2026-02-26
MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length
curl
Low
2026-02-05
wcurl Argument Injection via Unquoted Variable
curl Command Injection - Generic (CWE-77)
Medium
2026-01-26
Integer Underflow in src/var.c
curl Integer Underflow (CWE-191)
Medium
2026-01-26
Cross‑origin cookies leak and injection risk when using a custom Host header
curl Insufficiently Protected Credentials (CWE-522)
Unknown
2026-01-20
SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends
curl Missing Required Cryptographic Step (CWE-325)
Medium
2026-01-20
Cookie Replacement Use-After-Free Vulnerability
curl Use After Free (CWE-416)
None
2026-01-19
Cookie Max-Age Integer Overflow Vulnerability
curl Integer Overflow (CWE-190)
Critical
2026-01-19
libcurl: Improper Authentication State Management on Cross-Protocol Redirects
curl Insufficiently Protected Credentials (CWE-522)CVE-2025-14524CVE-2022-27774
Low
2026-01-17
IMAP Protocol Desynchronization and Response Smuggling via Naive Literal Parsing
curl Improper Input Validation (CWE-20)
Low
2026-01-14
Integer-underflow leads to heap over-read in TFTP implementation
curl Buffer Over-read (CWE-126)
Low
2026-01-14
Digest Authentication Header Injection
curl HTTP Response Splitting (CWE-113)
Low
2026-01-14
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895