Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: nextcloud
Self XSS when sending HTML as a comment in the Deck app
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2024-22213
None
2024-01-18
Contacts only sanitizes PHOTO svg if mime type is all lower case
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2023-33182
None
2023-06-24
XSS in Desktop Client in the notifications
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-39331
Low
2022-11-25
HTML Injection on "polls" app - comments section (possibly XSS)
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
Low
2021-03-31
xss on setup config page
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
Low
2021-02-14
XSS in desktop client via invalid server address on login form
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2020-8189
Medium
2020-08-17
Cross site scripting - XSRF Token
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2020-06-14
XSS in PDF Viewer
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2020-8155CVE-2018-5158
Low
2020-05-23
Self xss
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
Low
2020-04-05
DOMPurify 0.8.9 released
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
Low
2020-03-01
HTML injection with AutoComplete suggestions
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2018-3781CVE-2018-3780
None
2018-08-10
DOM XSS vulnerability in search dialogue (NC-SA-2017-007)
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2017-0890
Low
2017-06-07
Stored XSS in Gallery application (NC-SA-2017-010)
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2017-0893
Low
2017-06-06
Reflected XSS in U2F plugin by shipping the example endpoints
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
High
2017-03-22
xss for admin of https://newsletter.nextcloud.com
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2017-02-17
WordPress <= 4.6.1 Stored XSS Via Theme File
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2017-01-13
Bad content-type in response header when getting document can lead to html injection
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2017-01-12
Stored XSS on new Calling plugin (spreed)
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
High
2016-12-13
Reflected XSS in Gallery App
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2016-9466
Medium
2016-12-03
\OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2016-9465
Medium
2016-12-03
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895