目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1000 CNY

100.0%
コーヒーを一杯おごる

漏洞赏金情报

数据来源:HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告,按严重程度、漏洞类型或目标项目筛选,关联 CVE 编号。

已披露报告
12,219
关联 CVE
1,854
参与项目数
342
近 7 天新增
14
严重度: All CriticalHighMediumLow
类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Private circle can be added to another circle via API despite visibility restriction
Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)
Low
2026-05-08
Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner
Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)
Low
2026-05-08
View-only guests could see deleted Collectives pages in the trashbin
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2026-05-08
Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption
PortSwigger Web Security
Low
2026-05-05
Potential Resource Leak in tool_parsecfg.c at line 279 during fileerror
curl Uncontrolled Resource Consumption (CWE-400)
Low
2026-05-05
CVE-2026-6276: stale custom cookie host causes cookie leak
curl Exposure of Data Element to Wrong Session (CWE-488)CVE-2026-6276
Low
2026-04-29
CVE-2026-4873: connection reuse ignores TLS requirement
curl Cleartext Transmission of Sensitive Information (CWE-319)CVE-2026-4873
Low
2026-04-29
CVE-2026-5773: wrong reuse of SMB connection
curl CVE-2026-5773
Low
2026-04-29
Bypass of Restricted Keyword "Mozilla" in Display Name Field via Unicode Homoglyphs on addons.allizom.org
Mozilla Improper Input Validation (CWE-20)
Low
2026-04-27
Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net
pixiv Improper Access Control - Generic (CWE-284)
Low
2026-04-27
Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs
Ruby on Rails
Low
2026-04-18
libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle
curl Information Exposure Through Sent Data (CWE-201)
Low
2026-04-17
Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure
Basecamp Improper Access Control - Generic (CWE-284)
Low
2026-04-14
Brave Shields Domain Reordering Leads to Origin Confusion
Brave Software Violation of Secure Design Principles (CWE-657)
Low
2026-04-13
User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon
Mozilla Improper Access Control - Generic (CWE-284)
Low
2026-04-10
Improper enforcement of CURLOPT_SOCKS5_AUTH due to missing reuse key validation in libcurl
curl Improper Authorization (CWE-285)
Low
2026-04-07
Cookie attribute TAB injection regression in Set-Cookie parsing
curl Improper Input Validation (CWE-20)CVE-2022-35252
Low
2026-04-03
Permission Model Bypass in realpathSync.native Allows File Existence Disclosure
Node.js Information Disclosure (CWE-200)CVE-2026-21715
Low
2026-03-30
CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown
Node.js Improper Access Control - Generic (CWE-284)CVE-2026-21716
Low
2026-03-30
Password Strength Policy Bypass via Server-Side Validation Flaw
Tucows (VDP) Business Logic Errors (CWE-840)
Low
2026-03-27
高频漏洞类型
最活跃项目
项目报告数最高赏金
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895