| Shopify | mruby-engine: UAF in MRubyEngine#initialize enables local RCE | hackerone.com/reports/3679660 | 3 | $0.0 | |
| Node.js | Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS | hackerone.com/reports/3556769 | 18 | $0.0 | |
| Rocket.Chat | RBAC bypass on App log endpoints via `permissionRequired` typo — any authenticated user reads admin-only Enterprise App logs | hackerone.com/reports/3589551 | 21 | $0.0 | Improper Access Control - Generic |
| Rocket.Chat | Complete authentication bypass to admin permissions | hackerone.com/reports/3564655 | 46 | $0.0 | SQL Injection |
| Nextcloud | SVG filter primitives bypass remote image blocking, enabling email tracking without consent. | hackerone.com/reports/3486747 | 42 | $0.0 | Privacy Violation |
| Nextcloud | position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays. | hackerone.com/reports/3590586 | 37 | $0.0 | Resource Injection |
| Nextcloud | Unquoted body background attribute enables CSS injection that bypasses remote image blocking | hackerone.com/reports/3590583 | 29 | $0.0 | Resource Injection |
| Nextcloud | SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent | hackerone.com/reports/3590576 | 23 | $0.0 | Remote File Inclusion |
| curl | libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms | hackerone.com/reports/3680680 | 25 | $0.0 | Information Disclosure |
| curl | Digest Auth State Leak on Cross-Origin Redirect via Netrc - Username and Password Hash Sent to Wrong Host | hackerone.com/reports/3680038 | 12 | $0.0 | Insufficiently Protected Credentials |
| Nextcloud | Stored XSS in attachment-display exploitable through SameSite | hackerone.com/reports/3594137 | 32 | $0.0 | Cross-site Scripting (XSS) - Stored |
| curl | libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay | hackerone.com/reports/3680234 | 12 | $0.0 | Exposure of Data Element to Wrong Session |
| Ruby on Rails | Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs | hackerone.com/reports/3601655 | 20 | $0.0 | |
| curl | libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle | hackerone.com/reports/3673277 | 21 | $0.0 | Information Exposure Through Sent Data |
| HackerOne | Residual Malicious Payloads on HackerOne after Vulnerability Fixes | hackerone.com/reports/3168691 | 56 | $0.0 | Improper Input Validation |