hackerone.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
| Date Added | Topic | Resource | Excerpt |
|---|---|---|---|
| 2026-04-22 | AI | HackerOne: LLM01: Invisible Prompt Injection | Program: HackerOne. Severity: medium. Weakness: LLM01: Prompt Injection. Description: Hey team, Hai is vulnerable to invisible prompt injection via Unicode tag characters. Reproduction steps: 1. ... |
| 2026-04-22 | CSRF | Internet Bug Bounty: Argo CD CSRF leads to Kubernetes cluster compromise | Program: Internet Bug Bounty. Severity: high. Weakness: Cross-Site Request Forgery (CSRF). GHSA: https://github.com/argoproj/argo-cd/security/advisories/GHSA-92mw-q256-5vwg. It's been publicly known for... |
| 2026-04-19 | IDOR | Bykea: IDOR on In-App Hardcoded Zombie — HackerOne | Bykea: IDOR on In-App Hardcoded Zombie — HackerOne |
| 2026-04-19 | IDOR | IDOR Vulnerability — HackerOne Report 2633771 | IDOR Vulnerability — HackerOne Report 2633771 |
| 2026-04-17 | JWT | HackerOne #1210502: Jitsi Authentication Bypass (JWT) | HackerOne #1210502: Jitsi Authentication Bypass (JWT) |
| 2026-04-17 | JWT | HackerOne #2472798: Newspack Extended Access JWT bypass | HackerOne #2472798: Newspack Extended Access JWT bypass |
| 2026-04-17 | IDOR | How an IDOR Vulnerability Led to User Profile Modification (HackerOne) | Writeup detailing an Insecure Direct Object Reference (IDOR) vulnerability found on mtnmobad.mtnbusiness.com.ng, which allowed remote users to modify account information including phone numbers. The vulnerability arose from improper validation of account identifiers and exposed user data in HTTP requests and responses. The report highlights how easily guessable parameters, such as short numeric IDs and email addresses, can be abused with automated tools for unauthorized access and account takeover, emphasizing the need for robust access controls and cryptographically strong identifiers. |
| 2026-04-17 | GraphQL | HackerOne Report #435066: SQL injection in GraphQL endpoint | HackerOne Report #435066: SQL injection in GraphQL endpoint |
| 2026-04-17 | AuthN | HackerOne Report #812064: SAML authentication bypass (Rocket.Chat) | HackerOne Report #812064: SAML authentication bypass (Rocket.Chat) |
| 2026-04-17 | AuthN | HackerOne Report #209008: Authentication Bypass - Automattic | HackerOne Report #209008: Authentication Bypass - Automattic |
| 2026-04-17 | SSTI | HackerOne Report #423541: H1514 Server Side Template Injection | HackerOne Report #423541: H1514 Server Side Template Injection |
| 2026-04-11 | SSTI | HackerOne #164224: SSTI | HackerOne #164224: SSTI |
| 2026-04-11 | JWT | HackerOne: Trint insecure client-side JWT generation | HackerOne: Trint insecure client-side JWT generation |
| 2026-04-11 | JWT | HackerOne: Linktree account takeover via improper JWT validation | HackerOne: Linktree account takeover via improper JWT validation |
| 2026-04-11 | JWT | HackerOne: Critical vulnerability in JWE Specification | HackerOne: Critical vulnerability in JWE Specification |
| 2026-04-11 | JWT | HackerOne: Argo CD JWT audience claim not verified | HackerOne: Argo CD JWT audience claim not verified |
| 2026-04-11 | AuthN | Remitly: 0-Click Account Takeover (HackerOne) | Remitly: 0-Click Account Takeover (HackerOne) |
| 2026-04-10 | AuthN | Semrush OAuth redirect_uri bypass via IDN homograph — HackerOne #861940 | Semrush OAuth redirect_uri bypass via IDN homograph — HackerOne #861940 |
| 2026-04-10 | AuthN | Slack OAuth2 redirect_uri bypass — HackerOne #2575 | Slack OAuth2 redirect_uri bypass — HackerOne #2575 |
| 2026-04-10 | SSRF | HackerOne: SSRF in Exchange Leads to ROOT (Shopify) | HackerOne: SSRF in Exchange Leads to ROOT (Shopify) |
| 2026-04-10 | SSRF | HackerOne: SSRF Mitigation Bypass Using DNS Rebind Attack | HackerOne: SSRF Mitigation Bypass Using DNS Rebind Attack |
| 2026-04-10 | SSRF | HackerOne: SSRF in Search.gov via URL Parameter | HackerOne: SSRF in Search.gov via URL Parameter |
| 2026-04-10 | SSRF | HackerOne: SSRF via Analytics Reports | HackerOne: SSRF via Analytics Reports |
| 2026-04-10 | IDOR | HackerOne Report: IDOR Allows Viewing | HackerOne Report: IDOR Allows Viewing |
| 2026-04-10 | XXE | XXE Complete Guide: Impact, Examples, and Prevention | Reference detailing XML External Entity (XXE) vulnerabilities, their impact (denial of service, data exposure, and server-side request forgery), and mitigation strategies such as Web Application Firewalls (WAFs) and application server instrumentation. It provides examples of resource exhaustion, data extraction using `file://` URIs, SSRF against internal systems, and blind XXE for out-of-band data exfiltration. |
| 2026-04-10 | GraphQL | How a GraphQL Bug Resulted in Authentication Bypass | Library entry detailing an authentication bypass vulnerability in an e-commerce application's GraphQL API. The article explores how attackers can abuse GraphQL introspection and mutations, such as `Register` and `CreateAdminUser`, to gain unauthorized administrative access. It highlights the importance of proper access control for GraphQL endpoints and discusses techniques for discovering these flaws, including schema introspection and authorization checks, as explained by researcher J. Francisco Bolivar. |
| 2026-04-10 | XSS | How to Find XSS Vulnerabilities: Practical Security Guide | Library entry detailing Cross-Site Scripting (XSS) vulnerabilities, covering reflected, stored, and DOM-based types. It provides practical techniques for manual and automated discovery, recommending tools like Dalfox, XSStrike, and xsshunter, alongside payload resources such as PayloadsAllTheThings and HackTricks. Specific examples include blind XSS in admin dashboards and stored XSS in GitLab wikis, emphasizing the use of polyglots and callback platforms for effective exploitation. |
| 2026-04-06 | Bug Bounty | HackerOne Hacktivity | HackerOne Hacktivity |
| 2026-04-03 | XSS | How a Cross-Site Scripting Vulnerability Led to Account Takeover \| HackerOne | Writeup detailing how a reflected XSS vulnerability on yelp.com, stemming from unescaped cookie values and a cookie parsing issue, enabled account takeovers. The vulnerability allowed persistent XSS payloads, simulated credential theft via a keylogger, and linking of external accounts. Remediation involved validating and sanitizing user input and removing the ability to set cookies via query parameters. |
| 2026-04-03 | AuthZ | How To Find Broken Access Control Vulnerabilities in the Wild \| HackerOne | Guide to finding Broken Access Control (BAC) vulnerabilities, explaining concepts like Insecure Direct Object Reference (IDOR) and covering identifier types such as numeric, user-chosen, natural keys, composite keys, UUIDs, and hashes. It details the permissions mapping technique for identifying BAC flaws by creating lists of user roles and application actions, and highlights the prevalence of BAC bugs as the #1 vulnerability category in the OWASP Top 10. |
| 2025-08-14 | SSRF | SSRF in https://couriers.indrive.com/api/file-storage | Program: inDrive. Severity: high. Weakness: Server-Side Request Forgery (SSRF). Summary: SSRF in `url` parameter in https://couriers.indrive.com/api/file-storage. Steps To Reproduce: I will tr... |
| 2025-08-14 | SSRF | Full Read SSRF on Gitlab's Internal Grafana | Program: GitLab. Severity: critical. Weakness: Server-Side Request Forgery (SSRF). Apparently, Grafana is bundled with Gitlab by default. So the grafana instance that is accessible via `/-/grafana/` is v... |
| 2023-02-14 | SSRF | How To: Server-Side Request Forgery (SSRF) | Guide to Server-Side Request Forgery (SSRF) vulnerabilities, detailing how attackers can control server-initiated requests. The entry explains the impact of SSRF, testing methodologies using tools like netcat, and techniques to bypass common mitigations such as IP blacklisting and whitelisting, including exploiting HTTP redirects and DNS records. It highlights common attack vectors like webhooks and PDF generators. |