HackerOne Report Search
Explore 10,000+ publicly disclosed vulnerability reports from HackerOne
| ID | Title | Severity | Disclosed |
|---|---|---|---|
| 3824303 | UAF read in mev_pollset_diff() trace path after curl_easy_pause() in socket callback | Low | 2026-06-28 15:22:06 |
| 3823985 | Use-after-free in `mev_forget_socket` when `curl_easy_pause()` is called from a `CURL_POLL_REMOVE` socket callback (incomplete fix of CVE-2026-9080) | Low | 2026-06-28 06:33:17 |
| 3826199 | mbedTLS / wolfSSL / rustls backends silently skip hostname verification when CURLOPT_SSL_VERIFYPEER=0 | Medium | 2026-06-26 14:34:52 |
| 3823932 | CURLOPT_HAPROXY_CLIENT_IP lacks input validation, enabling HAProxy PROXY protocol injection | Medium | 2026-06-26 14:34:39 |
| 3781492 | PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting | High | 2026-06-25 13:43:50 |
| 3783738 | XML-RPC login leak exposes valid session ID enabling unauthorized API access | Medium | 2026-06-25 13:43:14 |
| 3780806 | Reflected XSS via unsanitised refresh parameter in zone invocation tag | Medium | 2026-06-25 13:41:12 |
| 3780854 | PHP code injection in delivery-limitation `logical` validation bypass | High | 2026-06-25 13:40:57 |
| 3781311 | Stored XSS in maintenance tools via unescaped entity names | Medium | 2026-06-25 13:40:45 |
| 3781691 | CSRF in zone-include.php allows unauthorized banner and campaign linking | Medium | 2026-06-25 13:40:31 |