| Title | Category | Author | Bounty | Date |
|---|---|---|---|---|
| A Critical Bug Let Me Become an Admin on an External Bug Bounty Program | Privilege Escalation | Ln0rag | - | Sep. 23, 2025 |
| Bypass Password Confirmation on Change Email | Security Misconfiguration | Karim Hikal | - | Sep. 30, 2025 |
| How reading documentation led to a €1500 bounty | Privilege Escalation | 0xBruno | €1500 | Oct. 03, 2025 |
| How I Earned $3,300 in Bug Bounties Using ASN Reconnaissance | Security Misconfiguration | Ahmadzuriqi | $3300 | Sep. 22, 2025 |
| Stealing JWT Tokens via OAuth redirect_uri Manipulation: A Critical Vulnerability | OAuth | Shah kaif | - | Oct. 03, 2025 |
| Escalating an HTML Injection into 1-Click Account Takeover | Account Takeover | Marx Chryz Del Mundo | - | Sep. 27, 2025 |
| Authentication bypass via sequential user IDs in Microsoft SSO integration \| Critical Vulnerability | Security Misconfiguration | Irsyad Muhammad Fawwaz | - | Sep. 29, 2025 |
| Privilege Escalation via IDOR Allows Unauthorized User Injection | Privilege Escalation | Omer Mohsen | - | Sep. 29, 2025 |
| Mobile Hacking — How I Cracked a Banking App’s PIN in 10 Seconds ($5000 Bug) | 2FA Bypass | Aman Sharma | $5000 | Aug. 11, 2025 |
| How I got RCE on redbull from recon (CVE-2025-30406) | RCE | ABDELKARIM MOUCHQUELITA | - | Jul. 31, 2025 |
| [$2,500 Bug Bounty Write-Up] Remote Code Execution (RCE) via unclaimed Node package | RCE | Fuleki Ioan | $2500 | Sep. 18, 2024 |
| Story of $$$$ Bounty: 80k+ Users’ Data Exposed via Signup Flaw | INFO Disclosure | V3D | - | Oct. 04, 2025 |
| How a Password Change Feature Led to Full Account Takeover (CVSS 8.3) | IDOR | Onurcan Genç | - | Oct. 05, 2025 |
| 🛠️ Bug Bounty Methodology: From Recon to Exploitation in 12 Tactical Steps | Security Misconfiguration | Naresh Singh | - | Oct. 05, 2025 |
| Bug Bounty: Bypass — Forgot Password Verification | 2FA Bypass | Defidev | - | Sep. 16, 2025 |
| One Number, One Change: How I Took Over an Account Using Local Storage | Account Takeover | eSecForte Technologies | - | Sep. 17, 2025 |
| Cross-Tenant Access Exploit in Microsoft Entra ID: Breaking Governance with a simple trick | CVE | Bashir Mohamed (BlackPanther87) | $20000 | Sep. 17, 2025 |
| Easiest Account Lockout Bypass 🔓 | Security Misconfiguration | Manav | - | Sep. 17, 2025 |
| 🕳️ The Broken Link Jackpot: How a 404 Can Become a Security Goldmine! | Security Misconfiguration | NadSec | - | Sep. 17, 2025 |
| Web Cache Poisoning to Exploit a DOM Vulnerability via a Cache With Strict Cacheability Criteria | Cache Poisoning | Bash Overflow | - | Sep. 17, 2025 |
| Cross-Tenant Payment Method Manipulation via IDOR | Payment Bypass | 0xBruno | €1000 | Sep. 18, 2025 |
| CVE-2025-55911 — ClipBucket 5.5.2 Build #90 — SSRF via upload/actions/file_downloader.php | CVE | Mukundsinh Solanki | - | Sep. 18, 2025 |
| CVE-2025-55912 — ClipBucket ≤ 5.5.0 — Unauthenticated Arbitrary File Upload → RCE | CVE | Mukundsinh Solanki | - | Sep. 18, 2025 |
| Who Needs Admin Rights When You’ve Got Bugs? | Privilege Escalation | #$ubh@nk@r | - | Sep. 19, 2025 |
| 💥 $5,000 for this RCE on Netflix: PHP upload disguised as GIF | RCE | Gorka | $5000 | Sep. 19, 2025 |
| Stored HTML Injection in Emails | Security Misconfiguration | Sarv3shxploit | - | Sep. 19, 2025 |
| Advanced OAuth Secrets Lead To Account Takeover (ATO) 🔥 | Account Takeover | Mado | - | Sep. 19, 2025 |
| CVE-2025-57644 — Remote Code Execution & SSRF in Accela | RCE | Anvar | - | Sep. 19, 2025 |
| From Query Param to Cookie Poisoning: How WAFs Fail at Security | WAF Bypass | Sarthak Saxena | - | Sep. 19, 2025 |
| How I Uncovered an IDOR That Exposed Other Employees’ Personal Data | IDOR | Hari Kishore | - | Sep. 20, 2025 |
| 7 AI + LLM Project Ideas Every Security Professional Should Try in 2025 | LLM | Paritosh | - | Sep. 20, 2025 |
| Hacking APIs Series (12/36) — OAuth Vulnerabilities: Common Exploits and How to Prevent Them | Security Misconfiguration | Vishal Sharma | N/A | Sep. 21, 2025 |
| Stored XSS in Email Notifications on Insightly CRM | XSS | Regan Temudo | N/A | Sep. 20, 2025 |
| Accessing Employee GitHub SSH Key | INFO Disclosure | SIDDHANT SHUKLA | N/A | Aug. 24, 2025 |
| elections.k8s.io uses weak session secret key, may place elections at risk | Security Misconfiguration | ian | $250 | Sep. 19, 2025 |
| Stored XSS in Email Notification | XSS | khaledx | N/A | Sep. 19, 2025 |
| CVE-2023-29489 in Much Marcle Parish Council GOV.UK Website: A Cross-Site Scripting Vulnerability | CVE | Hassan Ali Arshad | N/A | Sep. 20, 2025 |
| Sensitive Information Disclosure Vulnerability (git exposure) on the Mabes TNI Website | INFO Disclosure | alfarisyx | N/A | Sep. 21, 2025 |
| Logical 2FA / Email Verification Bypass via Pre-2FA JWT Acceptance | 2FA Bypass | Mahmoud Gamal | N/A | Sep. 21, 2025 |
| A Critical Zero-Day in Atlassian Jira Service Management Cloud: Password Reset Account Takeover | CVE | Mo Salah | $10000 | Sep. 01, 2025 |