0 8/10
Fei
vulnerability

A critical flash loan vulnerability in Fei Protocol's ETH/FEI Uniswap pool allocation mechanism allowed attackers to drain up to 60,000 ETH through price oracle manipulation combined with a bypass of the nonContract modifier using contract constructors. The bug was independently discovered by whitehat Alexander Schlindwein and Fei's security team, earning an $800,000 bounty.

Fei Protocol Alexander Schlindwein ArmorFi Joey Santoro Immunefi OpenZeppelin Uniswap V2 EthBondingCurve.sol EthUniswapPCVDeposit.sol GEKKO
medium.com · Bobface · 17 hours ago · details
0 8/10
vulnerability

Tokemak's liquidity controllers are vulnerable to token theft via pool ratio manipulation. An attacker with ADD_LIQUIDITY_ROLE can plant a malicious Uniswap/Sushi pair with an extreme token ratio, then trigger the deploy() function to cause the controller to deposit funds at that manipulated ratio, losing up to 100% of reserves through subsequent swaps exploiting the constant product formula.

Tokemak SushiswapControllerV2 UniswapController FOX ALCX Chainlink
trust-security.xyz · Trust · 17 hours ago · details
0 8/10
O3
vulnerability

O3 DeFi bridge aggregators are vulnerable to token theft through callproxy parameter impersonation in the exactInputSinglePToken function, allowing attackers to redirect victim-approved funds to attacker-controlled addresses. The vulnerability affects all O3 aggregators across supported chains but is mitigated if users set MAX approval rather than finite amounts.

O3 O3EthereumUniswapV3Aggregator Uniswap V3 Immunefi 0xDjango CVE (not provided) 0x561f712b4659be27efa68043541876a137da532b 0xC11073e2F3EC407a44b1Cff9D5962e6763F71187
trust-security.xyz · Trust · 17 hours ago · details
0 8/10
vulnerability

A critical bug in Fringe.fi's lending protocol allows borrowers to withdraw collateral without the accrued interest being updated, leaving the protocol in an undercollateralized state. The vulnerability occurs when withdrawing non-maximum amounts: the accrual field remains stale and is not counted against the borrower's health factor calculation, enabling attackers to drain the protocol's reserves.

Fringe.fi Frax Share USDC Compound V2 PIT (Primary Index Token)
trust-security.xyz · Trust · 17 hours ago · details
0 8/10

A Salesforce API access token was exposed to users' browsers during file uploads on IKEA.com's customer support forms, allowing attackers to access unrestricted customer data via the Salesforce REST API. The token lacked proper permission scoping and revealed 465 object types accessible, including customer account names and phone numbers.

IKEA.com Salesforce Jonathan Bouman Zerocopter Amass Burp Suite Param Miner CVE-like-equivalent-not-assigned
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

Unauthenticated RCE in Dell KACE K1000 via the /service/krashrpt.php endpoint exploiting inadequate input sanitization in older versions (6.3.113397) where basename() and escapeshellarg() protections were absent, allowing arbitrary command execution through unzip parameters and potential lateral movement to all managed endpoints.

Dell KACE K1000 K1-18652 Quest Software Inc Dropbox H1-3120 Julien Ahrens /service/krashrpt.php
rcesecurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A critical RCE vulnerability in Sucuri's server-side scanner was discovered where disabled SSL certificate verification (CURLOPT_SSL_VERIFYPEER=false) allowed a MiTM attacker to inject arbitrary PHP code execution on customer servers. The report also documents Sucuri's poor handling of the disclosure, including six months of silence, underpayment of the bounty, and dismissal of legitimate attack scenarios.

Sucuri HackerOne Julien Ahrens CURLOPT_SSL_VERIFYPEER NSA Google PCI DSS
rcesecurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10
vulnerability

GitHub Desktop on macOS allowed remote code execution via a crafted x-github-client:// URI with a malicious filepath parameter that bypassed repository directory restrictions and enabled execution of arbitrary application bundles. The vulnerability exploited Electron's shell.openExternal() function converting file paths to file:// URLs, allowing attackers to execute malicious OSX apps cloned from attacker-controlled repositories.

GitHub Desktop 0xacb HackerOne H1-702 GitHub Electron CVE (unreferenced but likely assigned) zhuowei
pwning.re · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

Two vulnerabilities in Magento e-commerce CMS exploitable by low-privilege admin accounts: (1) Remote Code Execution via path traversal in product design layout XML combined with phtml file upload through custom options, and (2) Local File Read through path traversal in email template CSS directive processing.

Magento Adobe Experience Cloud SCRT Team Magento 2.3.0 Magento 2.2.7 Magento 2.1.16
blog.scrt.ch · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A server-side template injection vulnerability in Handlebars template engine was discovered in the Shopify Return Magic app's email workflow feature, allowing remote code execution through prototype pollution and Object.prototype manipulation to bypass sandbox restrictions and execute arbitrary Node.js code.

Handlebars Shopify Return Magic HackerOne H1-514 Synack TrendMicro Matias
mahmoudsec.blogspot.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10
bug-bounty

A bug bounty hunter discovered unauthenticated Remote Code Execution via an HTTP PUT method on a staging web service running on a non-standard port, enabling file upload of a PHP web shell. The RCE was leveraged to gain a reverse shell, traverse the internal network using discovered zone transfer files, and achieve lateral movement to other systems using weak credentials embedded in system files.

nmap netcat ncat OPTIONS PUT phpinfo
blog.zsec.uk · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A researcher discovered a sandbox escape vulnerability in HackerEarth's Theia IDE by leveraging the 'Task: Run selected text' command to gain terminal access, subsequently achieving RCE and exfiltration of AWS credentials and SSL certificates from the underlying ECS container through metadata service exploitation.

HackerEarth Theia IDE VS Code Jatin Dhankhar Puma Scan AWS
jatindhankhar.in · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A creative blind SQL injection technique exploiting the LIMIT clause in PostgreSQL by converting extracted characters to ASCII values, which then control the number of returned database records—the count is then observed in the DOM and converted back to characters for data exfiltration.

PostgreSQL PHP Burp Intruder securityidiots
noob.ninja · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A researcher discovered a critical code injection vulnerability in a custom JavaScript-based macro language (Banan++) through an unsafe eval() call in the Union() function, which allowed execution of arbitrary JavaScript on the server. By injecting fetch() calls through an API parameter, they exploited this to extract AWS credentials and achieve complete account compromise (20 S3 buckets and 80 EC2 instances).

ArticMonkey Banan++ Gwendal Le Coguic Hackerone AWS ReactJS NodeJS
10degres.net · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A detailed technical writeup demonstrating how to abuse MySQL's LOAD DATA LOCAL INFILE feature by setting up a fake MySQL server that tricks clients into reading arbitrary files from their local machine. The author provides packet-level analysis, a working Python proof-of-concept exploit, and network traffic documentation showing the authentication bypass and file exfiltration mechanism.

MySQL 5.6.28 MySQL 5.7.24 MySQL 8.0.13 PHP 7.0.32 Ubuntu 14.04 Wireshark
vesiluoma.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

Technical writeup on exploiting SQL injection in INSERT/UPDATE queries when commas are forbidden by application logic, using CASE WHEN statements with LIKE operators and CAST functions to perform time-based blind SQL injection without comma delimiters. Includes working payload and automated Python exploit script.

Ahmed Sultan Redforce Web Security Detectify
blog.redforce.io · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A combination of login CSRF and HTTP Referer header-based open redirect in Airbnb's OAuth flow allowed attackers to steal OAuth access tokens from identity providers (Facebook/Google) and achieve authentication bypass on both web and mobile applications. The attack exploited the fact that Airbnb's /oauth_callback endpoint used the unvalidated HTTP Referer header for post-login redirection, combined with the ability to request access tokens via URL fragments instead of parameters.

Airbnb Arne Swinnen Facebook Google Slack Frans Rosén
arneswinnen.net · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A multi-stage RCE vulnerability chain in DeskPro helpdesk software exploits insufficient access control on API endpoints to leak JWT secrets and enable admin authentication, followed by insecure deserialization in template editing to achieve remote code execution. The attack chain was demonstrated against Bitdefender's support portal.

CVE-2020-11465 CVE-2020-11463 CVE-2020-11466 CVE-2020-11464 CVE-2020-11467 DeskPro Bitdefender Redforce Web Security JWT TWIG
blog.redforce.io · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

Detailed walkthrough of exploiting blind SQL injection in Oculus' developer portal by bypassing multiple filters (no whitespace, no commas) using comment syntax and MySQL alternative function syntax, ultimately extracting admin session tokens and gaining administrative access.

Oculus Facebook Josip Franjković Jon (Bitquark) developer.oculusvr.com CompanyAction.php PHPSESSID MySQL
josipfranjkovic.blogspot.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

Uber's SSO system was vulnerable to authentication bypass through a combination of subdomain takeover (dangling CloudFront CNAME on saostatic.uber.com) and session cookie theft via shared cookies across *.uber.com subdomains. An attacker could relay CSRF tokens and steal the _csid session cookie from authenticated users, then impersonate them across all Uber subdomains by injecting the stolen cookie into their own login flow.

Uber Amazon CloudFront saostatic.uber.com auth.uber.com Arne Swinnen Frans Rosén Jack Whitton
arneswinnen.net · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A comprehensive writeup on discovering and exploiting a blind SQL injection vulnerability in Google BigQuery while bypassing Akamai's Kona WAF. The attacker used division-by-zero error-based techniques with STRPOS and LENGTH functions to extract database values without triggering WAF blocks on restricted keywords like UNION and SLEEP.

Akamai Kona WAF Google BigQuery HackerOne Duc Nguyen 0x1337.space
hackemall.live · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

Comprehensive technical writeup documenting multiple race condition vulnerabilities discovered across major platforms (Facebook, Cobalt, Keybase, Mega, DigitalOcean) with detailed exploitation steps showing how concurrent requests can bypass security controls like email confirmation, coupon redemption limits, and invitation systems. Author provides methodology for identifying and exploiting race conditions in web applications with real-world examples and tool references.

Josip Franjković Cobalt.io Facebook Mega.nz DigitalOcean Keybase Starbucks Medium LastPass HackerOne LetsEncrypt w3af Defuse Security BlueHat
josipfranjkovic.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A researcher discovered an SSRF vulnerability in Vimeo's API Playground by chaining path traversal in user-controlled URL variables with an open redirect to escape the api.vimeo.com domain, ultimately leveraging the Google Cloud metadata API to extract service account tokens with compute, logging, and storage scopes.

Vimeo Harsh Jaiswal Google Cloud André Baptista Brett (bbuerhaus) HackerOne Google Compute API Kubernetes
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10
vulnerability

A complete SSRF-to-RCE exploit chain on AWS Elastic Beanstalk that leverages the EC2 metadata service to extract IAM credentials, then uses those credentials to upload a PHP web shell to an accessible S3 bucket for remote code execution. The attack demonstrates how weak IAM policies can enable escalation from SSRF to full system compromise.

Youssef A. Mohamed GeneralEG CESPPA Squnity Synack AWS Elastic Beanstalk AWS Systems Manager AWS CLI 169.254.169.254 aws-elasticbeanstalk-ec2-role AWSElasticBeanstalkWebTier
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A logic flaw in 2FA implementation across multiple platforms (Google, Microsoft, Instagram, Cloudflare) allows an attacker to maintain persistence after password recovery by exploiting session renewal in the 2FA page and leveraging the fact that disabled 2FA codes still validate, enabling account takeover without knowing the current password.

Google Microsoft Instagram Facebook Cloudflare Algolia GitHub LinkedIn Luke Berner HackerOne Bugcrowd
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A detailed walkthrough of discovering a critical SQL injection vulnerability (CVE-2019-17602) in Zoho OpManager through white-box analysis by decompiling JAR files, analyzing web.xml servlet mappings, and tracing control flow to identify unsafe dynamic SQL query construction in the getAllMOs method. The vulnerability allows authenticated remote code execution via stacked queries and PostgreSQL UDF commands.

CVE-2019-17602 Zoho OpManager ManageEngine OpManager OPMDeviceDetailsServlet frycos PostgreSQL
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A detailed walkthrough of exploiting a blind SQL injection vulnerability in a JSON-RPC API by leveraging an IN() clause to infer boolean results through asset count variations, and bypassing WAF filters using Unicode escape sequences to extract database information.

TomNomNom MySQL
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A researcher discovered an SSRF vulnerability in Vimeo's file upload function by exploiting partial content transfer using HTTP Range headers. By manipulating redirect responses during the chunked file download process, they were able to retrieve sensitive Google Cloud metadata and API tokens.

Vimeo Sayed Abdelhafiz HackerOne Google Drive Google Cloud metadata.google.internal
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10

A remote image upload feature allowing RCE through injecting PHP payloads into GIF images with Netscape Looping Application Extensions, which survive PHP-GD image recreation due to preserved null byte blocks. The attack bypasses file extension validation by renaming uploaded images to .php and exploiting image processing that fails to sanitize injected code in GIF metadata.

PHP-GD dlegs/php-jpeg-injector fakhrizulkifli/Defeating-PHP-GD-imagecreatefromjpeg ABOUL3LA asdqwe3 Imagemagick
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details
0 8/10
vulnerability

Researcher discovered a critical DoS vulnerability in GitHub Actions by exploiting git commit hash collisions—abbreviated 7-character shorthashes can be maliciously collided with, causing tarball resolution failures that break all builds using that action. The researcher accidentally triggered a global outage while demonstrating the attack.

GitHub Actions Teddy Katz actions/docker 76ff57a 76ff57a6c3d817840574a98950b0c7bc4e8a13a8 76ff57aa21370794040cd0caafd84d8a7aa0927c
blog.teddykatz.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · details