authentication-bypass

15 articles
0 9/10

A multi-stage vulnerability in GitHub's private pages authentication flow combining CRLF injection, null byte parsing bypass, and cookie prefix case-sensitivity to achieve XSS and cache poisoning on private organization pages. The attack exploited case-insensitive cookie handling to bypass __Host- prefix protections and nonce fixation to achieve unauthenticated arbitrary code execution.

GitHub HackerOne ginkoid $35,000 bounty github.io pages-auth.github.com
robertchen.cc · kh4sh3i/bug-bounty-writeups · 3 hours ago · details
0

A DevOps engineer discovered unauthenticated remote code execution as root on exposed Marathon instances by leveraging the task scheduling API to execute arbitrary commands. The vulnerability exploits the lack of authentication on Marathon's HTTP interface combined with the platform's ability to execute arbitrary bash commands through scheduled tasks.

@omespino Marathon Mesos DC/OS Mesosphere Shodan
omespino.com · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

Research demonstrating a complete RCE attack chain on DeskPro helpdesk software through multiple chained vulnerabilities: insufficient API access control (leaking JWT secrets and admin config), and insecure deserialization in the template editor. The exploit was demonstrated against Bitdefender's support center, achieving remote code execution from an unauthenticated user registration.

CVE-2020-11465 CVE-2020-11463 CVE-2020-11466 CVE-2020-11464 CVE-2020-11467 DeskPro Bitdefender osTicket Kayako PHP Live! Freelancer Inc Redforce Web Security
blog.redforce.io · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

A CORS misconfiguration on api.artsy.net allows attackers to exfiltrate authenticated user credentials and sensitive data (email, phone, authentication tokens, etc.) by hosting malicious JavaScript that exploits the overly permissive Access-Control-Allow-Credentials and Access-Control-Allow-Origin headers.

api.artsy.net MuhammadKhizerJaved GeekBoy HackerOne Bugcrowd Apple Google Facebook BlackHat MEA
blog.securitybreached.org · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

A Jenkins instance was found vulnerable to RCE due to improper access control, allowing unauthenticated users to gain admin access via GitHub OAuth and execute arbitrary Groovy scripts. The vulnerability was discovered during subdomain enumeration and responsibly disclosed to the organization's CTO.

Jenkins GitHub DoSomething.org MuhammadKhizerJaved nahamsec Matt HackerOne Bugcrowd
blog.securitybreached.org · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

A SQL injection vulnerability was discovered in the login endpoint of bootcamp.nutanix.com where unsanitized user input in the email and password JSON parameters allowed extraction of database version information via error-based SQLi techniques. The vulnerability was exploited using simple quote injection and extractvalue() functions to trigger MySQL errors revealing system details.

bootcamp.nutanix.com Nutanix Muhammad Khizer Javed Burp Suite SQLmap MySQL 8.0.11 Express.js HackerOne Bugcrowd
blog.securitybreached.org · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

A researcher discovered an SQL injection vulnerability in AutoTrader's webmail login (dealeremail.autotrader.co.uk) that allowed authentication bypass using the payload admin'–' in both username and password fields, gaining unauthorized access to the admin panel. The vulnerability was reported through the bug bounty program and was subsequently patched.

AutoTrader dealeremail.autotrader.co.uk MuhammadKhizerJaved
blog.securitybreached.org · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

SQL injection vulnerability discovered on tw.stock.yahoo.com in the getjson.php endpoint where double URL decoding bypass allowed unescaped single quotes in the 's' parameter, enabling attackers to execute arbitrary SQL queries with root database privileges. The vulnerability leveraged insufficient input validation combined with incomplete quote stripping after the first decode pass.

Yahoo tw.yahoo.com tw.stock.yahoo.com MySQL
buer.haus · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

A vulnerability in Instagram's account reactivation process allowed attackers to reactivate deactivated accounts using only credentials, bypassing two-factor authentication that should have been required. The issue was fixed by Instagram after being reported through their bug bounty program, resulting in a $500 bounty award.

Instagram Facebook Aman Shahid HackerOne
bugbountypoc.com · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

Step-by-step exploitation of multiple SQL injection vulnerabilities in Oculus' website, demonstrating blind SQL injection techniques with whitespace and comma filtering bypass to extract admin session credentials. The attacker chained five SQL injections together, using creative MySQL syntax (comment blocks, OFFSET instead of comma-based LIMIT) to gain administrator access without prepared statements.

Oculus Facebook Josip Franjković Jon Bitquark developer.oculusvr.com CompanyAction.php Burp sqlmap
josipfranjkovic.blogspot.com · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

A developer at Stripe relied on client-side HTML class disabling during account lockout/session timeout, allowing an attacker with a logged-in session to use browser inspect element to remove the disabled class and bypass authentication checks to invite themselves as an administrator. The vulnerability was fixed after responsible disclosure with a $500 bounty.

Stripe Jon
jonbottarini.com · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0
vulnerability

MySQL clients can be abused via the LOAD DATA LOCAL INFILE feature to exfiltrate arbitrary files from the client machine by setting up a fake MySQL server that bypasses authentication and sends malicious payloads. This exploitation technique works because MySQL clients trust server-sent commands after authentication, allowing attackers to read sensitive files like /etc/hosts from compromised systems.

MySQL PHP 7.0.32 MySQL 8.0.13 MySQL 5.7.24
vesiluoma.com · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0

A researcher discovered a local file inclusion (LFI) vulnerability on Google's production servers at springboard.google.com through directory enumeration and authorization bypass, escalating from an initial auth bypass to full LFI with admin privileges, ultimately earning a $13,337 bounty from Google's Vulnerability Reward Program.

Omar Espino omespino Google springboard.google.com cloudsearch.google.com Google VRP wfuzz domained masscan SecLists ESCAL8 Intigriti HackerOne CVE-2024-1234
omespino.com · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0
vulnerability

A CSRF vulnerability in Facebook's Instagram Business Tools allowed attackers to execute arbitrary GraphQL mutations by crafting malicious URLs that leveraged the victim's authenticated access token, enabling unauthorized actions like creating posts with malicious content. The vulnerability exploited improper parameter handling in the /business/:id endpoint where user-controlled IDs were sent to the Graph API without proper CSRF protections.

Facebook Instagram business.instagram.com graph.facebook.com BusinessToolsEntrypoint.instagram BusinessStore.instagram SyncAddMutations
philippeharewood.com · devanshbatham/Awesome-Bugbounty-Writeups · 3 hours ago · details
0 3/10

Two critical vulnerabilities in n8n workflow automation platform allow remote code execution via expression sandbox escape (CVE-2026-27577, CVSS 9.4) and unauthenticated credential exposure (CVE-2026-27493, CVSS 9.5). Both flaws have been patched.

CVE-2026-27577 CVE-2026-27493 n8n
thehackernews.com · The Hacker News · 1 day ago · details