A returndata bomb vulnerability in RAI's LiquidationEngine allows an attacker to deploy a malicious whitelisted savior contract that reverts with massive data, exhausting gas during the catch clause and rendering positions unliquidatable—causing protocol bad debt. The researcher disputes Immunefi's downgrade from Medium to None severity, arguing governance whitelisting cannot detect this emergent EVM interaction vulnerability.
Portfolio page showcasing multiple critical smart contract vulnerabilities disclosed across DeFi protocols, including UUPS proxy initialization flaws, access control bypasses, and token theft vectors. While listing numerous bug bounty successes (>$6.5M rescued), it provides minimal technical depth and primarily serves as a credentials summary.
A portfolio page showcasing multiple critical smart contract vulnerability disclosures across DeFi protocols (88mph, Polygon, KeeperDAO, Alchemix, Ondo Finance) and bug bounty wins totaling over $6.5M in rescued funds, with brief technical descriptions of UUPS proxy exploits, access control flaws, and token theft vulnerabilities.
Portfolio page showcasing multiple critical smart contract vulnerabilities disclosed across DeFi/NFT protocols, including access control flaws, uninitialized UUPS proxies enabling arbitrary delegatecalls, and broken token transfer functions. Author details bounty payouts and rescued funds across 88mph, Polygon, KeeperDAO, and other projects, with limited technical depth on each vulnerability.
A critical rounding convention bug in Vesu's Singleton liquidation contract allowed attackers to steal user funds through malicious pool extension contracts, flashloans, and improper handling of the receive_as_shares flag. The vulnerability was discovered via Immunefi bug bounty, remediated by removing the affected liquidation logic and whitelisting pool extensions within 5 days.
Security researcher Merkle Bonsai documents a hybrid NFT vulnerability in Ocean Protocol where on-chain Data Description Objects (DDOs) can be modified to enable attacks, exploiting the protocol's reliance on modifiable on-chain data structures. The article discusses how these hybrid attacks work and references previous analysis of Ocean Protocol's design vulnerabilities.
Security research analyzing a hybrid NFT vulnerability in Ocean Protocol where on-chain Data Description Objects (DDOs) stored on blockchain can be modified to enable attacks. The article discusses design flaws and issues discovered in Ocean Protocol's implementation, with bug bounty disclosures via Immunefi.
A high-severity vulnerability was discovered in the Across V3 cross-chain bridge that allows malicious relayers to steal the full value of certain transactions from users by exploiting the optimistic relay mechanism before UMA's Optimistic Oracle validation.
A High Severity vulnerability was discovered in Across V3, a cross-chain optimistic bridge, that could allow malicious relayers to steal the full value of certain transactions from users by exploiting the relayer fulfillment mechanism prior to UMA Optimistic Oracle validation.
Trust Security discovered a class of DoS vulnerabilities affecting 100+ projects that abuse the frontrunnable nature of the EIP-2612 Permit function when composed with other contract logic. The vulnerability allows attackers to force transaction reverts by front-running permit() calls, causing griefing attacks that block normal function execution, with $50k in bounties awarded across 15 projects.
An article discussing best practices and common pitfalls in running bug bounty programs, using Balancer's Merkle Orchard as a case study to critique inadequate bounty management including poor communication, payment delays, and misrepresentation of bounty amounts.
Assetnote discovered and demonstrated a zero-day remote code execution vulnerability affecting Mozilla's AWS network infrastructure. The article appears to be a landing page for Assetnote's security research capabilities rather than detailed technical analysis.
Two vulnerabilities discovered in Magento allowing remote code execution and local file read with low-privilege admin accounts: the first exploits path traversal in product design layout XML to execute arbitrary PHP code via custom product option file uploads, and the second leverages path traversal in email template CSS directives to read arbitrary files.
A researcher discovered an RCE vulnerability on ASUS's RMA portal by bypassing front-end file upload restrictions and uploading an ASP webshell to the predictable /uploads directory on Microsoft-IIS 8.5. The vulnerability was disclosed responsibly and eventually patched, though ASUS's response was slow and the researcher reported poor communication from the vendor.
An unauthenticated remote code execution vulnerability in Dell KACE K1000 Systems Management Appliance (version 6.3.113397 and earlier) exists in the /service/krashrpt.php endpoint, which fails to properly sanitize the kuid and name parameters before passing them to shell commands, allowing arbitrary code execution on the appliance and potentially all managed client endpoints. The vulnerability was silently patched by Dell in version 6.4 SP3 (6.4.120822) under bug ID K1-18652.
A researcher discovered a critical RCE vulnerability in Sucuri's server-side scanner caused by explicitly disabled SSL certificate verification (CURLOPT_SSL_VERIFYPEER=false), allowing MitM attackers to inject arbitrary PHP code. The disclosure reveals how Sucuri mishandled the bug bounty report, downplaying the severity despite the researcher proposing multiple remediation options.
A SQL injection vulnerability was discovered in the login endpoint of bootcamp.nutanix.com where unsanitized user input in the email and password JSON parameters allowed extraction of database version information via error-based SQLi techniques. The vulnerability was exploited using simple quote injection and extractvalue() functions to trigger MySQL errors revealing system details.
Security researcher Josip Franjković discovered four SQL injection vulnerabilities across multiple Nokia domains (www4.nokia.de, a PHP site, and nokia.es subdomain), including blind SQL injection via User-Agent headers and time-based injection attacks, which Nokia's incident response team patched rapidly in April 2013. The researcher detailed advanced exploitation techniques such as using UNION-based subqueries with CASE statements to extract data from INSERT queries and bypass error-based detection.
A researcher discovered a Server-Side Request Forgery (SSRF) vulnerability in Google Sites' Caja server that allowed fetching arbitrary resources from Google's internal Borg cluster management network, exposing sensitive information about internal infrastructure including job details, system users, and resource allocation. The vulnerability was reported to Google's VRP and patched within 48 hours.
A researcher discovered a local file inclusion (LFI) vulnerability on Google's production servers at springboard.google.com through directory enumeration and authorization bypass, escalating from an initial auth bypass to full LFI with admin privileges, ultimately earning a $13,337 bounty from Google's Vulnerability Reward Program.
A clickbait Medium article claiming to demonstrate how to earn $500 from an open redirect vulnerability, but provides no actual technical details, methodology, or exploitation steps.
Microsoft released security patches for 77 vulnerabilities across Windows and other products in March 2026, with no zero-day exploits included this month unlike the previous month's five zero-days.
Monthly security patch review covering March 2026 releases from Adobe (80 CVEs across 8 bulletins) and Microsoft (94 CVEs total including third-party updates), with detailed analysis of critical vulnerabilities including Office RCE via Preview Pane, Windows Print Spooler RCE, Excel XSS enabling Copilot data exfiltration, and Windows Graphics elevation-of-privilege bugs.