Hacktivity
Public disclosure log of security vulnerabilities autonomously discovered and patched by winfunc.
Showing recent 21
NGINXMediumCVE-2026-42926
HTTP/2 upstream frame injection via oversized proxy_set_body (CVE-2026-42926)
Read Analysis
NGINXMediumCVE-2026-28755
stream accepts revoked client certificates despite ssl_ocsp on (CVE-2026-28755)
Read Analysis
NGINXMedium
SCGI unbuffered mode sent truncated CONTENT_LENGTH causing backend desync
Read Analysis
NGINXHigh
WebDAV COPY/MOVE path overlap corrupts files and collections
Read Analysis
ReactHighCVE-2026-23864
RSC reply decoder DoS via $K FormData amplification (CVE-2026-23864)
Read Analysis
Node.jsMediumCVE-2026-21636
Permission model bypass via unchecked Unix Domain Socket connections (CVE-2026-21636)
Read Analysis
AnthropicCritical
Authentication bypass on FastMCP custom routes
Read Analysis
SupabaseCritical
SQL Injection via queueName in getDatabaseQueuesMetrics
Read Analysis
BunHigh
Exponential merge keys in Bun's YAML implementation leads to DoS
Read Analysis
GumroadCritical
0-click Account Takeover and Admin Operations via helper endpoint authorization bypass
Read Analysis
MattermostHighCVE-2026-3108
mmctl terminal escape injection via unsanitized server-controlled output (CVE-2026-3108)
Read Analysis
MattermostMediumCVE-2026-3114
Zip bomb memory exhaustion in recursive document extraction (CVE-2026-3114)
Read Analysis
MattermostMediumCVE-2026-3115
Group member IDs leaked because GetGroup bypassed view restrictions (CVE-2026-3115)
Read Analysis
MattermostMediumCVE-2026-3113
mmctl export downloads created world-readable local files (CVE-2026-3113)
Read Analysis
MattermostMediumCVE-2026-21386
Private channel enumeration through /mute error messages (CVE-2026-21386)
Read Analysis
MattermostHighCVE-2026-24458
Oversized password login DoS in legacy password comparison (CVE-2026-24458)
Read Analysis
MattermostMediumCVE-2026-25783
User-Agent version parser panic during session creation (CVE-2026-25783)
Read Analysis
MattermostMediumCVE-2026-2455
SSRF protection bypass via IPv4-mapped IPv6 literals (CVE-2026-2455)
Read Analysis
Better-AuthMedium
Multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
Read Analysis
ActixMedium
HTTP/1.1 CL.TE request smuggling in actix-http (GHSA-xhj4-vrgc-hr34)
Read Analysis
HoppscotchHighCVE-2024-34347
Hoppscotch CLI sandbox escape through Node vm pre-request scripts (CVE-2024-34347)
Read Analysis
End of transmission.