Hacktivity
Public disclosure log of security vulnerabilities autonomously discovered and patched by winfunc.
Showing recent 13
NGINX (Medium): stream accepts revoked client certificates despite ssl_ocsp on (CVE-2026-28755)
NGINX (Medium): SCGI unbuffered mode sent truncated CONTENT_LENGTH causing backend desync
React (High): RSC reply decoder DoS via $K FormData amplification (CVE-2026-23864)
Node.js (Medium): Permission model bypass via unchecked Unix Domain Socket connections (CVE-2026-21636)
Anthropic (Critical): Authentication bypass on FastMCP custom routes
Bun (High): Exponential merge keys in Bun's YAML implementation leads to DoS
Supabase (Critical): SQL Injection via queueName in getDatabaseQueuesMetrics
Gumroad (Critical): 0-click Account Takeover and Admin Operations via helper endpoint authorization bypass
Mattermost (Medium): SSRF bypass via IPv4-mapped IPv6 literals in IsReservedIP (CVE-2026-2455)
Mattermost (Medium): DoS via unchecked User-Agent token in getBrowserVersion (CVE-2026-25783)
Mattermost (High): Unbounded PBKDF2 hashing allows remote login DoS via oversized passwords (CVE-2026-24458)
Mattermost: Private Channel Enumeration via /mute Slash Command (CVE-2026-21386)
Better-Auth (Medium): Multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
End of transmission.
