Hacktivity
Public disclosure log of security vulnerabilities autonomously discovered and patched by winfunc.
NGINX (Medium)
SCGI unbuffered mode sent truncated CONTENT_LENGTH causing backend desync
React (High, CVE-2026-23864)
RSC reply decoder DoS via $K FormData amplification (CVE-2026-23864)
Node.js (Medium, CVE-2026-21636)
Permission model bypass via unchecked Unix Domain Socket connections (CVE-2026-21636)
Anthropic (Critical)
Authentication bypass on FastMCP custom routes
Bun (High)
Exponential merge keys in Bun's YAML implementation lead to DoS

Supabase (Critical)
SQL Injection via queueName in getDatabaseQueuesMetrics
Gumroad (Critical)
0-click Account Takeover and Admin Operations via helper endpoint authorization bypass
Better-Auth (Medium)
Multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
