Bug Hunting Blog
Documented vulnerabilities, write-ups, and security research findings.
SSRF to RCE — Container Escape on a CI/CD Platform
A blind SSRF in a webhook feature escalated to full remote code execution, container escape, and potential supply chain compromise affecting thousands of downstream customers.
Cross-Enterprise IDOR — Wallet Address Disclosure
A naming inconsistency between two JSON-RPC methods broke tenant isolation on a crypto custody platform, exposing enterprise wallet addresses across organizational boundaries.
Dependency Confusion — RCE via Package Hijacking
Discovered internal npm package names in JavaScript bundles and registered them on the public registry, achieving remote code execution on a gaming platform's build servers.
Cross-Tenant Account Enumeration on a Banking Platform
Missing tenant validation on account lookup endpoints exposed customer PII — names, account numbers, and balances — across organizational boundaries on a BaaS platform.
Missing 2FA on KYC Identity Changes
A crypto exchange allowed users to change their verified identity documents without requiring two-factor authentication, enabling full account takeover from a stolen session.
More write-ups coming soon — stay tuned.