Bug Hunting Blog

Documented vulnerabilities, write-ups, and security research findings.

April 2026 Critical

Cross-Tenant Data Access via API Token Prefix Trust

A flawed token parsing mechanism trusted the company ID embedded in the token string instead of resolving it from the database, giving full read and write access across tenant boundaries on a global HR platform.

April 2026 Critical

Mass Parameter Injection into Internal Transaction API via BFF

A BFF endpoint blindly forwarded all user-supplied JSON fields to an internal transaction service, enabling injection of sellerId, status, and paymentMethod while leaking internal JWTs on every call.

March 2026 High

Blind SSRF via Webhook URL Validation Bypass

An incomplete IP blocklist missed cloud metadata ranges and IPv4-mapped IPv6. DNS rebinding then bypassed the entire blocklist, turning a webhook feature into an internal network scanner.

March 2026 High

Unauthorized Access to All Prescription Records

A missing member filter on a prescriptions endpoint returned 1,352 PHI records from 86 patients to any authenticated user on a telehealth platform.

March 2026 High

Authorization Bypass on Telehealth Visit Creation

Missing ownership checks on visit endpoints allowed creating, reassigning, and completing telehealth visits for any member, blocking victims from scheduling their own care.

March 2026 Medium

v1 API Accessible with v2 Tokens: Full CRUD Without Scope Enforcement

v2 API tokens could access legacy v1 endpoints with zero scope checks, enabling full CRUD operations and bypassing role-based restrictions that the v2 API enforces.

March 2026 Medium

Refresh Token Accepted as Access Token on All Endpoints

A telehealth platform accepted refresh tokens on all resource endpoints including PHI, doubling the session lifetime from 8 to 16 hours with full read and write access.

February 2026 Critical

SSRF to RCE: Container Escape on a CI/CD Platform

A blind SSRF in a webhook feature escalated to full remote code execution, container escape, and potential supply chain compromise affecting thousands of downstream customers.

July 2025 High

Dependency Confusion: RCE via Package Hijacking

Discovered internal npm package names in JavaScript bundles and registered them on the public registry, achieving remote code execution on a gaming platform's build servers.

More write-ups are coming soon; stay tuned.