Mission Vector Zero

Alasdair Gorniak identified a sensitive data exposure vulnerability on one of the National Aeronautics and Space Administration (NASA) subdomains. The vulnerability was submitted on Sep 16, 2025 and was resolved on Oct 27, 2025.

Alexandru Ionut Raducu identified a XSS vulnerability in ProjectSend and later increased the severity of the vulnerability from a simple XSS to full administrator account takeover.

Luke Smith (Daeda1us) discovered that Apache Druid versions through 34.0.0 use a weak, guessable fallback secret for signing Kerberos authentication cookies when druid.auth.authenticator.kerberos.cookieSignatureSecret is not configured. Because the system relies on ThreadLocalRandom, a non-cryptographic PRNG, attackers may be able to predict or forge tokens. The issue also results in each node generating its own secret, causing inconsistent authentication behavior in distributed clusters.

On October 3rd, 2025, Cristian Branet (cristibtz) reported a Server-Side Template Injection vulnerability on Xibo CMS that was later escalated to Remote Code Execution (RCE), this vulnerability effectively allowed low-privileged users access to the entire server.

On May 23, 2025, Halil Oktay (oblivionsage) discovered a path traversal vulnerability in node.js that allowed reading system files outside its intended folder. This vulnerability affects all Node.js apps on Windows that use path.normalize() or similar functions to sanitize user-provided file paths

Around December 2024, Edward Warren (Actuator) discovered that "Color Phone: Call Screen Theme" mobile app is vulnerable to insecure permission handling via an exported Android activity. As a result, malicious applications can invoke this activity directly to initiate phone calls on behalf of the user.

Around September 2024, Edward Warren (Actuator) discovered that "Video Downloader Pro & Browser" 1.0.42 is vulnerable to arbitrary JavaScript execution via an exported Android activity. The exploitation led to Cross-site Scripting (XSS) vulnerability.

In later December 2025, Muhammad Taha Khan (KhanMarshai) discovered a race condition vulnerability on OpenCart CMS that allows malicious customers to bypass business logic restrictions, specifically allowing a single-use coupon to be redeemed multiple times and enabling the sale of products beyond available inventory (overselling).

Alasdair Gorniak found a Remote Code Execution (RCE) vulnerability in Microsoft Power Apps allows an authorized attacker to execute code over a network.

On Jan 18th 2025, Hamed Kohi (0xHamy) identified a vulnerability in Royal Bank Canada (RBC) Android mobile app. The mobile remote deposit capture (RDC) feature allows users to scan the front and back of a cheque and manually enter the cheque amount. Because the application trusts client-supplied input for a financial value, attackers can submit a higher amount than the actual cheque value. The manipulated amount is processed and credited, resulting in unauthorized financial gain.

Muhammad Taha Khan (KhanMarshai) discovered an improper authorization vulnerability in Grafana OSS. Grafana allows creating annotations (basically a comment or note at different points in a graph) on dashboards. Grafana also allows sharing dashboards publicly while locking the time range that a public viewer could view. However, the vulnerability allows bypassing this time range restriction and a public viewer could access annotations beyond the defined time range.

Viral Vaghela discovered an Arbitrary File Write vulnerability via Path Traversal in the Rollup module bundler. Insecure file name sanitization allows an attacker to control output filenames and use path traversal sequences to overwrite files anywhere on the host filesystem where the build process has permissions.

Alasdair Gorniak discovered a remote code execution vulnerability has been reported in Microsoft Windows Notepad. The vulnerability is due to improper validation of links in Markdown files. A remote attacker could exploit this vulnerability by enticing the victim to download and interact with a malicious file. Successful exploitation of this vulnerability could result in the execution of arbitrary commands in the security context of the victim's account.

Halil Oktay (oblivionsage) discovered an input validation vulnerability affecting MongoDB's GridFS implementation. User-controlled chunkSize metadata from MongoDB lacks appropriate validation, allowing malformed GridFS metadata to overflow the bounding container. This vulnerability enables attackers with low privileges to cause a denial of service condition through network-accessible attack vectors.

Hamed Kohi (0xHamy) identified multiple CSRF vulnerabilities on InstantCMS. Exploiting these vulnerabilities can lead to performing unauthorized actions such as granting privileges to arbitrary users, executing backend tasks and moving posts to trash.