Security
Vulnerabilities discovered by OpenHack in real-world software. We practice responsible disclosure and work with vendors to ensure fixes are available before publishing details.
A missing `await` keyword on `getServerSession()` in Papermark's TUS file upload endpoint causes a complete authentication bypass, allowing unauthenticated attackers to upload arbitrary files up to 2 GB.
Read advisoryUser-controlled redirect URLs from the OAuth state parameter are passed directly to res.redirect() without getSafeRedirectUrl() validation in Stripe Payment and Feishu Calendar callback handlers, allowing redirection to arbitrary external domains.
Read advisory