Wall of Fame
Every vulnerability listed here was discovered by OpenHack in real-world open-source software. We practice responsible disclosure and work with maintainers to ensure fixes are available before publishing details.
Sorted by date, newest first.
Missing await on getServerSession() causes complete authentication bypass, allowing unauthenticated file uploads up to 2 GB.
Read full advisoryUser-controlled redirect URLs passed to res.redirect() without validation, allowing redirection to arbitrary external domains.
Read full advisoryOpenHack follows responsible disclosure practices. When we discover a vulnerability, we notify the vendor immediately, provide full technical details and remediation guidance, and coordinate a disclosure timeline that gives maintainers adequate time to ship a fix before any public advisory is published.
If you believe you've found a security issue in OpenHack itself, please reach out to security@openhack.com.