Web Application Breaches
Oracle E-Business Suite: a zero-day RCE fueled a Cl0p extortion wave
The Cl0p ransomware group exploited an unauthenticated RCE zero-day in Oracle E-Business Suite before patches existed, using an attacker-controlled XSL stylesheet to run commands and drive a data-theft extortion campaign.
npm's Shai-Hulud: phished maintainers, poisoned chalk and debug, a self-spreading worm
A September 2025 wave of npm attacks began with a phishing email that poisoned chalk, debug and other packages with over two billion weekly downloads, and escalated into Shai-Hulud, a self-propagating worm that stole developer tokens and republished malware automatically.
SharePoint 'ToolShell': insecure deserialization to unauthenticated RCE and key theft
Attackers exploited an insecure-deserialization flaw in on-premises SharePoint as a zero-day, gaining unauthenticated RCE and stealing the server's cryptographic machine keys to forge authentication tokens and persist.
CitrixBleed 2: a memory leak that handed attackers live session tokens
An out-of-bounds memory read in Citrix NetScaler ADC and Gateway let unauthenticated attackers extract session tokens from device memory, hijacking authenticated sessions and bypassing multi-factor authentication.
Next.js middleware: one spoofed header skipped authentication entirely
A spoofable internal header, x-middleware-subrequest, let attackers make Next.js skip middleware entirely — bypassing authentication and authorization checks enforced there on self-hosted deployments.
tj-actions/changed-files: a retagged GitHub Action leaked CI secrets from 23,000 repos
A widely used GitHub Action was compromised so that its version tags pointed to malicious code that dumped CI/CD secrets into build logs, exposing secrets across an estimated 23,000 repositories.
polyfill.io: how one bought domain poisoned 100,000+ websites overnight
A popular free JavaScript CDN changed ownership and began serving malicious code to an estimated 100,000+ sites that loaded it by name instead of by hash.
Snowflake customer breaches: no MFA, stolen passwords, 160+ companies
The threat group UNC5537 logged into more than 160 Snowflake customer environments using passwords stolen by infostealer malware, exploiting the absence of enforced multi-factor authentication rather than any flaw in Snowflake itself.
The XZ Utils backdoor: a two-year social-engineering supply-chain attack
A malicious backdoor was patiently inserted into the xz/liblzma compression library by a long-trusted maintainer persona, designed to break sshd authentication and grant remote unauthorized access, scoring the maximum CVSS 10.0.
Fortinet FortiOS SSL VPN: an out-of-bounds write became unauthenticated RCE
An out-of-bounds write in the FortiOS SSL VPN daemon let remote, unauthenticated attackers run arbitrary code via crafted HTTP requests; Fortinet disclosed it under active exploitation and CISA added it to the KEV catalog within a day.
GraphQL batching and introspection: when flexibility becomes attack surface
GraphQL's introspection and aliasing features, left unrestricted, leak the full schema and let a single request pack many operations — defeating rate limits and enabling brute-force of authentication codes and other secrets.
Ivanti Connect Secure: two bugs chained into unauthenticated RCE
Attackers chained an authentication bypass (CVE-2023-46805) with a command-injection flaw (CVE-2024-21887) in Ivanti Connect Secure and Policy Secure gateways to achieve unauthenticated remote code execution, deploying webshells and stealing credentials.
Stored XSS to account takeover: the web's most common bug class
Cross-site scripting is the single most common vulnerability class in bug bounty and the #1 entry on the CWE Top 25; injected script running in a victim's browser can steal session tokens and drive full account takeover.
MOVEit Transfer: one SQL injection, thousands of organizations breached
The Cl0p ransomware group exploited an unauthenticated SQL injection in Progress MOVEit Transfer to deploy a web shell and exfiltrate data from thousands of organizations worldwide.
Toyota T-Connect: a hardcoded access key sat public on GitHub for five years
A subcontractor published Toyota T-Connect source code to a public GitHub repository with a database access key embedded, leaving customer data reachable for roughly five years and exposing about 296,000 customers' details.
Optus: an unauthenticated API endpoint exposed millions of customers
An internet-exposed Optus API endpoint required no authentication, allowing an attacker to pull the personal records of millions of customers directly from the service.
Log4Shell: one log line that gave the internet remote code execution
A JNDI-lookup feature in the ubiquitous Apache Log4j logging library let unauthenticated attackers run arbitrary code on any server that logged an attacker-controlled string, scoring a maximum CVSS 10.0.
Codecov Bash Uploader: a modified build tool that quietly stole CI secrets
Attackers extracted a cloud credential from a Codecov Docker image and used it to alter the widely used Bash Uploader script so that it exfiltrated environment variables and secrets from customers' CI pipelines.
Capital One: SSRF to cloud metadata to 106 million records
An attacker exploited a server-side request forgery flaw in a misconfigured web application firewall to query the EC2 instance metadata service, steal over-permissive IAM credentials, and exfiltrate roughly 106 million customer records from cloud storage.