Hall of Fame
Public BugBunny.ai advisories across open source software, developer tooling, infrastructure, and modern AI stacks.
25 CVEs discovered
10.0 peak CVSS
12 rated high or critical
Severity Timeline: every BugBunny CVE plotted by disclosure date (x-axis) against its assigned severity tier, none to critical (y-axis).
CVE Advisories (25)
Every public BugBunny advisory published so far (peak CVSS 10.0).
March 11, 2026
CVE-2026-31888
Shopware Store API User Enumeration
Shopware's Store API login returned different error codes depending on whether the submitted email belonged to an existing customer, letting a caller confirm which addresses are registered accounts.
March 9, 2026
CVE-2026-30973
Appium Zip Slip Arbitrary File Write
A missing throw in Appium’s ZIP extraction path traversal check made Zip Slip protection non-functional and allowed arbitrary file write.
March 2026
CVE-2026-29093
AVideo Exposed Memcached Session Store
AVideo’s default docker-compose stack published an unauthenticated memcached instance holding all PHP session data directly to the host network.
March 2026
CVE-2026-28398
NocoDB Stored XSS via Comments and Rich Text
NocoDB rendered attacker-controlled comments and rich text with v-html and no sanitization, enabling stored XSS for viewers of affected records.
March 2026
CVE-2026-28396
NocoDB Refresh Tokens Survive Password Reset
NocoDB invalidated JWT versions on password reset but failed to delete existing refresh tokens, allowing stolen refresh tokens to survive the reset.
March 2026
CVE-2026-28361
NocoDB MCP Token Ownership Bypass
NocoDB’s MCP token service skipped ownership validation, allowing users with sufficient base permissions to manipulate another user’s token if they knew its ID.
March 2026
CVE-2026-3351
LXD Certificate Fingerprint Enumeration
LXD’s non-recursive certificate listing bypassed per-object authorization and leaked certificate fingerprints to restricted authenticated users.
February 2026
CVE-2026-28445
Typebot Rating Block Custom Icon XSS
Typebot accepted arbitrary HTML/SVG in rating block custom icons and rendered it with innerHTML in the builder preview, enabling stored XSS.
February 2026
CVE-2026-28351
pypdf RunLengthDecode Memory Exhaustion
Crafted RunLengthDecode streams in PDFs could trigger large memory consumption inside pypdf and exhaust process RAM.
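RunLengthDecode is a simple filter, which is exactly why a decoder tends to trust the lengths it reads. The following added example (not pypdf's code; it is written in JavaScript, and the cap value and sample streams are constructed) implements the filter per the PDF run-length rules with a hard limit on decoded size, so a crafted stream cannot expand far beyond what the caller is willing to hold.

```javascript
// Added example, not pypdf's code: a RunLengthDecode filter (PDF run-length
// semantics) with a hard cap on decoded size, so a crafted stream cannot drive
// memory use far beyond the input. maxOutput and the sample streams are
// constructed for this example.
function runLengthDecode(input, maxOutput = 16 * 1024 * 1024) {
  const chunks = [];
  let outLen = 0;
  let i = 0;
  while (i < input.length) {
    const len = input[i++];
    if (len === 128) break;                      // EOD marker
    let n;
    if (len < 128) {
      n = len + 1;                               // literal run: copy next n bytes
      if (i + n > input.length) throw new Error('truncated literal run');
      if (outLen + n > maxOutput) throw new Error(`decoded size exceeds ${maxOutput} bytes`);
      chunks.push(input.subarray(i, i + n));
      i += n;
    } else {
      n = 257 - len;                             // repeat run: next byte, n times
      if (i >= input.length) throw new Error('truncated repeat run');
      if (outLen + n > maxOutput) throw new Error(`decoded size exceeds ${maxOutput} bytes`);
      chunks.push(Buffer.alloc(n, input[i++]));
    }
    outLen += n;
  }
  return Buffer.concat(chunks, outLen);
}

// Constructed sample: literal "abc", then 'x' repeated 3 times, then EOD.
const SAMPLE = Buffer.from([0x02, 0x61, 0x62, 0x63, 0xfe, 0x78, 0x80]);

// Constructed expansion bomb: each 2-byte pair (0x81, byte) expands to 128
// bytes, so 2 KB of input becomes 128 KB and a few MB becomes hundreds of MB.
function bomb(pairs) {
  const b = Buffer.alloc(pairs * 2);
  for (let k = 0; k < pairs; k++) {
    b[2 * k] = 0x81;
    b[2 * k + 1] = 0x41;
  }
  return b;
}
```

The check happens before each allocation, not after, which is the difference between refusing a stream and discovering the problem once the process is already out of memory. Callers that know the expected size of the decoded object (an image with known dimensions, say) should pass a tighter maxOutput than the default.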
February 2026
CVE-2026-28217
Hoppscotch userCollection IDOR
Hoppscotch’s userCollection GraphQL query returned other users’ private collection data without verifying ownership, exposing secrets and request definitions.
February 2026
CVE-2026-28444
Typebot Result Logs IDOR
Typebot authorized the caller against typebotId but fetched logs purely by resultId, enabling cross-workspace access to result logs.
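The Typebot result-log IDOR, the Hoppscotch userCollection IDOR and the NocoDB MCP token ownership bypass above share one shape: authorization is decided on something the caller chooses (or skipped entirely), while the object returned is fetched by a different id. The added example below is not Typebot's, Hoppscotch's or NocoDB's code; the workspace/bot/result model, the user ids and the sample log lines are constructed to show the vulnerable and the corrected lookup side by side.

```javascript
// Added example, not Typebot's, Hoppscotch's or NocoDB's code. The data model
// and all ids below are constructed for illustration.
const typebots = new Map([
  ['bot-A', { workspaceId: 'ws-A' }],
  ['bot-B', { workspaceId: 'ws-B' }],
]);
const results = new Map([
  ['res-A1', { typebotId: 'bot-A', logs: ['A1: user answered "hello"'] }],
  ['res-B1', { typebotId: 'bot-B', logs: ['B1: api key = sk-secret'] }],
]);
const users = new Map([
  ['alice', { workspaces: new Set(['ws-A']) }],
  ['bob', { workspaces: new Set(['ws-B']) }],
]);

function canAccessTypebot(userId, typebotId) {
  const bot = typebots.get(typebotId);
  const user = users.get(userId);
  return Boolean(bot && user && user.workspaces.has(bot.workspaceId));
}

// Vulnerable: authorization is evaluated against the caller-supplied typebotId,
// but the object actually returned is looked up by resultId alone. Alice passes
// her own bot-A together with Bob's res-B1 and receives Bob's logs.
function getResultLogsVulnerable(userId, typebotId, resultId) {
  if (!canAccessTypebot(userId, typebotId)) throw new Error('forbidden');
  const result = results.get(resultId);
  if (!result) throw new Error('not found');
  return result.logs;
}

// Fixed: load the object first, then authorize on the ownership it records.
// The caller-supplied typebotId is only a consistency check, never the basis
// of the decision. Missing and foreign results both answer "not found" so the
// endpoint does not confirm that a guessed id exists.
function getResultLogs(userId, typebotId, resultId) {
  const result = results.get(resultId);
  if (!result || result.typebotId !== typebotId ||
      !canAccessTypebot(userId, result.typebotId)) {
    throw new Error('not found');
  }
  return result.logs;
}
```

The rule generalizes beyond logs: whatever the handler ends up returning or mutating (a collection, a token, a document), the access check has to run against that object's recorded owner, not against an id the caller supplied alongside it.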
February 2026
CVE-2026-28384
LXD compression_algorithm Host RCE
Multiple LXD API endpoints passed user-controlled compression_algorithm strings into shell-parsed host commands, enabling authenticated host RCE.
February 2026
CVE-2026-27955
Coolify executeInDocker Command Injection
Coolify’s executeInDocker() helper wrapped attacker-controlled commands in bash -c without escaping single quotes, enabling host command execution.
February 2026
CVE-2026-27806
Fleet Orbit Tcl Injection Privilege Escalation
Fleet Orbit interpolated a local password into a Tcl/expect script without safe escaping, allowing local users to inject commands and escalate to root.
February 2026
CVE-2026-27471
ERPNext Missing Access Validation
Missing permission checks on sensitive ERPNext endpoints allowed unauthorized users to access employee, invoice, and financial documents.
January 2026
CVE-2026-23630
Docmost Mermaid XSS
Unsanitized Mermaid SVG rendering enabled stored XSS against any user viewing a poisoned Docmost page.
January 12, 2026
CVE-2026-22807
vLLM auto_map RCE
vLLM loaded Hugging Face auto_map dynamic modules without honoring trust_remote_code, enabling arbitrary Python execution from untrusted models.
January 12, 2026
CVE-2026-21884
React Router ScrollRestoration XSS
React Router's server-rendered inline ScrollRestoration script did not escape </script> sequences in the data it serialized, so attacker-controlled values could terminate the script element early and inject markup that executes (XSS).
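The ScrollRestoration bug and the innerHTML/v-html/Mermaid bugs above (NocoDB, Typebot, Docmost) are the same mistake in two different output contexts: data was placed into markup without escaping for the context it landed in. The following added example (not code from React Router, NocoDB, Typebot or Docmost; function names and the payload are constructed) shows the script-context serializer that closes the `</script` hole, beside the text-context escaper, with the vulnerable inline-script shape kept for contrast.

```javascript
// Added example, not React Router's, NocoDB's, Typebot's or Docmost's code.
// Two escapers for two contexts, plus the vulnerable inline-script shape for
// contrast. Function names and the sample payload are constructed.

// Script context. JSON.stringify produces valid JavaScript, but the HTML
// tokenizer ends a <script> element at the first "</script" regardless of JS
// string quoting. Escaping "<" (and a few related characters) as \uXXXX keeps
// the JSON parseable and removes the terminator.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')   // JS line terminators that JSON allows raw
    .replace(/\u2029/g, '\\u2029');
}

function scrollStateScriptVulnerable(state) {
  return `<script>window.__SCROLL__ = ${JSON.stringify(state)};</script>`;
}
function scrollStateScript(state) {
  return `<script>window.__SCROLL__ = ${jsonForInlineScript(state)};</script>`;
}

// Text and attribute context. For plain text these five characters suffice;
// for rich text that must keep some markup, escaping is not an option and an
// allow-list sanitizer has to run before anything reaches innerHTML or v-html.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderComment(text) {
  return `<p class="comment">${escapeHtml(text)}</p>`;
}

// Constructed payload: a key in the restored scroll state (or a comment body)
// that tries to close the script element and inject an element.
const PAYLOAD = '</script><img src=x onerror=alert(1)>';
```

In the vulnerable rendering the first `</script>` sits inside the JSON and the browser treats everything after it as markup; in the fixed rendering the only `</script>` is the real closing tag, and JSON.parse still round-trips the escaped value unchanged.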
November 2025
CVE-2025-64756
glob CLI Command Injection
The glob CLI passed attacker-controlled filenames into shell execution paths, so running it over a repository containing crafted filenames could execute attacker-chosen commands.
October 2025
CVE-2025-61686
React Router Path Traversal
Crafted session identifiers escaped React Router file session storage directories and enabled arbitrary file overwrite.
September 2025
CVE-2025-61622
Apache Fory Pickle RCE
Unsupported objects in pyfory/pyfury fell back to pickle.loads, enabling arbitrary code execution from crafted serialized data.
August 2025
CVE-2025-59792
Apache Kvrocks Credential Exposure
Kvrocks MONITOR output leaked plaintext AUTH credentials, exposing passwords to low-privilege observers.
August 2025
CVE-2025-59790
Apache Kvrocks Privilege Escalation
Namespace token validation flaws in Kvrocks allowed lower-privilege users to cross privilege boundaries.
July 2025
CVE-2025-59057
React Router Stored XSS
A stored XSS condition in React Router allowed attacker-supplied markup to persist and execute in downstream applications.
June 2025
CVE-2025-58434
Flowise Account Takeover
Flowise leaked password reset material in a way that enabled full account takeover across local and cloud deployments.
Want coverage like this?
BugBunny runs coordinated AI agents to surface exploitable issues before attackers do, then packages the results into audit-ready findings and CVE-quality disclosures.