bugforge 15

• XInclude Injection to Arbitrary File Read | Tanuki May 12, 2026
• IDOR via Sequential Order IDs | Cheesy Does It May 11, 2026
• Race Condition in Cart and Checkout Flow – Multi-Item Purchase for Single Charge | Cafe Club May 10, 2026
• GraphQL Introspection and Sensitive Data Exposure | Ottergram May 9, 2026
• Predictable Time-Based Auth Token Leading to Authentication Bypass | Sokudo May 8, 2026
• Weak Session Token Design – Predictable MD5-Based Session Hijacking | CopyPasta May 7, 2026
• XML External Entity (XXE) via Deck Import Feature | Tanuki May 6, 2026
• Path Traversal – Arbitrary File Read via Image Endpoint | Ottergram May 2, 2026
• Broken Authentication – Predictable Timestamp Token Leads to Admin Account Takeover | Sokudo May 1, 2026
• Broken Access Control – Admin Access Token Brute Force Leads to Unauthorized Admin Access | Gift List Apr 30, 2026
• Broken Access Control – Role Manipulation via User Registration | Tanuki Apr 28, 2026
• Command Injection – Remote Code Execution via rollOptions Parameter | Diceforge Apr 26, 2026
• File Inclusion – Arbitrary File Read via Image Endpoint | Ottergram Apr 25, 2026
• IDOR – Unauthorized Access to Shared Notes via Base64 ID Manipulation | BugForge Apr 24, 2026
• Broken Access Control – Unauthorized Stats Modification via HTTP Method Manipulation | BugForge Apr 23, 2026