Bug Bounty Discoveries: Critical Vulnerabilities in Web Applications
Security researchers uncovered several critical vulnerabilities in popular web applications through bug bounty programs, demonstrating the risks posed by insecure coding practices and insufficient input validation. One researcher found a flaw in a car-parts marketplace that allowed manipulation of a URL parameter to set product prices to zero, exploiting a backend logic error where an invalid id_product_feature_set parameter defaulted the price to zero. Another report detailed a $1,000 bounty for a GitLab GraphQL API vulnerability that enabled project maintainers to delete entire repositories, bypassing intended permission restrictions and highlighting the importance of robust access control in API design.
Additionally, a researcher discovered a $10,000 vulnerability in Shopify's Return Magic app, where a Handlebars template injection in customizable email templates could lead to server-side code execution, potentially allowing full server takeover. These incidents underscore the value of bug bounty programs in identifying and mitigating high-impact security flaws before they can be exploited by malicious actors, and they emphasize the need for secure development practices, thorough code review, and regular security testing in web applications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Handlebars email-template server takeover write-up published
A public write-up titled "The $10,000 Handlebars Hack: How Email Templates Led to Server Takeover" was published, indicating disclosure of a vulnerability chain involving email templates and server compromise. No more specific event dates are available from the reference.
Web-store pricing bug write-up published
A public write-up titled "The $2,000 Bug That Changed My Life: How a Tiny URL Parameter Broke Web-Store Pricing" was published, describing a pricing-manipulation vulnerability involving a URL parameter. The reference does not provide additional dates or incident details.
GitLab security flaw write-up published
A public write-up titled "$1000 Bounty: GitLab Security Flaw Exposed" was published, indicating disclosure of a GitLab-related security issue through a bug bounty report. No further technical or timeline details are provided in the reference.
Sources
3 references tracked. Mallory keeps watching after this page renders.
$1000 Bounty: GitLab Security Flaw Exposed
infosecwriteups.com
Open sourceThe $2,000 Bug That Changed My Life: How a Tiny URL Parameter Broke Web-Store Pricing !!
infosecwriteups.com
Open source“The $10,000 Handlebars Hack: How Email Templates Led to Server Takeover”
infosecwriteups.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Bug Bounty Research: Exploiting Overlooked Web Vulnerabilities
Security researchers detailed real-world bug bounty findings where seemingly low-risk or outdated web vulnerabilities led to significant data exposure and system compromise. One account describes how a 'read-only' API endpoint was misconfigured, allowing an attacker to enumerate and extract sensitive information despite its intended restrictions. Another case highlights how an old data dump dismissed by the community still contained valid credentials or overlooked flaws, enabling a researcher to leverage forgotten subdomains and ultimately gain unauthorized server access. These stories underscore the persistent risk posed by misconfigured endpoints and the value of re-examining old breach data for unpatched vulnerabilities. Attackers can exploit assumptions about security controls or the irrelevance of aged leaks, demonstrating the need for continuous monitoring, thorough asset management, and regular review of both public and internal exposure. Organizations should not rely solely on the perceived age or status of data breaches when assessing their security posture.
Mar 21, 2026
Bug Bounty Exploits: Path Traversal and SQL Injection Techniques
Security researchers have detailed real-world exploitation techniques used to identify and leverage vulnerabilities in web applications, focusing on bug bounty scenarios. One researcher described successfully exploiting a path traversal vulnerability in a company's file upload functionality, allowing arbitrary file overwrites and folder creation by manipulating file save locations. Additional attempts were made to exploit content-type handling and CSV injection, though system command execution was not achieved in that case. Another researcher demonstrated the use of UNION-based SQL injection to enumerate database tables, extract credential columns, and ultimately dump usernames and passwords from a non-Oracle database. By exploiting a vulnerable product category filter, the attacker was able to gain administrator access, highlighting the risk of improperly sanitized user input in web applications. Both cases underscore the importance of secure coding practices and thorough application testing to prevent such vulnerabilities from being exploited in the wild.
Mar 21, 2026
Web Application Security Vulnerabilities and Exploitation Techniques
Security researchers and enthusiasts have recently highlighted several web application vulnerabilities and exploitation techniques, focusing on real-world scenarios and educational walkthroughs. One write-up details a web challenge from the v1t CTF, where the key to exploitation was careful source code analysis rather than traditional attack vectors, emphasizing the importance of understanding application logic and default credential checks. Another article provides a step-by-step breakdown of a $6,000 bug bounty awarded for a persistent cross-site scripting (XSS) vulnerability on Yelp.com, explaining how the flaw allowed attackers to hijack user sessions and steal credentials, and offering practical advice for identifying similar bugs. Additionally, a technical walkthrough demonstrates how reflected XSS can be exploited in the DVWA (Damn Vulnerable Web Application) environment, illustrating the risks of improper input validation and script execution in browsers. A separate analysis explores a Cross-Origin Resource Sharing (CORS) misconfiguration involving a trusted "null" origin, showing how such errors can lead to sensitive data exposure across domains. These cases collectively underscore the ongoing risks posed by web application misconfigurations and the value of both offensive and defensive security research in identifying and mitigating these threats.
Mar 21, 2026