Public Disclosure

Responsible disclosure of 0-day vulnerabilities is one way we show our gratitude to all the beautiful ❤️ open-source projects.

| Title | Author(s) | CVE | Date |
|---|---|---|---|
| Snapshot.org - Proposal Space Confusion | tintinweb | - | 2021 |
| js-ipns - Downgrading Attack and Name Takeover | tintinweb | - | 2021 |
| jsipfs - ipfs-http-response - HTML Injection in Dirlisting | tintinweb | - | 2021 |
| Python - MIME Splitting | tintinweb | - | 2021 |
| Python - smtplib Multiple Crlf Injection | tintinweb | - | 2021 |
| PHP - IMAP MIME Splitting and Crlf Injection | tintinweb | - | 2021 |
| js-ipns - Signed Message Malleability Problem | tintinweb | - | 2021 |
| Ipfs Desktop - Path Traversal and arbitrary overwrite | tintinweb | - | 2021 |
| Remix Ethereum IDE - Drive-By and Remixd Path Traversal and Rce | tintinweb | - | 2021 |
| js-ipfs api CORS Bypass Full Admin Write | tintinweb | - | 2021 |
| Nim - Insecure SSL/TLS Defaults, MitM, and nimble shell command injection | tintinweb | CVE-2021-21374, CVE-2021-21373, CVE-2021-21372 | 2021 |
| Nim - stdlib asyncftpd - Crlf Injection | tintinweb | CVE-2020-15690 | 2021 |
| Ipfs - Path Traversal and Control Char Injection | tintinweb | CVE-2020-26279, CVE-2020-26283 | 2021 |
| go-ipfs-files improperly handles writing ipfs nodes to files | Joran Honig | - | 2021 |
| Ipfs Fuse mount allows for symlinks outside the mount directory | Joran Honig | - | 2021 |
| Ethereum 2.0 - Teku - DoS via Gossipsub | tintinweb | - | 2020 |
| Ethereum 1.0 - Trinity - Neighbour of Death remote DoS via DiscV4 | tintinweb | - | 2020 |
| Nim - stdlib Browsers - `open` Argument Injection | tintinweb | CVE-2020-15692 | 2020 |
| Nim - stdlib Httpclient - Header Crlf Injection & Server Response Validation | tintinweb | CVE-2020-15693, CVE-2020-15694 | 2020 |
| Nim - stdlib smtp - multiple crlf injections | tintinweb | CVE-2020-15691 | 2020 |