Breachwire.riscent
Breachwire / Web Application Breaches

Web Application Breaches

Web Application BreachesCritical (CVSS 9.8)

Oracle E-Business Suite: a zero-day RCE fueled a Cl0p extortion wave

The Cl0p ransomware group exploited an unauthenticated RCE zero-day in Oracle E-Business Suite before patches existed, using an attacker-controlled XSL stylesheet to run commands and drive a data-theft extortion campaign.

Web Application BreachesCritical (billions of downloads affected)

npm's Shai-Hulud: phished maintainers, poisoned chalk and debug, a self-spreading worm

A September 2025 wave of npm attacks began with a phishing email that poisoned chalk, debug and other packages with over two billion weekly downloads, and escalated into Shai-Hulud, a self-propagating worm that stole developer tokens and republished malware automatically.

Web Application BreachesCritical (CVSS 9.8)

SharePoint 'ToolShell': insecure deserialization to unauthenticated RCE and key theft

Attackers exploited an insecure-deserialization flaw in on-premises SharePoint as a zero-day, gaining unauthenticated RCE and stealing the server's cryptographic machine keys to forge authentication tokens and persist.

Web Application BreachesCritical

CitrixBleed 2: a memory leak that handed attackers live session tokens

An out-of-bounds memory read in Citrix NetScaler ADC and Gateway let unauthenticated attackers extract session tokens from device memory, hijacking authenticated sessions and bypassing multi-factor authentication.

Web Application BreachesCritical (CVSS 9.1)

Next.js middleware: one spoofed header skipped authentication entirely

A spoofable internal header, x-middleware-subrequest, let attackers make Next.js skip middleware entirely — bypassing authentication and authorization checks enforced there on self-hosted deployments.

Web Application BreachesHigh (CVSS 8.6)

tj-actions/changed-files: a retagged GitHub Action leaked CI secrets from 23,000 repos

A widely used GitHub Action was compromised so that its version tags pointed to malicious code that dumped CI/CD secrets into build logs, exposing secrets across an estimated 23,000 repositories.

Web Application BreachesCritical (mass distribution)

polyfill.io: how one bought domain poisoned 100,000+ websites overnight

A popular free JavaScript CDN changed ownership and began serving malicious code to an estimated 100,000+ sites that loaded it by name instead of by hash.

Web Application BreachesCritical (mass data theft, no CVE)

Snowflake customer breaches: no MFA, stolen passwords, 160+ companies

The threat group UNC5537 logged into more than 160 Snowflake customer environments using passwords stolen by infostealer malware, exploiting the absence of enforced multi-factor authentication rather than any flaw in Snowflake itself.

Web Application BreachesCritical (CVSS 10.0)

The XZ Utils backdoor: a two-year social-engineering supply-chain attack

A malicious backdoor was patiently inserted into the xz/liblzma compression library by a long-trusted maintainer persona, designed to break sshd authentication and grant remote unauthorized access, scoring the maximum CVSS 10.0.

Web Application BreachesCritical (CVSS 9.6)

Fortinet FortiOS SSL VPN: an out-of-bounds write became unauthenticated RCE

An out-of-bounds write in the FortiOS SSL VPN daemon let remote, unauthenticated attackers run arbitrary code via crafted HTTP requests; Fortinet disclosed it under active exploitation and CISA added it to the KEV catalog within a day.

Web Application BreachesHigh (rate-limit bypass, schema disclosure)

GraphQL batching and introspection: when flexibility becomes attack surface

GraphQL's introspection and aliasing features, left unrestricted, leak the full schema and let a single request pack many operations — defeating rate limits and enabling brute-force of authentication codes and other secrets.

Web Application BreachesCritical (chained unauthenticated RCE)

Ivanti Connect Secure: two bugs chained into unauthenticated RCE

Attackers chained an authentication bypass (CVE-2023-46805) with a command-injection flaw (CVE-2024-21887) in Ivanti Connect Secure and Policy Secure gateways to achieve unauthenticated remote code execution, deploying webshells and stealing credentials.

Web Application BreachesHigh to Critical (context-dependent)

Stored XSS to account takeover: the web's most common bug class

Cross-site scripting is the single most common vulnerability class in bug bounty and the #1 entry on the CWE Top 25; injected script running in a victim's browser can steal session tokens and drive full account takeover.

Web Application BreachesCritical (CVSS 9.8)

MOVEit Transfer: one SQL injection, thousands of organizations breached

The Cl0p ransomware group exploited an unauthenticated SQL injection in Progress MOVEit Transfer to deploy a web shell and exfiltrate data from thousands of organizations worldwide.

Web Application BreachesHigh (credential exposure, ~296k customers)

Toyota T-Connect: a hardcoded access key sat public on GitHub for five years

A subcontractor published Toyota T-Connect source code to a public GitHub repository with a database access key embedded, leaving customer data reachable for roughly five years and exposing about 296,000 customers' details.

Web Application BreachesHigh (millions of records)

Optus: an unauthenticated API endpoint exposed millions of customers

An internet-exposed Optus API endpoint required no authentication, allowing an attacker to pull the personal records of millions of customers directly from the service.

Web Application BreachesCritical (CVSS 10.0)

Log4Shell: one log line that gave the internet remote code execution

A JNDI-lookup feature in the ubiquitous Apache Log4j logging library let unauthenticated attackers run arbitrary code on any server that logged an attacker-controlled string, scoring a maximum CVSS 10.0.

Web Application BreachesHigh (CI secret exposure)

Codecov Bash Uploader: a modified build tool that quietly stole CI secrets

Attackers extracted a cloud credential from a Codecov Docker image and used it to alter the widely used Bash Uploader script so that it exfiltrated environment variables and secrets from customers' CI pipelines.

Web Application BreachesCritical (106M records)

Capital One: SSRF to cloud metadata to 106 million records

An attacker exploited a server-side request forgery flaw in a misconfigured web application firewall to query the EC2 instance metadata service, steal over-permissive IAM credentials, and exfiltrate roughly 106 million customer records from cloud storage.