Partial remediationRegionalNational social-insurance agency
3 Critical3 High1 Medium7 total
- Authentication bypass via signing-key disclosure
- IDOR mass-extraction of contribution records
- CORS reflection with auth-header allowance
Chain demonstrating full-database extractability without valid credentials. Disclosed; partial fixes applied; core issues remain.
Partial remediationMultilateralRegional public-health data platform
4 Critical1 High2 Medium7 total
- Unauthenticated national-registry API
- Source-code & secrets disclosure
- SQL injection in legacy login endpoint
Special-category patient data exposed via a combination of web-server misconfiguration and an unauthenticated development endpoint. Partial remediation; residual exposure outstanding.
Regional capital-markets institution
5 Critical1 High2 Medium8 total
- Application-root disclosure
- Debug-log PII retention over multi-year window
- Directory-listed document repositories
Misconfigured web server exposing deployment artefacts and sustained logging of customer data. Disclosure sent to vendor; awaiting acknowledgment and remediation.
US-accredited medical school
6 Critical4 High3 Medium13 total
- Unauthenticated REST API with full PII read
- Directory-listed HR document archive with IDOR chain
- Active LMS compromise - SEO-spam injection indicator
Multiple subsystems exposing student PII, a complete HR document archive, and evidence of an already-compromised learning-management system. Vendor acknowledged disclosure; detailed findings shared with assigned engineer for triage.
Regional banking-platform vendor
0 Critical2 High2 Medium4 total
- Hardcoded vendor-wide AES key in pre-auth response
- Cross-tenant IDOR on shared banking backend
- Unauthenticated configuration bundle exposure
Banking-platform vendor shipping a hardcoded AES key in an unauthenticated response across a multi-bank fleet; hundreds of compromised customer sessions already visible in public infostealer telemetry. Disclosure sent to vendor; awaiting acknowledgment and remediation.
Regional education credentialing authority
2 Critical1 High5 Medium8 total
- Mass identity-document exposure via CMS media library
- Dev-mirror cloning production PII without edge protection
- ASP.NET framework & path disclosure on legacy portals
Public CMS media library used as a storage tier for exam-candidate identity documents; tens of thousands of records enumerable without authentication and duplicated on an unprotected development mirror. Disclosure acknowledged by asset owner; remediation in progress.
Caribbean delivery SaaS
4 Critical1 High3 Medium8 total
- Production cloud credentials leaked via unauthenticated config endpoint
- Cross-tenant cloud-storage write via leaked operator IAM
- Unauthenticated merchant directory enumeration
A single unauthenticated API response on a regional food-delivery platform exposes the operator's production cloud credentials, payment-gateway test secrets, and a multi-tenant storage bucket with no per-tenant access scoping. Coordinated credential rotation and bucket-policy hardening pending.
Multi-tenant delivery / ride-hailing SaaS template
3 Critical1 High3 Medium7 total
- Per-tenant secrets retrievable via shared config route across the operator fleet
- Suffix-based authentication exemption pattern in route handler
- Multi-tenant cloud storage without per-tenant IAM scoping
Architectural defects in a SaaS delivery and ride-hailing platform template that ships to operators across the Americas, the Caribbean, MENA, and South Asia. Per-tenant credentials, payment-gateway secrets, and cross-tenant write capability are reachable without authentication on every unpatched deployment. Disclosure sent to template vendor.
Eastern Caribbean social-insurance authority
3 Critical6 High3 Medium12 total
- End-to-end RCE chain via exposed source-control directory
- Web-server account holds latent authority over monitoring stack
- Public-facing software stack 11+ years past end-of-support
Eastern Caribbean public-sector social-insurance host running a public web stack 11+ years past end-of-support. A source-control directory in webroot leaks production database credentials; the database super-user is reachable from the public internet; remote code execution is possible via this chain.