Title | Weakness | Reporter | Severity | Date
php info file and sql backup at vendor's subdomain | Information Disclosure | rivalsec | Low | 2021-12-08
OAuth `redirect_uri` bypass using IDN homograph attack resulting in user's access token leakage | Information Disclosure | yassineaboukir | Medium | 2020-06-18
IDOR in the https://market.semrush.com/ | Improper Access Control - Generic | albatraoz | Critical | 2020-04-30
SSRF and LFI in site-audit tool | None supplied | a_d_a_m | High | 2020-04-30
An attacker can buy marketplace articles for lower prices as it allows for negative quantity values leading to business loss | Business Logic Errors | yashrs | High | 2020-04-02
IDOR in marketing calendar tool | Insecure Direct Object Reference (IDOR) | a_d_a_m | Medium | 2020-04-02
Content Injection on api.semrush.com to Reflected XSS | Cross-site Scripting (XSS) - Reflected | nikitastupin | Low | 2020-04-02
Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB | Cross-site Scripting (XSS) - Reflected | ziko_amazigh | Low | 2020-04-02
IDOR in semrush academy | Insecure Direct Object Reference (IDOR) | a_d_a_m | Medium | 2020-02-28
Ad Builder Display Ads Path Traversal | Path Traversal | ajxchapman | Medium | 2020-02-28
CORS misconfiguration which leads to the disclosure of certain data concerning the user. | Improper Access Control - Generic | a_d_a_m | Low | 2020-02-15
Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image | Violation of Secure Design Principles | seeu | Medium | 2020-01-10
Github information leaked | Information Disclosure | farmsec_alice | High | 2019-09-25
SSRF In Get Video Contents | Server-Side Request Forgery (SSRF) | artemis233 | Medium | 2019-08-19
Remote Code Execution on www.semrush.com/my_reports on Logo upload | Command Injection - Generic | fransrosen | Critical | 2019-06-24
Improper authentication on registration | Improper Authentication - Generic | lezibintlgent | Medium | 2018-08-24
Post Based XSS On Upload Via CK Editor [semrush.com] | Cross-site Scripting (XSS) - Reflected | apapedulimu | Low | 2018-08-17
Password reset token leakage via referer | Violation of Secure Design Principles | ethical_hacker30121996 | Low | 2018-08-14
Error Page Content Spoofing or Text Injection | Violation of Secure Design Principles | asad_anwar | Low | 2018-06-29
XSS on redirection page( Bypassed) | Cross-site Scripting (XSS) - Reflected | kunal94 | Low | 2018-06-13
[oauth token leak] at oauth.semrush.com | Improper Authentication - Generic | nikitastupin | High | 2018-04-17
CORS (Cross-Origin Resource Sharing) | Improper Authentication - Generic | asad_anwar | Low | 2018-03-20
Email Spoofing | Violation of Secure Design Principles | protector47 | Medium | 2018-03-13
SSLv3 Poodle Attack on Ip Of semrush | Violation of Secure Design Principles | h3r0es | Low | 2018-03-13
Broken Authentication: A project addition request can be used multiple time for different users | Key Exchange without Entity Authentication | walterhwhite | High | 2018-03-13
clickjacking to Semrush auth login | UI Redressing (Clickjacking) | karrrtik | None | 2018-03-13
XXE in Site Audit function exposing file and directory contents | XML External Entities (XXE) | achapman | Critical | 2018-03-13
Cross-origin resource sharing misconfig | Improper Authentication - Generic | asad_anwar | Low | 2018-03-13
Security misconfiguration "weak passwords". | Violation of Secure Design Principles | whitehatmmalam | Medium | 2018-03-13
Insecure Direct Object Reference on API without API key | None supplied | scraps | High | 2018-03-13
Single Sing On - Clickjacking | UI Redressing (Clickjacking) | r0p3 | Low | 2018-02-21
Reflected XSS using Header Injection | Cross-site Scripting (XSS) - Reflected | inferno- | Low | 2018-01-18
Cross-origin resource sharing | None supplied | sureshbudharapu | High | 2018-01-11
Following links are vulnerable to clickjacking | UI Redressing (Clickjacking) | karma1 | Low | 2018-01-11
subdomain takeover at news-static.semrush.com | None supplied | 0ways | High | 2018-01-10
Cross-origin resource sharing misconfig \| steal user information | None supplied | bughunterboy | Medium | 2017-12-17