A 16-year-old high school security researcher discovered a critical cross-site scripting (XSS) vulnerability in the AI documentation platform Mintlify, which could allow attackers to steal user credentials through malicious scripts. The vulnerability affected several major tech companies including Discord, X (Twitter), Vercel, and Cursor. The researcher successfully exploited the static file serving functionality to bypass security restrictions by embedding malicious scripts in SVG files after analyzing Mintlify’s API endpoints. This incident reveals the security risks in AI tool supply chains, demonstrating the cascading effects that a single component vulnerability can trigger. The researcher has responsibly disclosed the vulnerability to affected companies and received a total of approximately $11,000 in security bounties.
Original link:Hacker News





