The following is a write-up of a series of vulnerabilities found in the Hack Club Clubs Dashboard. They were found on October 23rd, 2025.
I was looking through the Hack Club Clubs Dashboard code after reading a wonderful write-up of another Clubs vulnerability by @NeonGamerBot-QK. I noticed that all the code was in a single 16000+ line main.py file, so I looked through it and found several vulnerabilities.
Hack Club has an amazing security program led by 3kh0, which lets teenagers earn money for security vulnerabilities they find in Hack Club code. The vulnerabilities below were reported through the Hack Club Security program.
First, the XSS vuln: the clubs dashboard takes many user inputs, and especially in a Python app Cross-Site Scripting (XSS) is a serious risk. The clubs dashboard handles this with a sanitization helper inside the code. This is a great start! It excludes things like script tags and other HTML tags. However, the sanitization is not foolproof. For example, an attacker can inject <script>alert(String.fromCharCode(69))</script> with the HTML tags URI-encoded (in this example producing an alert box with the letter E), and that gets past the sanitizer scot-free because it only looks for literal tags. This lets a user inject whatever markup they want into the page.
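The sanitizer bypass above, as an added illustration that is not the dashboard's code: a constructed tag-stripping helper is compared with a hardened one that canonicalizes (percent-decodes) the input first and escapes instead of strips. The assumption, marked in the code, is that the stored value is URL-decoded again before rendering, which is what turns the encoded payload back into a live tag.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-in for the tag-stripping helper the write-up describes
# (not the dashboard's actual code): it removes literal HTML tags but never
# considers percent-encoded input.
TAG_RE = re.compile(r"<[^>]*>")

def naive_sanitize(value: str) -> str:
    return TAG_RE.sub("", value)

def canonicalize(value: str) -> str:
    # Percent-decode until the value stops changing, so %3C and the
    # double-encoded %253C both collapse to a literal '<' before any check.
    for _ in range(5):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def hardened_sanitize(value: str) -> str:
    # Escape rather than strip: after canonicalizing, every '<', '>', '&'
    # and quote becomes an entity, so the browser renders it as text.
    return html.escape(canonicalize(value), quote=True)

# Constructed payload modelled on the one in the write-up: the angle brackets
# are URI-encoded, so a regex looking for '<' sees nothing to strip.
ENCODED_PAYLOAD = "%3Cscript%3Ealert(String.fromCharCode(69))%3C/script%3E"

def reaches_browser_as_markup(stored: str) -> bool:
    # Assumption: the stored value is URL-decoded once more before it is
    # rendered, which is what turns the encoded bytes back into a tag.
    return "<script>" in unquote(stored).lower()
```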
I also found that the Heidi Bot (an AI support agent in the dashboard) had no input sanitization or jailbreak protection, so a user could jailbreak the bot to gain access to the server's Python code. This lets an attacker do practically anything Python and the installed packages allow.
Next, the second vulnerability: the ability to add a user as a club admin without authentication. This works through the verify-leader page, which checks your email, looks up your clubs, and adds you to the clubs you choose. However, there is a crucial flaw in this flow on the backend: while the frontend performs checks, the backend performs none of them. So sending a POST request to https://dashboard.hackclub.com/verify-leader with the following body:
{
  "step": "link_club",
  "email": "[email protected]",
  "club_name": "Name of Club"
}
would add [email protected] to the "Name of Club" club, with no verification needed.
The next one is a very easy way to bypass email verification. Several API routes require email verification, like the make_co_leader API route (which makes a user a co-leader, or removes one). This route should be handled sensitively, and the clubs dashboard does this!
However, there is one crucial flaw: the email_verified param is supplied client-side. This means an attacker (or malicious user) can set email_verified in their final request and bypass all email verification. An unauthorized actor can then transfer or delete co-leaders and perform other sensitive actions without email verification, which makes the verification useless.
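The two trust failures described above (the link_club step accepting any email in the request body, and make_co_leader trusting a client-supplied email_verified flag) as an added illustration that is not the dashboard's code. The session dicts, the club table, the "approved" leader lookup and the result strings are all constructed here; the fixed versions read identity and verification state only from the server-side session.

```python
from typing import Dict, Set

# Added illustration (not the dashboard's code) of the two trust failures
# the write-up describes: the link_club step accepting any email from the
# request body, and make_co_leader trusting a client-supplied email_verified
# flag. The session dicts, club table and result strings are constructed.

def fresh_clubs() -> Dict[str, dict]:
    # Constructed club table: one club, one legitimate leader.
    return {"Name of Club": {"leaders": {"leader@example.com"}, "co_leaders": set()}}

def vulnerable_link_club(clubs: dict, body: dict) -> str:
    # Mirrors the reported bug: whatever email the client sends is linked.
    clubs[body["club_name"]]["leaders"].add(body["email"])
    return "linked"

def fixed_link_club(clubs: dict, session: dict, body: dict,
                    approved: Dict[str, Set[str]]) -> str:
    # Identity and verification state come from the server-side session;
    # 'approved' is the server's own lookup of which emails lead which club.
    email, club = session.get("email"), body.get("club_name")
    if not email or not session.get("email_verified"):
        return "error: verify email first"
    if club not in clubs or email not in approved.get(club, set()):
        return "error: not a leader of this club"
    clubs[club]["leaders"].add(email)
    return "linked"

def vulnerable_make_co_leader(clubs: dict, body: dict) -> str:
    # Mirrors the reported bug: the client sets email_verified itself.
    if not body.get("email_verified"):
        return "error: verify email first"
    clubs[body["club_name"]]["co_leaders"].add(body["target"])
    return "added"

def fixed_make_co_leader(clubs: dict, session: dict, body: dict) -> str:
    club = clubs.get(body.get("club_name"))
    if club is None:
        return "error: no such club"
    if not session.get("email_verified"):          # server-side state only
        return "error: verify email first"
    if session.get("email") not in club["leaders"]:
        return "error: not a leader of this club"
    club["co_leaders"].add(body["target"])
    return "added"
```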
Next is an exposed endpoint: a public link to a Coolify deployment. While not obviously dangerous, when you look at what the endpoint does it can lead to serious misuse. The endpoint (https://yREDACTEDg.a.selfhosted.hackclub.com/invite-to-channel) lets anyone who queries it invite a user to any channel. This allows any user, even one not on the Slack, to mass-invite people to specific channels, which can lead to abuse. (Note that someone with a keen eye may realize this change was reverted! That is because that Coolify server was taken down, and a new change is coming soon to replace that system.)
Finally, there is the lack of protection for certain pages when suspended. One good feature of the dashboard is suspensions: admins can ban users who are misusing the dashboard or are banned from the platform, or, in my case, testing out vulns (like XSS). After one of my queries, the automod suspended me, which is good in practice!
However, if I go to the /gallery page, the site does not show the suspension warning. It also means I can post to the gallery, which is not good, especially considering that suspended users (who may be angry after their ban) can still post, which can lead to abuse.
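The suspension gap above, as an added example that is not the dashboard's code: per-page opt-in checks (where /gallery was simply never listed) contrasted with one check that runs before every handler. The routes, users and the public allow-list are constructed here.

```python
from typing import Callable, Dict, Optional, Tuple

# Added example (not the dashboard's code) contrasting per-page suspension
# checks, which missed /gallery, with one check enforced before any route
# runs. Users, routes and the public allow-list are constructed here.
Response = Tuple[int, str]
Handler = Callable[[Optional[dict]], Response]

ROUTES: Dict[str, Handler] = {
    "/login": lambda u: (200, "login page"),
    "/": lambda u: (200, "dashboard"),
    "/gallery": lambda u: (200, "gallery with post form"),
}
PUBLIC_ROUTES = {"/login"}
PAGES_WITH_SUSPENSION_CHECK = {"/"}   # /gallery was never added to this list

def dispatch_per_page(path: str, user: Optional[dict]) -> Response:
    # Each page opts in to the check; any page that forgets stays open.
    if path in PAGES_WITH_SUSPENSION_CHECK and user and user.get("suspended"):
        return 403, "suspended"
    return ROUTES[path](user)

def dispatch_global(path: str, user: Optional[dict]) -> Response:
    # Runs before every handler, so a new page cannot forget the check.
    if path in PUBLIC_ROUTES:
        return ROUTES[path](user)
    if user is None:
        return 302, "/login"          # gallery now requires a logged-in user
    if user.get("suspended"):
        return 403, "suspended"
    return ROUTES[path](user)
```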
After reporting the vulnerability, the clubs team was super helpful and eager to fix it, with one of the team members (who wasn't even a clubs engineer) offering to help patch some of the vulns within 10 minutes of the report, and within an hour the lead clubs engineer thanked me for the vuln report and announced a rewrite coming soon (which is long awaited!).
After around a week, I made PRs to fix all the issues, and the lead engineer sent me Hack Club socks and a pin for the help (though I lost the pin on a trip to New York within a week lmao). After those were merged, the lead clubs engineer went silent on all communication about the vulnerability.
Regarding the payout for this vulnerability: the clubs team has not paid me yet (more than a month later), and the lead clubs engineer has not responded to any of my DMs. The security team gave a ballpark estimate of $100 for the vulnerability.
- 2025-10-23 16:15 PT: the report was submitted.
- 2025-10-23 18:50 PT: the report was sent to the clubs team.
- 2025-10-23 19:01 PT: a staff member from the clubs team responded to the issue.
- 2025-10-26 14:06 PT: a PR created by me to remove the AI XSS vulns and the public Slack API link was merged (#103).
- 2025-10-26 17:58 PT: a PR created by me to restrict the gallery page to logged-in users, stopping suspended users from accessing it, was merged (#107).
- 2025-10-31 19:22 PT: a PR created by me to add verification for the link_club step, add server-side email verification for critical steps and improve the sanitization code was merged (#108). This resolves all vulnerabilities.
- 2025-12-5 17:01 PT: this write-up went public.
Many community members in Hack Club have criticised the Clubs dashboard for its use of "vibe coding", and it has been cited as the cause of many of the vulnerability reports in the club dashboard. From what I found, neglect by the AI coding agent was one of the main causes of these vulnerabilities. However, I have good news! When the lead clubs engineer responded, he also announced that a much-needed refactor (and re-organization, looking at you, 16000+ line Python file) was in the works as well! Which is great!
The clubs team was super helpful in fixing the bugs, and the much-needed rewrite of the backend is going to be very exciting. The idea of a clubs dashboard is really cool, and the clubs team did a great job on the UX! I can't wait to see it keep evolving! I have also been informed that the Clubs Dashboard has been deprecated indefinitely at the moment.
beautiful, absolute cinema
club dash did go kaboom tho
~ silly fella @ clubs ops