XBOW Platform

XBOW

An autonomous AI-driven penetration-testing platform with public bug-bounty milestones and self-reported Microsoft critical RCE credits.

Indexed entries: 3
CVE IDs tracked: 3
Critical/high entries: 3
Evidence index: 84%

What it is

XBOW describes itself as a fully autonomous AI-driven penetration tester. The public record includes bug-bounty milestones on HackerOne and a March/April 2026 write-up claiming autonomous discovery of three critical Microsoft remote-code-execution vulnerabilities.

What is verified

The CVEs in this index are real Microsoft/NVD records. XBOW’s role is sourced to XBOW’s own publication rather than to the NVD pages, so Bugflation labels those entries as self-reported AI attribution.

That distinction is intentional. Self-reported AI attribution can still be important, especially when the CVE and vendor fix are public. It is not the same evidence class as an upstream advisory crediting the system directly.

Why it matters

XBOW is the public bridge between AI-assisted code review and autonomous black-box penetration testing. Whether every marketing claim proves durable is a separate question. The observable signal is that bug-bounty platforms and major vendors are now handling high-impact reports produced with substantial agentic automation.

Sources

Attributed findings

Catalogued entries credited to XBOW.