We have reviewed CVE-2026-31431 and assessed its impact on our environment.

This vulnerability requires local user access to be exploited. Our production infrastructure is provisioned and managed entirely through Terraform (Infrastructure-as-Code), and we do not provision local user accounts on our servers or permit interactive local access. As a result, the practical exploitability of this vulnerability in our environment is significantly reduced.

We are actively monitoring the Amazon Linux Security Advisory (ALAS) channel for the official patched kernel. Once AWS publishes the remediated kernel, we will apply it through our standard patching process promptly and in line with our vulnerability management SLAs.

We will continue to monitor for any updates to this CVE and adjust our response if the threat profile changes. Please reach out to our security team if you have any further questions.

We have reviewed the recent Cisco security advisory (cisco-sa-sdwan-rpa-EHchtZk) regarding an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage).

After validation against our asset inventory and network architecture, we confirm that HackerRank does not utilize Cisco Catalyst SD-WAN solutions within our environment. As such, this vulnerability is not applicable to our infrastructure and no remediation actions are required at this time. We will continue to monitor vendor advisories and maintain routine validation against our technology stack as part of our ongoing risk management process.

We are aware of the recently disclosed vulnerability CVE-2026-1731 affecting certain Bomgar (BeyondTrust) remote support appliances.

HackerRank does not utilize Bomgar (BeyondTrust) servers within our production or corporate environments. As such, this vulnerability does not impact our infrastructure.

We continuously monitor emerging security advisories and threat intelligence and proactively assess their relevance to our systems to ensure the ongoing security and integrity of our platform.

If you have any additional questions regarding our security posture, please contact our Security team at security@hackerrank.com.

HackerRank has completed its assessment of the recently disclosed React (CVE-2025-55182) and Next.js (CVE-2025-66478) vulnerabilities, both rated with the highest severity score of 10.

After thoroughly reviewing our systems, we confirmed that HackerRank does not use React Server Components or Next.js Server Components, which are the areas affected by these vulnerabilities. Our platform relies solely on client-side React, and no server-side code execution paths are exposed.

As an added precaution, we have also updated all React and Next.js dependencies to the latest safe, patched versions recommended by the framework maintainers.

Based on our architecture and these proactive updates, we have determined that HackerRank is not impacted by these vulnerabilities. We continue to monitor upstream security advisories to ensure the ongoing safety and reliability of our platform.

On November 27, 2025, Mixpanel publicly disclosed a security incident involving unauthorized access to portions of their systems and limited exposure of customer analytics data.

HackerRank does not use Mixpanel in any capacity across our products, services, infrastructure, or internal analytics.

As Mixpanel is not part of HackerRank’s technology stack or vendor ecosystem:

•    **No HackerRank systems were affected**  
•    **No HackerRank customer or candidate data was exposed**.  
•    **No action is required from HackerRank customers or users**

We are sharing this update to maintain transparency and to proactively reassure our customers and partners that this incident has no impact on HackerRank.

HackerRank remains committed to stringent security practices, continuous monitoring of our vendors, and maintaining the highest standards of data protection and privacy.

For any questions, please contact: security@hackerrank.com

A recent major security vulnerability was discovered with the data transfer utility MoveIT. We would like to bring to your attention that we do not utilize this software in our organization, we understand that some of our customers may have concerns or questions about its potential impact.

The vulnerability, tracked as CVE-2023-34362, is a zero-day vulnerability that can be exploited by malicious actors to steal data from organizations using MoveIT Transfer. It is important to note that this vulnerability is not related to any of our products or services. However, as part of our commitment to maintaining a transparent and secure environment for our customers, we have decided to publish this announcement to provide you with relevant information.

Please feel free to reach out to us at security@hackerrank.com if you have any questions or concerns.