403 on /get_all_users404 on /get_all_userzThen Rhynorater fuzzed until a double-encoded “S” slipped past the NGINX filter.✅ 200 on /get_all_user%2573Result: 4.5M users' PII dumped.Bounty: $15K–$20K

403 on /get_all_users
404 on /get_all_userz
Then Rhynorater fuzzed until a double-encoded “S” slipped past the NGINX filter.

✅ 200 on /get_all_user%2573

Result: 4.5M users' PII dumped.
Bounty: $15K–$20K