I spent over an hour testing TestSprite website, dashboard, and docs. Found 12 bugs total — 6 on public pages, 6 after logging into the dashboard.
PART 1: Public Website Bugs (No Login Required)
Bug 1: Changlog Typo in Site-Wide Footer (Low)
Location: Footer on every page (testsprite.com)
Expected: Changelog
Actual: Changlog (missing e)
Impact: Appears on every page. Unprofessional for a QA company.
Bug 2: Inconsistent X/Twitter URLs (Medium)
Location: Navigation bar vs. footer
Actual: Nav uses https://x.com/Test_Sprite, footer uses https://x.com/test_sprite?s=21. Different casing and tracking params.
Bug 3: Hackathon Footer Links to Wrong Page (Medium)
Location: Footer Hackathon link
Expected: /hackathon-s2 (current hackathon)
Actual: /hackathon (may 404)
Bug 4: Two Different Discord Invite Links (Low)
Docs footer: discord.gg/QQB9tJ973e
Website footer: discord.com/invite/GXWFjCe4an
Impact: Users may end up in different servers.
Bug 5: Blog URL Contains Parentheses (Low)
Issue: Blog post URL has parentheses in slug, which can break URL parsers and SEO.
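One way to keep parentheses and other reserved characters out of post slugs, as an added example that is not TestSprite's code: generate the slug from the title with a whitelist-based transform and check any slug coming from a CMS against the same rule before publishing. The sample titles below are constructed.

```javascript
// Added example (not from the original page or TestSprite's code base).
// Produces URL-safe slugs: lowercase ASCII letters, digits and single hyphens only.
function slugify(title) {
  return String(title)
    .normalize('NFKD')                  // split accented letters into base + combining mark
    .replace(/[\u0300-\u036f]/g, '')    // drop the combining marks
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')        // any run of other chars (parentheses, spaces, punctuation) -> one hyphen
    .replace(/^-+|-+$/g, '');           // no leading or trailing hyphen
}

// Guard for slugs that were authored by hand or imported from a CMS.
const SAFE_SLUG = /^[a-z0-9]+(-[a-z0-9]+)*$/;
function isSafeSlug(slug) {
  return SAFE_SLUG.test(slug);
}

// Constructed sample titles, not real TestSprite posts.
const sampleTitles = [
  'Testing AI Agents (Part 2)',
  'Café Release Notes: v1.0 (beta)',
];
for (const t of sampleTitles) {
  const s = slugify(t);
  console.log(`${JSON.stringify(t)} -> /blog/${s} safe=${isSafeSlug(s)}`);
}
```

The whitelist approach is deliberate: listing characters to strip (just parentheses, say) leaves the next surprising character untouched, while listing what is allowed fails closed.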
Bug 6: Duplicate Anchor IDs on Job Listings (Low)
Location: About page - Open Positions
Actual: All Learn More buttons share the same anchor ID #1173457374.
PART 2: Dashboard Bugs (Login Required)
Bug 7: Stored XSS in Profile Fields (High)
Location: Dashboard > Settings > Profile
Steps: Enter XSS payloads in First name, Last name, and Company fields. Save changes.
Actual: All three fields accept raw XSS payloads without server-side sanitization:
- First name: script tag payload
- Last name: img onerror payload
- Company: svg onload payload
Note: React escapes rendering client-side, but stored unsanitized XSS is a security risk for API consumers and email notifications.
Severity: High
Bug 8: XSS in API Key Name (Medium)
Location: Dashboard > Settings > API Keys
Steps: Create a new API key with script tag as the name.
Actual: API key name field accepts XSS payloads. Displayed raw in the keys table.
Bug 9: XSS in Test Name (Medium)
Location: Create Tests flow > Step 1
Steps: Enter XSS payload as test name.
Actual: Test name field accepts raw script tags. No input validation.
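Bugs 7, 8 and 9 share one root cause: name-like fields are stored exactly as submitted and only the React front end escapes them. The block below is an added example, not TestSprite's code, of the two server-side controls that close that gap: strict validation of short name fields at write time, and HTML escaping at every non-React render point such as an email template. The field rules and sample inputs are assumptions constructed for the example.

```javascript
// Added example (not from the original page or TestSprite's code base).
// Server-side validation for short name fields (first name, last name,
// company, API key name, test name) plus output escaping for HTML email.

const NAME_MAX = 100;
// Allowed: letters in any script, digits, spaces and a small set of punctuation
// that appears in real names and company names. Angle brackets are never allowed.
const NAME_RE = /^[\p{L}\p{N} .,'&()-]+$/u;

// Returns { ok: true, value } with the trimmed value, or { ok: false, reason }.
function validateNameField(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  const trimmed = value.trim();
  if (trimmed.length === 0) return { ok: false, reason: 'empty' };
  if (trimmed.length > NAME_MAX) return { ok: false, reason: 'too long' };
  if (/[<>]/.test(trimmed)) return { ok: false, reason: 'markup characters not allowed' };
  if (!NAME_RE.test(trimmed)) return { ok: false, reason: 'unexpected characters' };
  return { ok: true, value: trimmed };
}

// Escape for an HTML text/attribute context. Stored data that bypassed
// validation (older rows, other write paths) is still rendered inert.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical email template: every interpolated value goes through escapeHtml.
function renderEmailGreeting(firstName) {
  return `<p>Hello, ${escapeHtml(firstName)}!</p>`;
}

// Constructed sample inputs (not real user data).
const samples = ["O'Brien & Sons (UK)", '<script>', 'Acme <b>Inc</b>', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', validateNameField(s));
}
console.log(renderEmailGreeting('<b>x</b>'));
```

Validation alone is not enough, because rows written before the check existed and any other write path (bulk import, an older API version) can still carry markup; escaping at each render point is what makes the stored value harmless to API consumers and email templates.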
Bug 10: Inconsistent Yearly Discount (Low)
Public pricing page: Save 30%
Dashboard billing page: Save 35%
Impact: Confusing for users deciding on a plan.
Bug 11: Dead Billing Overview Link (Low)
Location: Dashboard > Plan & Billing
Text: check your billing overview here
Actual: The here link points to # (does nothing).
Bug 12: False Schedule Limit Warning (Medium)
Location: Dashboard > Monitoring
Alert: Monitoring schedule limit reached. Upgrade now to add more.
Actual: Schedule list is empty (0 schedules created). User cannot create any schedule despite having 0.
Impact: Free plan users see an upgrade prompt for a feature they cannot use at all.
Bonus: Wrong Example File
The Example API doc link in the test creation flow points to a PDF called Introduce_GenreX_API_GenreX_API.pdf. GenreX appears to be a different product, not TestSprite.
Summary Table
| # | Bug | Severity | Location |
|---|---|---|---|
| 1 | Changlog typo | Low | Site-wide footer |
| 2 | Inconsistent X/Twitter URLs | Medium | Nav vs footer |
| 3 | Hackathon footer link broken | Medium | Footer |
| 4 | Two different Discord invites | Low | Docs vs website |
| 5 | Malformed blog URL slug | Low | Blog |
| 6 | Duplicate anchor IDs | Low | About page |
| 7 | Stored XSS in profile fields | High | Dashboard Profile |
| 8 | XSS in API key name | Medium | Dashboard API Keys |
| 9 | XSS in test name | Medium | Create Tests flow |
| 10 | Inconsistent yearly discount | Low | Pricing vs Billing |
| 11 | Dead billing overview link | Low | Dashboard Billing |
| 12 | False schedule limit warning | Medium | Dashboard Monitoring |
Account used: liuxigr@163.com
Testing time: ~60 minutes
Tools: Chrome browser, manual exploration
Tested April 15, 2026 | testsprite.com | docs.testsprite.com