Vulnerability Encyclopedia
understand, detect, remediate
A practical reference for security professionals. Each entry covers what the vulnerability is, how to find it, and how to fix it, with CVSS scoring, compliance mapping, and detection guidance.
No credit card required. Free plan available forever.
72 vulnerabilities
SQL Injection
SQL injection allows attackers to manipulate database queries through unsanitised user input, potentially leading to full data breaches, authentication bypass, and remote code execution.
Read moreOS Command Injection
Command injection allows attackers to execute arbitrary operating system commands on the host server by injecting malicious input into application functions that pass data to system shells.
Read moreInsecure Deserialization
Insecure deserialization allows attackers to manipulate serialised objects to achieve remote code execution, privilege escalation, or injection attacks when the application deserialises untrusted data.
Read moreJWT Security Vulnerabilities
JWT vulnerabilities include weak signing algorithms, missing expiration claims, the "none" algorithm bypass, and algorithm confusion attacks that can lead to authentication bypass and token forgery.
Read moreDefault Credentials
Default credentials provide attackers with immediate, unauthenticated access to systems and applications. They are among the first things automated scanners and botnets check.
Read moreHardcoded Secrets
Hardcoded secrets (API keys, passwords, tokens, and private keys embedded in source code) are a leading cause of data breaches when code is shared, committed to repositories, or decompiled.
Read moreRemote Code Execution (RCE)
Remote code execution lets attackers run arbitrary commands on your server by exploiting code injection flaws, unsafe deserialization, or unpatched dependencies, often leading to full system compromise.
Read moreBuffer Overflow
Buffer overflow vulnerabilities occur when a program writes data beyond the bounds of allocated memory, allowing attackers to corrupt data, crash applications, or execute arbitrary code.
Read moreAuthentication Bypass
Authentication bypass lets attackers access protected resources without valid credentials by exploiting logic flaws, default accounts, weak tokens, or missing auth checks on API endpoints.
Read moreServer-Side Template Injection
SSTI occurs when user input is embedded directly into server-side template code, allowing attackers to inject template expressions that execute arbitrary code on the server.
Read moreCross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users, enabling session hijacking, credential theft, and defacement.
Read moreServer-Side Request Forgery (SSRF)
SSRF allows attackers to make the server send requests to internal services, cloud metadata endpoints, or other restricted resources, potentially leading to data exfiltration or remote code execution.
Read moreInsecure Direct Object Reference (IDOR)
IDOR occurs when an application exposes internal object references without authorisation checks, allowing attackers to access or modify other users' data by simply changing a parameter value.
Read moreBroken Authentication
Broken authentication encompasses weaknesses in login mechanisms (weak brute-force protection, predictable tokens, insecure password recovery) that allow attackers to compromise user accounts.
Read moreSensitive Data Exposure
Sensitive data exposure occurs when applications inadvertently leak PII, credentials, API keys, or internal details through responses, logs, error messages, or insecure storage.
Read morePath Traversal
Path traversal (directory traversal) allows attackers to access files and directories outside the intended web root by manipulating file path references with sequences like "../".
Read moreXML External Entity (XXE) Injection
XXE injection exploits misconfigured XML parsers to read local files, perform SSRF, or cause denial of service through entity expansion attacks.
Read moreCORS Misconfiguration
CORS misconfiguration occurs when overly permissive cross-origin resource sharing policies allow malicious websites to read sensitive data from your application on behalf of authenticated users.
Read moreSubdomain Takeover
Subdomain takeover occurs when a DNS record points to a deprovisioned cloud resource, allowing attackers to claim the resource and serve malicious content on a trusted subdomain.
Read moreUnrestricted File Upload
Unrestricted file upload vulnerabilities allow attackers to upload malicious files (web shells, scripts, or executables) that can lead to remote code execution on the server.
Read moreSession Fixation & Session Management
Session fixation allows attackers to set a user's session ID before authentication, gaining access to the authenticated session. Weak session management amplifies the risk.
Read moreVulnerable & Outdated Dependencies
Using libraries and frameworks with known vulnerabilities is one of the most common security risks. Attackers actively exploit published CVEs in outdated dependencies.
Read moreBroken Access Control
Broken access control, the #1 OWASP Top 10 category, allows users to act outside their intended permissions, accessing other users' data or performing unauthorised administrative actions.
Read moreCloud Storage Misconfiguration
Misconfigured cloud storage buckets (AWS S3, Google Cloud Storage, Azure Blob) with public access are a leading cause of large-scale data breaches, exposing sensitive files to the internet.
Read morePrivilege Escalation
Privilege escalation occurs when an attacker gains access to resources or functionality beyond their authorized level, either by accessing other users' data (horizontal) or elevating to admin roles (vertical).
Read moreDenial of Service (DoS)
Denial of service attacks exhaust application resources through crafted requests, algorithmic complexity abuse, or resource flooding, making your service unavailable to legitimate users.
Read morePrototype Pollution
Prototype pollution lets attackers inject properties into JavaScript Object prototypes through unsafe merge or clone operations, potentially leading to XSS, RCE, or denial of service.
Read moreNoSQL Injection
NoSQL injection exploits applications that pass unsanitised input to NoSQL database queries, allowing attackers to bypass authentication, extract data, or manipulate query logic using operators like $gt, $ne, and $regex.
Read moreHTTP Request Smuggling
HTTP request smuggling exploits discrepancies between how front-end proxies and back-end servers parse HTTP requests, allowing attackers to smuggle malicious requests that bypass security controls.
Read moreRace Condition (TOCTOU)
Race conditions exploit timing gaps between checking a condition and using the result, allowing attackers to send parallel requests that bypass limits, duplicate transactions, or corrupt application state.
Read moreMass Assignment
Mass assignment occurs when an application automatically binds request parameters to internal data models without filtering, letting attackers modify protected fields like roles, prices, or permissions.
Read moreWeb Cache Poisoning
Web cache poisoning manipulates caching systems by injecting malicious content through unkeyed inputs (headers, cookies), causing the poisoned response to be served to every subsequent visitor.
Read moreWeb Cache Deception
Web cache deception tricks an intermediate cache (CDN, reverse proxy, or load balancer) into storing a private, authenticated response under a URL that looks static, so any subsequent visitor can retrieve another user's data by requesting the same path.
Read moreGraphQL Vulnerabilities
GraphQL APIs introduce unique security risks including introspection leaks, deeply nested query attacks, batching abuse, and field-level authorization gaps that can expose sensitive data or crash servers.
Read moreLDAP Injection
LDAP injection manipulates directory service queries by injecting special characters into unsanitised input, allowing attackers to bypass authentication, enumerate users, or extract directory data.
Read moreLocal File Inclusion (LFI/RFI)
File inclusion vulnerabilities let attackers read arbitrary server files (LFI) or load external malicious scripts (RFI) by manipulating file path parameters, potentially leading to credential theft or remote code execution.
Read moreBusiness Logic Flaws
Business logic flaws exploit gaps between intended application behaviour and actual implementation, allowing attackers to bypass workflows, manipulate pricing, skip validation steps, or abuse functionality in unintended ways.
Read moreOAuth Misconfiguration
OAuth misconfigurations, including open redirect URIs, missing state parameters, and implicit flow token exposure, enable attackers to steal authorization codes, hijack accounts, and access protected resources.
Read moreBroken Object Level Authorization (BOLA)
BOLA is the API-context authorization failure where an endpoint accepts an object identifier and returns the resource without verifying that the caller is allowed to read or modify that specific object. Ranked first on the OWASP API Security Top 10 (API1:2023), BOLA is the most common API vulnerability and the most damaging when it leaks tenant data.
Read moreRegex Denial of Service (ReDoS)
Regex denial of service (CWE-1333) abuses catastrophic backtracking in poorly written regular expressions. A single crafted string of a few hundred characters can pin a CPU core for minutes, freezing request handlers, exhausting worker pools, and taking the application offline without any traffic flood.
Read morePrompt Injection
Prompt injection lets an attacker override the developer's instructions to a large language model by smuggling adversarial content into the prompt or into context the model later reads. It is ranked LLM01 on the OWASP Top 10 for LLM Applications and is the most common finding in LLM-backed product pentests.
Read morePassword Reset Poisoning
Password reset poisoning lets an attacker rewrite the domain in a victim's reset email by manipulating the Host or X-Forwarded-Host header. The reset token is generated against a real account but delivered as a link to an attacker-controlled domain, leading to silent account takeover without any credential phishing.
Read moreWebSocket Security
WebSocket flaws live in the gap between a single authorised upgrade and a long-lived bidirectional channel. Missing origin validation enables cross-site WebSocket hijacking. Missing per-message authorisation lets a low-privileged session reach privileged actions. Missing rate limits and frame-size caps turn a single socket into a denial-of-service primitive.
Read moreDOM Clobbering
DOM clobbering shadows global properties on window and document by injecting HTML elements with controlled id and name attributes. The technique bypasses HTML sanitisers and Content Security Policy because no script tag or event handler is required: page JavaScript reads what it thinks is configuration and instead reads attacker-controlled DOM references.
Read moreXPath Injection
XPath injection manipulates queries against XML data stores by injecting filter syntax into unsanitised input. Login forms backed by XML user files, configuration lookups, and legacy enterprise apps that rely on XQuery or XPath expressions can leak the full document, bypass authentication, or surface admin-only nodes when input is concatenated into the query string.
Read moreWeak Cryptography
Weak cryptography covers any application-layer cryptographic choice that fails to deliver its security guarantee: MD5 or SHA1 used for password hashing or signatures, AES in ECB mode, predictable initialisation vectors, hardcoded keys, weak key lengths, JWTs accepting the none algorithm, and Math.random used as a security primitive. The data may be encrypted on paper, but the protection is illusory once an attacker recognises the weakness.
Read moreParameter Tampering
Parameter tampering is the manipulation of values that travel between client and server (hidden fields, query strings, POST bodies, cookies, and headers) to make the server act on values it should never have trusted. The best-known shape is shopping-cart price tampering, but the class spans privilege flips, identifier swaps, currency switches, quantity overflows, and feature-flag toggles. The bug is not the manipulation; it is the server choosing to trust a client-controlled value.
Read morePadding Oracle Attack
A padding oracle attack lets an attacker decrypt or forge ciphertext one byte at a time by submitting modified ciphertexts and observing whether the server reports a padding error or another distinguishable response. The cipher is real, the key is secret, but the server still leaks plaintext because it discloses, through error messages or timing, whether the decrypted padding was valid. The bug is not the encryption; it is the oracle.
Read moreSecond-Order SQL Injection
Second-order SQL injection (also called stored or persistent SQL injection) stores a tainted value through one safe-looking endpoint, then triggers the injection on a later query that reads the stored value into an unsafe SQL string. The vulnerable sink is rarely the endpoint that took the input. Standard reflected SQLi tests miss it because the payload does not fire until a different code path runs.
Read moreXSS via SVG File Upload
SVG is an XML-based image format that supports script tags, event handlers, and external references. When an application accepts SVG uploads and serves them back inline from an origin that holds session state, every uploaded file becomes a stored XSS payload that runs as the victim user. The vulnerability lives in the rendering contract, not in the upload form.
Read moreSMTP Header Injection
SMTP injection turns a contact form, signup confirmation, or password reset endpoint into an attacker-controlled mail relay. By injecting carriage return and line feed sequences into a user-controlled field that ends up in an email header, an attacker adds extra recipients, replaces the subject, rewrites the From address, or drops a fully-formed message body that the application sends from its own infrastructure. The vulnerability lives in the mail-building step, not in the mail server.
Read moreInsecure Randomness
Insecure randomness covers any security-sensitive value generated by a non-cryptographic random number generator. Session identifiers from Math.random, password reset tokens from java.util.Random, OAuth state from rand(), or CSRF tokens seeded from a process timestamp all share the same shape: the algorithm is deterministic, the seed is recoverable, and an attacker who watches a few outputs can predict the next one. The library call returns a random-looking number; the security guarantee never lands.
Read moreBroken Function Level Authorization (BFLA)
BFLA is the function-level authorization failure where a privileged or administrative API endpoint accepts a request from a caller that should not be allowed to invoke it. Authentication passes and the route resolves, but the role, scope, or tenant check that should gate the action is missing or only enforced in the UI. Ranked fifth on the OWASP API Security Top 10 (API5:2023), BFLA is the action-level analogue of BOLA and a frequent path to vertical privilege escalation in modern multi-tenant APIs.
Read moreBroken Object Property Level Authorization (BOPLA)
BOPLA is the field-level authorisation failure inside an object the caller is otherwise allowed to access. The route resolves, the object loads, and the wrong fields come back on a read or get accepted on a write. Ranked third on the OWASP API Security Top 10 (API3:2023), BOPLA absorbs the older Excessive Data Exposure (read side) and Mass Assignment (write side) categories and is one of the quietest paths to silent privilege escalation in modern multi-tenant APIs.
Read moreCross-Site Request Forgery (CSRF)
CSRF tricks authenticated users into submitting unintended requests, allowing attackers to change account settings, transfer funds, or modify data without the user's knowledge.
Read moreSecurity Misconfiguration
Security misconfiguration is one of the most common vulnerability categories. Missing security headers, default credentials, verbose error messages, and unnecessary services expose applications to attack.
Read moreOpen Redirect
Open redirect vulnerabilities allow attackers to redirect users from a trusted domain to a malicious site, enabling phishing attacks that leverage the trust of the vulnerable domain.
Read moreTLS/SSL Misconfiguration
TLS/SSL misconfigurations (deprecated protocols, weak ciphers, expired certificates, and missing HSTS) expose encrypted communications to interception and downgrade attacks.
Read moreMissing Security Headers
Missing HTTP security headers leave applications vulnerable to clickjacking, XSS, MIME sniffing, and other client-side attacks that are easily prevented with proper header configuration.
Read moreWeak Password Policy
Weak password policies permit short or simple passwords that are easily guessed or cracked through brute-force, dictionary, or credential stuffing attacks.
Read moreMissing Rate Limiting
Missing rate limiting allows attackers to send unlimited requests to sensitive endpoints, enabling brute-force attacks, credential stuffing, account enumeration, and denial of service.
Read moreDNS Misconfiguration
DNS misconfigurations (missing or incorrect SPF, DKIM, and DMARC records) allow attackers to spoof your domain in phishing emails, damaging reputation and enabling social engineering.
Read moreClickjacking (UI Redress)
Clickjacking tricks users into clicking hidden UI elements by overlaying a transparent iframe on a malicious page, enabling unauthorized actions like changing account settings or initiating transfers.
Read moreHost Header Injection
Host header injection exploits applications that trust the HTTP Host header for URL generation, enabling password reset poisoning, cache poisoning, and server-side request routing manipulation.
Read moreCRLF Injection
CRLF injection inserts carriage return and line feed characters into HTTP responses, allowing attackers to split responses, inject headers, set malicious cookies, or enable cross-site scripting.
Read moreInsufficient Logging and Monitoring
Insufficient logging and monitoring (OWASP A09:2021) leaves authentication failures, access control violations, and exploit attempts invisible to defenders. Without an audit trail and active alerting, breaches go undetected long enough for attackers to pivot, persist, and exfiltrate.
Read moreHTTP Parameter Pollution (HPP)
HTTP parameter pollution exploits the disagreement between WAFs, reverse proxies, and applications about which copy of a duplicated parameter to honour, enabling authorisation bypass, WAF evasion, redirect override, and rate limit evasion across the request path.
Read moreCSV Injection (Formula Injection)
CSV injection lets an attacker plant spreadsheet formulas inside data that the application later exports as a CSV, XLSX, or TSV file. When a user opens the export in Excel, LibreOffice Calc, or Google Sheets, the formula executes inside the spreadsheet, leading to data exfiltration, hyperlink phishing, and, on legacy DDE-enabled clients, command execution on the analyst workstation.
Read moreUsername Enumeration
Username enumeration is a discrepancy in application responses that lets an unauthenticated attacker decide whether a given username, email, or phone number belongs to a real account. The login form returns a different error for a known account, the signup form rejects an email that already exists, the password reset flow takes longer when the address resolves, or the MFA prompt only appears after a valid first-factor. Each one is a small leak; together they hand an attacker a clean list of valid accounts to target with credential stuffing, password spraying, phishing, and reset-flow abuse.
Read moreHTML Injection
HTML injection (CWE-80) is any condition where an application reflects attacker-controlled markup into the rendered HTML of a page without first encoding it for the HTML context. The vulnerability sits next to but distinct from XSS: HTML injection covers the markup-injection root, XSS adds JavaScript execution. When a WAF blocks script tags but lets iframes, anchors, or styles through, the result is in-domain phishing, brand defacement, dangling-markup data exfiltration, and the conditions for chaining into clickjacking or open-redirect attacks.
Read moreDirectory Listing
Directory listing reveals the contents of web server directories to anyone who requests them, potentially exposing backup files, configuration files, source code, and other sensitive data.
Read moreInformation Disclosure
Information disclosure through verbose error messages, stack traces, server banners, and debug pages gives attackers valuable intelligence about your application's internals and attack surface.
Read moreDetect vulnerabilities automatically
SecPortal scans for all these vulnerabilities with 33+ built-in modules. External scanning, authenticated testing, and code analysis. Start free.
No credit card required. Free plan available forever.