
Vulnerability Database

Every vulnerability Vezraa checks for — with full descriptions, real-world impact, and fix examples. Sourced from OWASP, CWE, and IBM security research.

Supabase RLS Misconfiguration

CRITICAL · CWE-284

Row Level Security (RLS) is disabled on Supabase tables, allowing unauthenticated users to read, insert, update, or delete data directly via the public anon key.

Database Security · Supabase · PostgreSQL · Next.js

Exposed API Key in JS Bundle

CRITICAL · CWE-798

API keys, secrets, or tokens are hardcoded in client-side JavaScript and visible in the browser bundle via DevTools.

Secret Exposure · Next.js · React · Vue

Missing Content Security Policy

HIGH · CWE-1021

Your app does not send a Content-Security-Policy header, leaving it vulnerable to XSS and data injection attacks.

Security Headers · All web apps

Missing HSTS Header

HIGH · CWE-319

Your app does not include the Strict-Transport-Security header, allowing attackers to downgrade connections from HTTPS to HTTP.

Security Headers · All web apps

Missing X-Frame-Options Header

MEDIUM · CWE-1021

Your app does not send the X-Frame-Options header, making it possible for attackers to embed your site in an iframe and conduct clickjacking attacks.

Security Headers · All web apps

Admin Route Without Authentication

CRITICAL · CWE-306

Admin or management routes are accessible without any authentication check, allowing anyone to access privileged functionality.

Authentication · Next.js · React · Vue

Razorpay Webhook Without Signature Verification

CRITICAL · CWE-345

Your Razorpay webhook endpoint does not verify the webhook signature, allowing attackers to forge payment events.

Payment Security · Razorpay · Next.js · Express

Stripe Webhook Without Signature Verification

CRITICAL · CWE-345

Your Stripe webhook endpoint does not verify the Stripe-Signature header, allowing attackers to forge payment events.

Payment Security · Stripe · Next.js · Express

CORS Wildcard Misconfiguration

HIGH · CWE-942

Your API responds with Access-Control-Allow-Origin: *, allowing any website to make authenticated requests to your API.

API Security · Express · Fastify · Next.js API

Subdomain Takeover via CNAME

HIGH · CWE-350

A CNAME record points to an external service that is no longer provisioned, allowing attackers to claim the subdomain and host content under your domain.

DNS Security · DNS · Vercel · Netlify

SQL Injection via Unsanitized Input

CRITICAL · CWE-89

User input is concatenated directly into SQL queries without parameterization, allowing attackers to manipulate query logic.

Injection · Express · PHP · Raw SQL queries

XSS via DOM Manipulation

HIGH · CWE-79

User-controlled data is inserted into the DOM using innerHTML, dangerouslySetInnerHTML, or v-html without sanitization.

Injection · React · Vue · Angular

IDOR — Insecure Direct Object Reference

HIGH · CWE-639

API endpoints accept user-supplied IDs without verifying ownership, allowing users to access other users' resources by changing an ID parameter.

Access Control · Next.js · Express · REST APIs

JWT 'None' Algorithm Attack

CRITICAL · CWE-345

Your JWT verification library accepts tokens signed with the 'none' algorithm, allowing attackers to forge valid tokens without knowing the secret.

Authentication · JWT · Node.js · Python

Password in Query String

HIGH · CWE-319

Sensitive data such as passwords or tokens are transmitted in URL query strings, where they are logged by servers, proxies, and analytics.

Secret Exposure · All web apps

Sensitive Data in LocalStorage

MEDIUM · CWE-312

Sensitive information such as auth tokens, API keys, or PII is stored in localStorage where it is accessible to any JavaScript running on the page.

Client-Side Security · All SPAs · React · Vue

Open Redirect Vulnerability

MEDIUM · CWE-601

Your app accepts a redirect URL parameter and forwards users to it without validation, enabling phishing attacks.

Input Validation · Next.js · Express · All backends

CSRF — Missing Anti-Forgery Token

HIGH · CWE-352

Your state-changing endpoints do not require CSRF tokens, allowing attackers to forge requests on behalf of authenticated users.

Authentication · Express · REST APIs · Cookie-based auth

Rate Limiting Not Enforced on LLM Endpoint

HIGH · CWE-770

LLM-powered endpoints lack rate limiting, allowing attackers to exhaust your API quota and rack up massive bills.

AI Security · OpenAI · Anthropic · LLM APIs

Prompt Injection in AI App

CRITICAL · CWE-77

Your AI application does not sanitize user input for prompt injection attacks, allowing users to override system instructions.

AI Security · OpenAI · Anthropic · LLM apps

OWASP LLM01 — Prompt Injection

CRITICAL · CWE-77

Direct or indirect prompt injection vulnerabilities allow attackers to manipulate LLM behavior by injecting malicious instructions into user input or external data.

AI Security · OpenAI · Anthropic · Google AI

OWASP LLM02 — Insecure Output Handling

HIGH · CWE-116

LLM-generated output is rendered without sanitization, potentially allowing XSS or code execution if the LLM produces malicious output.

AI Security · All LLM apps · Next.js · React

OWASP LLM06 — Sensitive Information Disclosure

HIGH · CWE-200

Your LLM application leaks system prompts, API keys, database schemas, or other sensitive information in its responses.

AI Security · All LLM apps

SPF Record Missing

MEDIUM · CWE-345

Your domain lacks an SPF DNS record, allowing attackers to send forged emails that appear to come from your domain.

Email Security · DNS · Email

DMARC Record Missing

MEDIUM · CWE-345

Your domain lacks a DMARC policy, meaning receiving mail servers have no guidance on handling unauthenticated emails from your domain.

Email Security · DNS · Email

DKIM Not Configured

MEDIUM · CWE-345

Your domain lacks DKIM (DomainKeys Identified Mail) signing, meaning outgoing emails cannot be cryptographically verified as authentic.

Email Security · DNS · Email

NPM Dependency With Known CVE

HIGH · CWE-1104

Your project depends on npm packages with publicly known vulnerabilities (CVEs) that have available fixes.

Supply Chain · Node.js · NPM

Exposed Next.js API Route

HIGH · CWE-306

A Next.js API route exposes sensitive data or functionality without proper authentication or rate limiting.

API Security · Next.js

Debug Mode Enabled in Production

MEDIUM · CWE-489

Debug or development mode is enabled in production, exposing detailed error pages, stack traces, and configuration information.

Configuration · Next.js · Express · Django

Firebase Rules Open to World

CRITICAL · CWE-284

Your Firebase/Firestore security rules allow read/write access to unauthenticated users, exposing your entire database.

Database Security · Firebase · Firestore