Vulnerability Database
Every vulnerability Vezraa checks for — with full descriptions, real-world impact, and fix examples. Sourced from OWASP, CWE, and IBM security research.
Supabase RLS Misconfiguration
CRITICAL (CWE-284): Row Level Security (RLS) is disabled on Supabase tables, so anyone holding the public anon key (which ships in the client bundle by design) can read, insert, update, or delete rows directly through the PostgREST API, bypassing your application code entirely.
Exposed API Key in JS Bundle
CRITICAL (CWE-798): API keys, secrets, or tokens are hardcoded in client-side JavaScript and readable by anyone who opens the bundle in DevTools or fetches it with curl. Keys that are public by design (Stripe publishable keys, Supabase anon keys, Firebase project config) are not the problem; server-side secrets such as Stripe secret keys, Supabase service_role keys, or cloud access keys are.
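As an added example (not Vezraa's scanner code), the check below scans a JavaScript bundle for well-known secret prefixes and for Supabase JWTs, and tells an anon key (expected in a client) apart from a service_role key (never acceptable there) by decoding the token's role claim. The key prefixes are the providers' documented public formats; the bundle text and every key value in it are constructed and not real credentials.

```javascript
// Added example, not Vezraa's scanner: scan a JS bundle for secret patterns.
// The key formats (sk_live_, AKIA, AIza) are documented public prefixes; the
// bundle text below is constructed and the key values in it are not real.
const SECRET_PATTERNS = [
  { type: 'Stripe live secret key', severity: 'CRITICAL', re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { type: 'AWS access key ID', severity: 'CRITICAL', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'Google API key', severity: 'HIGH', re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  // Generic "<name> = '<long value>'" assignments; noisy, so meant for triage rather than blocking.
  { type: 'Secret-looking assignment', severity: 'HIGH',
    re: /(?:api[_-]?key|secret(?:[_-]?access[_-]?key)?|token|password)\s*[:=]\s*["'][^"']{16,}["']/gi },
];
const JWT_RE = /\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\b/g;

function decodeJwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
  } catch {
    return null; // looked like a JWT but is not one
  }
}

function redact(s) {
  return s.length <= 12 ? s : `${s.slice(0, 12)}...`;
}

function scanBundle(source) {
  const findings = [];
  for (const { type, severity, re } of SECRET_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ type, severity, sample: redact(m[0]), offset: m.index });
    }
  }
  // Supabase keys are JWTs whose "role" claim says whether they were meant to be public.
  for (const m of source.matchAll(JWT_RE)) {
    const claims = decodeJwtPayload(m[0]);
    if (!claims || typeof claims.role !== 'string') continue;
    if (claims.role === 'service_role') {
      findings.push({ type: 'Supabase service_role key (bypasses RLS; must never ship to clients)',
        severity: 'CRITICAL', sample: redact(m[0]), offset: m.index });
    } else if (claims.role === 'anon') {
      findings.push({ type: 'Supabase anon key (public by design; safe only with RLS enabled)',
        severity: 'INFO', sample: redact(m[0]), offset: m.index });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample bundle. The JWTs are built here with a fake signature ("c2ln").
const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fakeJwt = (role) => `${b64urlJson({ alg: 'HS256', typ: 'JWT' })}.${b64urlJson({ iss: 'supabase', role })}.c2ln`;
const SAMPLE_BUNDLE = [
  'const stripe = Stripe("pk_live_51HxxxxxxxxxxxxxxxxxxxxxxPUBLIC");',
  'fetch("https://api.stripe.com/v1/charges", { headers: { Authorization: "Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc" } });',
  'const s3 = new S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" });',
  `const supabase = createClient("https://xyz.supabase.co", "${fakeJwt('anon')}");`,
  `const supabaseAdmin = createClient("https://xyz.supabase.co", "${fakeJwt('service_role')}");`,
  'const OPENAI_API_KEY = "sk-proj-constructedexamplevalue0001";',
].join('\n');
```

Running `scanBundle(SAMPLE_BUNDLE)` yields six findings: the Stripe secret key, the AWS key ID, two secret-looking assignments (the AWS secret access key and the OpenAI key), the service_role JWT rated CRITICAL, and the anon JWT rated INFO. The publishable `pk_live_` key is deliberately not reported.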
Missing Content Security Policy
HIGH (CWE-1021): Your app does not send a Content-Security-Policy header. A missing CSP does not by itself create an XSS bug, but CSP is the browser-enforced control that stops an injected script from executing or exfiltrating data once a bug exists, and its frame-ancestors directive is the modern replacement for X-Frame-Options.
Missing HSTS Header
HIGH (CWE-319): Your app does not send the Strict-Transport-Security header, so browsers will still follow plain-HTTP links and redirects to your domain, letting an on-path attacker downgrade (SSL-strip) the connection before your HTTPS redirect ever happens. Use a max-age of at least one year with includeSubDomains.
Missing X-Frame-Options Header
MEDIUM (CWE-1021): Your app does not send the X-Frame-Options header (and no CSP frame-ancestors directive), so any site can embed it in an iframe and conduct clickjacking attacks.
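The three header checks above, as an added example that is not Vezraa's code: an audit function over a response's headers that reports the missing ones, applies the usual thresholds (a one-year HSTS max-age, CSP frame-ancestors superseding X-Frame-Options, 'unsafe-inline' scripts without nonces or hashes), and a hardened header set to compare against. The thresholds are standard guidance and the header values are constructed for the example.

```javascript
// Added example, not Vezraa's code: audit response security headers as a scanner
// would, and emit a hardened set. Thresholds are standard guidance, not page data.
const ONE_YEAR = 31536000;

const RECOMMENDED_HEADERS = {
  'content-security-policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'strict-transport-security': `max-age=${ONE_YEAR}; includeSubDomains`,
  'x-frame-options': 'DENY', // redundant with frame-ancestors, kept for old browsers
};

function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  return out;
}

function auditSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push({ id: 'missing-csp', severity: 'HIGH', detail: 'no Content-Security-Policy header' });
  } else {
    // script-src governs scripts; if absent, default-src applies.
    const scriptDirective = (csp.match(/(?:^|;)\s*script-src([^;]*)/) || csp.match(/(?:^|;)\s*default-src([^;]*)/) || [])[1] || '';
    if (/'unsafe-inline'/.test(scriptDirective) && !/'(nonce-|sha256-|sha384-|sha512-)/.test(scriptDirective)) {
      findings.push({ id: 'csp-unsafe-inline-scripts', severity: 'MEDIUM',
        detail: "'unsafe-inline' without nonces or hashes leaves inline script injection exploitable" });
    }
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push({ id: 'missing-hsts', severity: 'HIGH', detail: 'no Strict-Transport-Security header' });
  } else {
    const m = hsts.match(/max-age=(\d+)/i);
    const age = m ? Number(m[1]) : 0;
    if (age < ONE_YEAR) findings.push({ id: 'hsts-short-max-age', severity: 'LOW', detail: `max-age ${age} is below one year` });
    if (!/includeSubDomains/i.test(hsts)) findings.push({ id: 'hsts-no-subdomains', severity: 'LOW', detail: 'subdomains stay downgradable' });
  }

  // X-Frame-Options is only needed when CSP does not already carry frame-ancestors.
  const hasFrameAncestors = csp ? /(?:^|;)\s*frame-ancestors\s/.test(csp) : false;
  if (!h['x-frame-options'] && !hasFrameAncestors) {
    findings.push({ id: 'missing-x-frame-options', severity: 'MEDIUM',
      detail: 'no X-Frame-Options and no CSP frame-ancestors: the page can be framed (clickjacking)' });
  }
  return findings;
}
```

`auditSecurityHeaders({})` reports all three headers missing; `auditSecurityHeaders(RECOMMENDED_HEADERS)` reports nothing; a response that carries a CSP with frame-ancestors but no X-Frame-Options is also clean, which is the caveat a scanner should get right.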
Admin Route Without Authentication
CRITICAL (CWE-306): Admin or management routes are reachable without any authentication check, so anyone who discovers the URL gets privileged functionality. Authentication and role checks must run server-side on every such route; hiding the link in the UI is not a control.
Razorpay Webhook Without Signature Verification
CRITICAL (CWE-345): Your Razorpay webhook endpoint does not verify the X-Razorpay-Signature header (an HMAC-SHA256 of the raw request body under your webhook secret), so anyone who can reach the URL can post a fake payment.captured event and have an order marked as paid.
Stripe Webhook Without Signature Verification
CRITICAL (CWE-345): Your Stripe webhook endpoint does not verify the Stripe-Signature header (an HMAC-SHA256 over the timestamp and raw body under the endpoint's signing secret), so anyone can post a fake checkout.session.completed or payment_intent.succeeded event and have an order fulfilled. Verify against the raw body, not a re-serialized JSON object, and reject stale timestamps so captured events cannot be replayed.
CORS Wildcard Misconfiguration
HIGH (CWE-942): Your API responds with Access-Control-Allow-Origin: *, so any website can read its responses. Browsers never attach cookies to a wildcard-CORS request, so what leaks this way is unauthenticated data; the truly critical variant is an API that reflects the request's Origin header and also sends Access-Control-Allow-Credentials: true, which lets any site make credentialed requests as the logged-in user.
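As an added example (not Vezraa's code), here is the decision a server should make from an allowlist, a deliberately reflecting server for contrast, and the probe a scanner runs: send a request with an attacker-controlled Origin and grade what comes back. The origins are constructed.

```javascript
// Added example, not Vezraa's code: allowlist-based CORS beside the reflecting
// misconfiguration, plus the scanner probe that tells them apart. Origins are constructed.
const ALLOWED_ORIGINS = ['https://app.example', 'https://admin.example'];

// CORS response headers for a request from `requestOrigin`. Nothing is reflected blindly,
// and a wildcard is never combined with credentials (browsers reject that pairing anyway).
function corsHeadersFor(requestOrigin, { allowedOrigins = ALLOWED_ORIGINS, allowCredentials = true } = {}) {
  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) {
    return {}; // no CORS headers: the browser blocks the cross-origin read
  }
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin', // shared caches must not serve one origin's answer to another
  };
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// The misconfiguration for comparison: reflects any Origin and allows credentials.
function reflectingCorsHeaders(requestOrigin) {
  return { 'Access-Control-Allow-Origin': requestOrigin, 'Access-Control-Allow-Credentials': 'true' };
}

// Scanner side: probeOrigin is an origin that should NOT be trusted (e.g. https://evil.example).
function auditCors(probeOrigin, responseHeaders) {
  const h = Object.fromEntries(Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const acao = h['access-control-allow-origin'];
  const credentials = h['access-control-allow-credentials'] === 'true';
  const findings = [];
  if (acao === undefined) return findings;
  if (acao === '*') {
    findings.push({ id: 'cors-wildcard', severity: 'HIGH',
      detail: credentials
        ? 'ACAO:* together with credentials: browsers refuse the combination, but the intent was to expose authenticated data'
        : 'any origin can read responses; cookies are not sent, so exposure is limited to unauthenticated data' });
  } else if (acao === probeOrigin) {
    findings.push({ id: credentials ? 'cors-origin-reflection-with-credentials' : 'cors-origin-reflection',
      severity: credentials ? 'CRITICAL' : 'HIGH',
      detail: `Origin ${probeOrigin} was reflected${credentials ? ' with Access-Control-Allow-Credentials: true: any site can act as the logged-in user' : ''}` });
  } else if (acao === 'null') {
    findings.push({ id: 'cors-null-origin', severity: 'HIGH', detail: 'sandboxed iframes and data: URLs send Origin: null' });
  }
  return findings;
}
```

Against `corsHeadersFor`, a probe from `https://evil.example` gets no CORS headers at all and the audit is clean; against `reflectingCorsHeaders` it gets the CRITICAL reflection finding.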
Subdomain Takeover via CNAME
HIGH (CWE-350): A CNAME record points to an external service (a hosting platform, CDN, or SaaS tenant) that is no longer provisioned, allowing an attacker to register that resource on the provider and serve attacker-controlled content under your domain, where it also receives any cookies scoped to the parent domain.
SQL Injection via Unsanitized Input
CRITICAL (CWE-89): User input is concatenated directly into SQL queries instead of being passed as bound parameters, allowing attackers to change the query's logic, read other tables, or modify data.
XSS via DOM Manipulation
HIGH (CWE-79): User-controlled data is inserted into the DOM via innerHTML, dangerouslySetInnerHTML, or v-html without sanitization, so any HTML or script in that data executes in your origin. Prefer textContent or your framework's text bindings; where HTML is genuinely required, sanitize it first with a maintained library such as DOMPurify.
IDOR — Insecure Direct Object Reference
HIGH (CWE-639): API endpoints accept user-supplied IDs without verifying that the caller owns the referenced object, so a user can read or modify other users' resources by changing an ID parameter. The ownership condition belongs in the lookup itself, and a foreign ID should be answered exactly like a nonexistent one.
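The unauthenticated admin route and the IDOR above share a fix pattern: authentication, role, and ownership checks enforced inside the handler. As an added example that is not Vezraa's code, the vulnerable handlers are shown beside their hardened versions over an in-memory invoice table; the request shape, roles, and records are constructed.

```javascript
// Added example, not Vezraa's code: CWE-306 and CWE-639 handlers beside the checks
// that close them. Request/session shape, roles and invoice rows are constructed.
class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

const INVOICES = [
  { id: 'inv_1001', ownerId: 'u_1', total: 100 },
  { id: 'inv_1002', ownerId: 'u_2', total: 250 },
];

function requireSession(req) {
  if (!req.session || typeof req.session.userId !== 'string') throw new HttpError(401, 'authentication required');
  return req.session;
}

function requireRole(session, role) {
  if (!Array.isArray(session.roles) || !session.roles.includes(role)) throw new HttpError(403, 'forbidden');
}

// VULNERABLE (CWE-639): authenticated, but the lookup uses only the client-supplied id.
function getInvoiceVulnerable(req, invoiceId) {
  requireSession(req);
  const invoice = INVOICES.find((i) => i.id === invoiceId);
  if (!invoice) throw new HttpError(404, 'not found');
  return invoice;
}

// FIXED: ownership is part of the query, and a foreign id is answered exactly like a
// nonexistent one, so the endpoint cannot be used to enumerate valid ids either.
function getInvoice(req, invoiceId) {
  const session = requireSession(req);
  const invoice = INVOICES.find((i) => i.id === invoiceId && i.ownerId === session.userId);
  if (!invoice) throw new HttpError(404, 'not found');
  return invoice;
}

// VULNERABLE (CWE-306): an admin route that only the UI "hides".
function listAllInvoicesVulnerable() {
  return INVOICES;
}

// FIXED: authentication and a role check, enforced in the handler rather than in the navigation.
function listAllInvoices(req) {
  const session = requireSession(req);
  requireRole(session, 'admin');
  return INVOICES;
}

// Turn a handler call into the HTTP status it would produce.
function statusOf(fn) {
  try { fn(); return 200; } catch (e) { return e instanceof HttpError ? e.status : 500; }
}
```

With a session for `u_1`, `getInvoiceVulnerable` hands back `inv_1002` (owned by `u_2`) while `getInvoice` returns 404 for it; `listAllInvoices` returns 401 without a session and 403 without the admin role.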
JWT 'None' Algorithm Attack
CRITICAL (CWE-345): Your JWT verification accepts tokens whose header declares alg: none, or otherwise lets the token's own header choose the algorithm, so an attacker can edit the payload, drop the signature, and present a token that verifies without knowing the secret. Pin the expected algorithm in the verifier and reject everything else.
Password in Query String
HIGH (CWE-319): Passwords or tokens are transmitted in URL query strings, where they end up in server access logs, proxy logs, browser history, Referer headers, and analytics. Send them in the request body or an Authorization header instead.
Sensitive Data in LocalStorage
MEDIUM (CWE-312): Auth tokens, API keys, or PII are stored in localStorage, which any JavaScript running on the page can read, including injected scripts and compromised third-party libraries. Keep session tokens in HttpOnly cookies where the architecture allows it.
Open Redirect Vulnerability
MEDIUM (CWE-601): Your app takes a redirect target from a request parameter and forwards the user to it without validation, so a link that starts on your domain can land on an attacker's page. Resolve the target against your own origin and refuse anything that does not stay on it, including protocol-relative //host forms, backslash variants, and javascript: URLs.
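As an added example (not Vezraa's code), a redirect validator that resolves the supplied target against the application origin with the WHATWG URL parser, which is what turns `//evil.example`, `/\evil.example`, and `https://app.example@evil.example` into absolute URLs whose host can be inspected, and then returns only a relative path on the app's own origin or an allowlisted host. The origins are constructed.

```javascript
// Added example, not Vezraa's code: validate a user-supplied redirect target by
// resolving it against the app origin and inspecting the result. Origins are constructed.
const APP_ORIGIN = 'https://app.example';

function safeRedirectTarget(target, { appOrigin = APP_ORIGIN, allowedHosts = [], fallback = '/' } = {}) {
  if (typeof target !== 'string' || target.trim() === '') return fallback;
  let url;
  try {
    // Resolving relative input against our own origin normalizes the tricky forms:
    // "//evil.example" and "/\evil.example" both become https://evil.example/...
    url = new URL(target, appOrigin);
  } catch {
    return fallback; // unparsable input
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return fallback; // javascript:, data:, ...
  if (url.username || url.password) return fallback; // "https://app.example@evil.example" style
  const app = new URL(appOrigin);
  if (url.origin === app.origin) {
    // Hand back a relative path, never an absolute URL, so the scheme and host stay ours.
    return url.pathname + url.search + url.hash;
  }
  if (allowedHosts.includes(url.hostname)) return url.href;
  return fallback;
}
```

`safeRedirectTarget('/dashboard')` returns `/dashboard`; the protocol-relative, backslash, userinfo, lookalike-subdomain, and `javascript:` forms all fall back to `/`; a host on the explicit allowlist is returned as an absolute URL.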
CSRF — Missing Anti-Forgery Token
HIGH (CWE-352): Your state-changing endpoints do not require a CSRF token, so a page on another site can make the victim's browser submit a request that carries their cookies. Require an anti-forgery token (or rely on SameSite cookies where every client supports them), check the Origin header, and never perform state changes on GET.
Rate Limiting Not Enforced on LLM Endpoint
HIGH (CWE-770): LLM-powered endpoints have no rate limiting, so an attacker or a runaway client can exhaust your provider quota and run up a large bill. Limit by authenticated user as well as by IP, and cap both the request rate and the tokens consumed, since a handful of very large prompts costs more than many small ones.
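As an added example (not Vezraa's code), a per-user token bucket that budgets estimated model tokens rather than request counts, with a per-request cap and a Retry-After hint. Capacity and refill values are illustrative, the clock is injected so the behaviour is deterministic, and `estimateTokens` is a rough four-characters-per-token heuristic standing in for a real tokenizer.

```javascript
// Added example, not Vezraa's code: per-user token bucket over estimated model tokens.
// Capacity/refill are illustrative; estimateTokens is a heuristic, not a tokenizer.
class TokenBucketLimiter {
  constructor({ capacity, refillPerSec, maxCostPerRequest }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.maxCostPerRequest = maxCostPerRequest;
    this.buckets = new Map(); // key -> { tokens, updatedMs }; use a shared store (e.g. Redis) across instances
  }

  bucketFor(key, nowMs) {
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, updatedMs: nowMs };
      this.buckets.set(key, b);
    } else {
      const elapsedSec = Math.max(0, nowMs - b.updatedMs) / 1000;
      b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
      b.updatedMs = nowMs;
    }
    return b;
  }

  // key: the authenticated user id (fall back to IP only for anonymous traffic).
  // cost: estimated tokens the request will consume.
  allow(key, cost, nowMs = Date.now()) {
    if (cost > this.maxCostPerRequest) {
      return { allowed: false, reason: 'request exceeds per-request token cap', retryAfterMs: null };
    }
    const b = this.bucketFor(key, nowMs);
    if (b.tokens >= cost) {
      b.tokens -= cost;
      return { allowed: true, remaining: b.tokens };
    }
    const deficit = cost - b.tokens;
    return { allowed: false, reason: 'rate limited', remaining: b.tokens,
      retryAfterMs: Math.ceil((deficit / this.refillPerSec) * 1000) };
  }
}

function estimateTokens(text) {
  return Math.ceil(text.length / 4); // rough English average; replace with the provider's tokenizer
}

// How an endpoint would use it (request objects constructed for the example).
function handleCompletion(limiter, userId, prompt, nowMs) {
  const decision = limiter.allow(userId, estimateTokens(prompt), nowMs);
  if (!decision.allowed) {
    if (decision.retryAfterMs === null) return { status: 413, body: decision.reason };
    return { status: 429, headers: { 'Retry-After': String(Math.ceil(decision.retryAfterMs / 1000)) }, body: decision.reason };
  }
  return { status: 200, body: 'forwarded to model' };
}
```

With a 20,000-token bucket refilling at 100 tokens/s, two 8,000-token requests pass, the third is refused with a 40-second Retry-After, and it passes once that time has elapsed; a single 11,000-token prompt is rejected outright by the per-request cap.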
Prompt Injection in AI App
CRITICAL (CWE-77): Your AI application feeds user input into the prompt without separating it from system instructions or constraining what the model is allowed to do, allowing users to override those instructions. Input filtering alone is not a reliable defence; also treat model output as untrusted and restrict the tools and data the model can reach.
OWASP LLM01 — Prompt Injection
CRITICAL (CWE-77): Direct prompt injection (instructions in the user's own input) or indirect prompt injection (instructions embedded in documents, web pages, or tool results the model reads) lets an attacker steer the model's behaviour through content it was only meant to process.
OWASP LLM02 — Insecure Output Handling
HIGH (CWE-116): LLM-generated output is rendered or executed without encoding, so if an attacker steers the model into emitting HTML, script, shell commands, or SQL, that output runs with your application's privileges: XSS in the browser, code execution on the server.
OWASP LLM06 — Sensitive Information Disclosure
HIGH (CWE-200): Your LLM application leaks system prompts, API keys, database schemas, or other sensitive information in its responses. Anything placed in the model's context should be assumed recoverable by a determined user, so secrets and internal details do not belong there.
SPF Record Missing
MEDIUM (CWE-345): Your domain has no SPF DNS record, so receiving mail servers cannot check which hosts are allowed to send mail for it, and forged messages using your domain are not flagged on that basis.
DMARC Record Missing
MEDIUM (CWE-345): Your domain has no DMARC policy (a _dmarc TXT record), so receivers get no instruction to quarantine or reject mail that fails SPF and DKIM alignment, and you receive no reports about who is spoofing your domain. A policy of p=none only monitors; spoofed mail is still delivered.
DKIM Not Configured
MEDIUM (CWE-345): Your domain has no DKIM signing configured, so outgoing messages carry no signature that receivers can verify against a public key in DNS, and DMARC cannot pass on DKIM alignment.
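The three mail-authentication checks above, as an added example that is not Vezraa's code: an audit over TXT records that finds the SPF record and grades its final `all` mechanism, parses the DMARC policy, and probes common DKIM selectors. The records come from a constructed in-memory map so it runs offline; a real scanner would fetch them with `dns.promises.resolveTxt`. The selector list is a guess list, which is why the DKIM result is phrased as "not found at common selectors" rather than "absent".

```javascript
// Added example, not Vezraa's code: SPF/DMARC/DKIM audit over TXT records. The
// records below are constructed; a real scanner would use dns.promises.resolveTxt.
const COMMON_DKIM_SELECTORS = ['default', 'google', 'selector1', 'selector2', 'k1', 'mail', 'dkim'];

// "k=v; k2=v2" tag lists shared by DMARC and DKIM records.
function parseTagList(record) {
  const tags = {};
  for (const part of record.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return tags;
}

function auditMailAuth(domain, txtRecords) {
  const lookup = (name) => txtRecords[name] || [];
  const findings = [];

  // SPF: exactly one v=spf1 record, ending in a restrictive "all".
  const spf = lookup(domain).filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) {
    findings.push({ id: 'spf-missing', severity: 'MEDIUM' });
  } else if (spf.length > 1) {
    findings.push({ id: 'spf-multiple-records', severity: 'HIGH', detail: 'RFC 7208 treats multiple SPF records as a permanent error' });
  } else {
    const terms = spf[0].trim().split(/\s+/);
    const last = terms[terms.length - 1].toLowerCase();
    if (last === 'all' || last === '+all' || last === '?all') {
      findings.push({ id: 'spf-permissive-all', severity: 'HIGH', detail: `"${last}" authorizes every sender` });
    }
    const lookups = terms.filter((t) => /^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)/i.test(t)).length;
    if (lookups > 10) findings.push({ id: 'spf-too-many-lookups', severity: 'MEDIUM', detail: 'more than 10 DNS lookups yields permerror' });
  }

  // DMARC: a v=DMARC1 record at _dmarc.<domain> with an enforcing policy.
  const dmarc = lookup(`_dmarc.${domain}`).filter((r) => /^v=DMARC1\s*(;|$)/i.test(r));
  if (dmarc.length === 0) {
    findings.push({ id: 'dmarc-missing', severity: 'MEDIUM' });
  } else {
    const tags = parseTagList(dmarc[0]);
    if (!tags.p) findings.push({ id: 'dmarc-no-policy', severity: 'MEDIUM', detail: 'p= tag is required' });
    else if (tags.p.toLowerCase() === 'none') findings.push({ id: 'dmarc-policy-none', severity: 'LOW', detail: 'monitoring only: spoofed mail is still delivered' });
    if (tags.pct !== undefined && Number(tags.pct) < 100) findings.push({ id: 'dmarc-partial-pct', severity: 'LOW' });
    if (!tags.rua) findings.push({ id: 'dmarc-no-reports', severity: 'INFO' });
  }

  // DKIM: a public key at <selector>._domainkey.<domain>. Selector names are not discoverable
  // from DNS, so a miss means "not found at common selectors": confirm with the s= tag of a
  // DKIM-Signature header on a message the domain actually sent before reporting it.
  const dkimSelectors = COMMON_DKIM_SELECTORS.filter((s) =>
    lookup(`${s}._domainkey.${domain}`).some((r) => /(^|;)\s*p=/i.test(r)));
  if (dkimSelectors.length === 0) {
    findings.push({ id: 'dkim-not-found', severity: 'MEDIUM', detail: `no key at selectors ${COMMON_DKIM_SELECTORS.join(', ')}` });
  }
  return { findings, dkimSelectors };
}

// Constructed records for illustrative domains (not real DNS data).
const SAMPLE_DNS = {
  'example.com': ['v=spf1 include:_spf.google.com ~all', 'google-site-verification=constructed'],
  '_dmarc.example.com': ['v=DMARC1; p=none; rua=mailto:dmarc@example.com'],
  'google._domainkey.example.com': ['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQconstructed'],
  'spoofable.test': ['v=spf1 +all'],
  '_dmarc.spoofable.test': ['v=DMARC1; p=reject; rua=mailto:dmarc@spoofable.test'],
};
```

For `example.com` the only finding is the monitoring-only DMARC policy and DKIM is found at the `google` selector; `spoofable.test` is flagged for `+all` and for no DKIM key at any common selector; a domain with no records at all gets all three "missing" findings.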
NPM Dependency With Known CVE
HIGH (CWE-1104): Your project depends on npm packages with publicly known vulnerabilities (CVEs) for which fixed versions exist. Run npm audit and update; before dismissing a finding, check whether the vulnerable code path is actually reachable from your application.
Exposed Next.js API Route
HIGH (CWE-306): A Next.js API route exposes sensitive data or functionality without authentication or rate limiting. Every file under pages/api and every route handler under app/ is a public HTTP endpoint by default, regardless of which UI pages link to it.
Debug Mode Enabled in Production
MEDIUM (CWE-489): Debug or development mode is enabled in production, exposing detailed error pages, stack traces, source paths, and configuration to anyone who can trigger an error.
Firebase Rules Open to World
CRITICAL (CWE-284): Your Firebase/Firestore security rules allow read and write access to unauthenticated users (for example allow read, write: if true;), so anyone holding the public project config can dump or modify your entire database.