// vulnerability spotlight
Every check FixVibe runs, explained.
164+ vulnerability classes that FixVibe covers. Each entry runs up to 35 sub-checks per scan and explains how the bug works, what an attacker gains, how we test, and what is needed to defend.
01 / 07
HTTP & Surface
Session cookie attributes
HttpOnly, Secure, SameSite: three flags that make a session cookie hard to steal.
HTTP security headers
Headers are free defense, yet most apps still ship without them.
TLS configuration
Old cipher suites plus missing HSTS means you are one hostile Wi-Fi network away from session hijacking.
Vercel Deployment Protection
Generated deployment URLs should not become public staging doors.
02 / 07
Secrets
Hardcoded secret patterns
Stripe keys, AWS credentials, OpenAI tokens: pattern matching catches the easy mistakes.
Secrets in JavaScript bundles
If it landed in the client bundle, it is not a secret; it is a publication.
JWT integrity (alg confusion, weak secrets)
If your JWT verifier trusts the token's own header, it believes whatever the attacker puts there.
Tokens in browser storage
localStorage is readable by JavaScript. Auth tokens stored there are XSS-stealable by design.
Exposed source maps
If your .map files are public, the attacker reads your TypeScript.
Information leaks in JavaScript
Internal API hosts, version banners, TODO comments: small leaks add up to a map of your stack.
03 / 07
Backend-as-a-Service
Firebase Security Rules
`allow read, write: if true` is somebody's production DB right now.
Supabase Row-Level Security
Without RLS on every public table, your anon key is a free pass to read everything.
Clerk & Auth0 configuration
Identity providers leak more than they should when the defaults are not hardened.
Supabase Storage and API Posture
Public buckets and anon-listable objects are where BaaS data leaks start.
04 / 07
DNS
Netmaker DNS Key Authorization Bypass
A VPN control-plane DNS API should not trust a legacy default key.
Subdomain takeover
A CNAME pointing at an unclaimed cloud resource is an invitation to host phishing on your domain.
SPF / DKIM / DMARC
Without these three records, anyone can send email in your name.
05 / 07
Discovery
Arcserve UDP Heap Overflow Advisory
Backup management consoles should not expose affected UDP versions.
Schneider Modicon M221 Firmware Advisory
PLC firmware evidence should drive patch and segmentation review, not reboot or authentication replay tests.
CVE matching
Detected version + public CVE database = a list of already documented attacks.
Debug & admin endpoints
/debug, /admin, /server-status: paths that should never be reachable from the internet.
Exposed files & backup directories
.env, .git, .DS_Store, backup.sql: files that should never be public, and are by accident.
Rockwell MicroLogix 1100 DoS Advisory
An exposed PLC fingerprint is an operations risk, not something to crash-test.
SPIP Template RCE Version Exposure
Public SPIP version banners can reveal an RCE-class patch gap.
Checking Apache ActiveMQ Artemis for CVE-2023-50780
Checking Apache Airflow for CVE-2024-45498
Checking Apache Tomcat for CVE-2020-11996
Checking Claude Code GitHub Action workflow permissions
Checking codexui-android for token-stealing package versions
Checking cordova-plugin-inappbrowser for CVE-2019-0219
Checking DICOM files for executable preambles
Checking Django for CVE-2011-0696
Checking Drupal Core for CVE-2026-9082
Checking easy-day-js for Mastra npm incident package evidence
Checking Keras for CVE-2025-1550
Checking Langflow CORS exposure for CVE-2025-34291
Checking Log4j 1.2 JDBCAppender for CVE-2022-23305
Checking MindsDB version exposure for CVE-2026-27483
Checking MISP STIX import source for CVE-2018-19908
Checking Moby/Docker Go modules for CVE-2026-34040
Checking NGINX rewrite configurations for CVE-2026-42945
Checking NiceGUI upload source for CVE-2026-25732
Checking Nokogiri for CVE-2019-18197
Checking npm lockfiles for known typosquat package versions
Checking ONNX for CVE-2024-5187
Checking Paramiko for CVE-2018-7750
Checking proxy npm package for CVE-2023-2968
Checking Spring Data Commons and XMLBeam for CVE-2018-1259
Checking SQLitePCLRaw native SQLite packages for CVE-2025-6965
Checking vLLM for CVE-2024-9053
Checking WordPress REST API user exposure
Checking YOURLS for CVE-2019-14537
Cloudflare origin & proxy posture
If your origin IP is discoverable, the Cloudflare WAF can be bypassed.
Exposed GraphQL introspection
Introspection in production hands the attacker your complete type system.
Threat-intel matching
Spamhaus DBL, URLhaus: your domain's reputation as seen from the outside.
Exposed API documentation
/swagger.json, /openapi.json, /docs: public API maps for you and for the attacker.
Netlify-specific exposure
Netlify deploy-preview URLs, x-nf-* headers, _redirects mistakes.
Privacy & cookie-compliance markers
GDPR-mandated pages: present and linked, or you risk a complaint.
Technology fingerprinting
Knowing your stack is half of reconnaissance; outdated frameworks fill in the other half.
Vercel-specific exposure
_next/static, x-vercel-* headers, preview URLs: Vercel quirks that leak more than they should.
06 / 07
Active probes
AVideo Command Injection Advisory
An outdated AVideo Composer dependency can expose video-link import paths to command execution risk.
Cross-tenant data leaks
Multi-tenant SaaS without tenant-ID enforcement leaks customer data between orgs.
GeniXCMS Author SQL Injection Exposure
A legacy CMS author filter should not turn one parameter into SQL syntax.
JWT alg=none Acceptance
A decoded token is not an authenticated identity.
MagicMirror /cors SSRF Exposure
A smart-mirror helper endpoint should not become a network proxy.
Moxa NPort Firmware Advisory
A public device-server firmware banner should drive an upgrade, not a crash test.
OS command injection
When user input becomes part of a shell command, the shell executes whatever the attacker writes.
rclone RC Authentication Exposure
A public rclone Remote Control API should not answer unauthenticated fsinfo requests.
Server-Side Template Injection (SSTI)
If the template engine treats user input as a template, the server treats it as code.
SiteOmat BOS Authentication Advisory
Fuel-station management software needs version and exposure review, not password guessing.
SiteOmat CGI Buffer Overflow Advisory
Fuel-station controller CGI risk needs patch and exposure review, not exploit probes.
SiteOmat Login SQL Injection Advisory
Fuel-station login risk needs patch and exposure review, not authentication-bypass probes.
SQL injection
Once user input becomes part of a query, the database no longer belongs to you.
Auth-flow defects
Login, signup, password reset: this is where most account takeovers actually happen.
Blind SSRF (out-of-band)
If the server fetches user-supplied URLs, the user can make it fetch internal services.
CKAN DataStore SQL Authorization Bypass
Public DataStore SQL access can turn open data APIs into private data exposure.
CORS misconfiguration
A permissive Access-Control-Allow-Origin plus credentials means your API is everyone's API.
DOM-based XSS via URL fragment
Modern SPAs read location.hash and write it into the DOM; attacker payloads ride along.
File upload validation
Uploaded files are arbitrary bytes; accepting them unchecked as "images" is asking for RCE.
FUXA Hardcoded JWT Fallback Secret
Default token-signing secrets can turn an HMI login into a weak boundary.
GL.iNet GL-MT3000 Firmware Advisory
A router firmware match should drive an upgrade, not a command-execution test.
GraphQL depth bombing & batch bypass
GraphQL's flexibility is also its vulnerability vector: depth bombs, alias batching, field-suggestion leaks.
HTTP request smuggling
Front proxy and backend disagree on where a request ends; the attacker rides the seam.
IDOR / BOLA
If your API trusts the client to send the correct ID, the client can send any ID.
IIS TRACK Method Information Disclosure
Legacy HTTP method echo behavior should be disabled before it can expose request headers.
Liferay Portal Template RCE Advisory
Legacy Liferay Portal version evidence should trigger patch verification.
LLM prompt injection
If your AI feature trusts user input as instructions, the user can rewrite the system prompt.
NoSQL operator injection
MongoDB operators in user-controlled JSON turn your query into a wildcard.
Reflected Cross-Site Scripting (XSS)
The silent takeover: when a single unfiltered parameter executes attacker code in your users' browsers.
Rockwell MicroLogix 1100 Authentication Advisory
Firmware evidence should drive an update and exposure review, not password-guessing tests.
XML External Entity (XXE)
If your XML parser resolves external entities, your server reads files for the attacker.
ZoneMinder Directory Listing Exposure
A camera management UI should not publish its web root index.
Account enumeration
If your login responds differently for existing vs. non-existing emails, the attacker builds a customer list.
Checking gemini-mcp-tool for CVE-2026-0755
Checking Label Studio upload-example XSS exposure
Checking Langflow version exposure for CVE-2026-33017
Checking PowerLogic EGX exposure for CVE-2021-22765/CVE-2021-22767/CVE-2021-22768
Checking TLS endpoints for RC4 support
Checking TLS endpoints for Sweet32 DES/3DES support
Confirming Glances REST API unauthenticated exposure
Confirming Next.js middleware bypass exposure
Confirming SillyTavern SearXNG external-fetch SSRF exposure
Confirming TMT Lockcell login SQL injection exposure
CRLF / Response Splitting
If user input lands in a response header, the attacker can use line breaks to set their own headers.
CSRF protection
If your state-changing endpoints do not require a CSRF token, third-party sites can act as your users.
Missing rate limiting
Without rate limits on auth endpoints, the attacker can run credential stuffing at line speed.
Next.js Header Configuration Drift
Headers set on `/` do not always protect nested routes.
Open Redirect
Your /redirect?url=… without destination validation is a ready-made phishing kit.
SPIP valider_xml XSS Exposure
A legacy SPIP utility page should not reflect URL input into HTML.
07 / 07
Source code
deephas Prototype-Pollution Advisory
A vulnerable deephas dependency can put deep-path object handling on a prototype-pollution path.
Ghost Content API SQL Injection Advisory
A vulnerable Ghost dependency can put public content APIs on the database boundary.
LibreNMS Command Injection Advisory
A vulnerable monitoring stack can become an execution path inside the network.
LiteLLM SQL Injection Advisory
A vulnerable LiteLLM Proxy version can turn API-key verification into database exposure.
NLTK Zip Slip Code Execution Advisory
A vulnerable NLTK downloader can turn compromised package archives into filesystem writes and code-execution risk.
openDCIM Command Injection Source Advisory
A database-controlled Graphviz path should not become a shell command.
TanStack ArkType Adapter Malware Advisory
Known malicious npm package versions can put CI and developer secrets at install-time risk.
vm2 Sandbox Breakout Advisory
A vulnerable JavaScript sandbox dependency can put untrusted-code boundaries at risk.
Apache Tomcat Coyote Resource-Shutdown Advisory
An affected Tomcat HTTP/2 runtime can turn reset behavior into resource exhaustion.
Apache Tomcat EncryptInterceptor Advisory
Exact affected Tomcat releases need an upgrade before cluster encryption assumptions are trusted.
Apache Tomcat h2c Request Mix-Up Advisory
Affected Tomcat h2c handling can put request data on the wrong response path.
Apache Tomcat Session-Persistence Advisory
Affected Tomcat runtimes become riskier when FileStore session persistence is enabled.
Committed AI-Generated Secrets
AI snippets should not ship provider keys into git.
Compromised codfish GitHub Action
Release workflows should not keep pointing at compromised Action refs.
electerm Install-Script Command Injection Advisory
A vulnerable terminal-client dependency can put build or developer hosts at install-time risk.
electerm Unauthorized Command Execution Advisory
A stale electerm package can matter when the vulnerable service is packaged and running.
Gogs Directory Traversal Dependency Advisory
An affected Gogs runtime can put file-upload path handling on a traversal boundary.
Gradio Windows Python Path Traversal Advisory
A vulnerable Gradio dependency becomes a stronger signal when repo config points to Windows with Python 3.13+.
Mbed TLS Buffer-Overflow Advisory
Affected Mbed TLS 3.x source evidence deserves an upgrade, not exploit reproduction.
Mbed TLS Double-Free Advisory
Legacy Mbed TLS version evidence deserves branch-aware remediation.
Microsoft ATL MS09-035 Source Advisory
Legacy ATL build metadata deserves rebuild proof, not exploit reproduction.
OpenCms XXE Information-Disclosure Advisory
A vulnerable OpenCms dependency can put XML-processing routes on a file-read boundary.
OpenSSL CMS Message-Parsing Advisory
Affected OpenSSL branch evidence deserves a branch-aware runtime upgrade.
PDF.js JavaScript Execution Advisory
A vulnerable PDF viewer can turn a malicious document into script execution.
PickleScan ZIP CRC Bypass Advisory
A vulnerable PickleScan dependency can miss malicious model archives when scans fail open.
pyLoad /flashgot RCE Advisory
A vulnerable pyLoad dependency is patch-triage evidence, not proof of live RCE.
Risky source-code patterns
eval(), dangerouslySetInnerHTML, hardcoded secrets: the patterns SAST has been finding for 25 years.
SaltStack Salt Directory Traversal Advisory
A vulnerable Salt package can weaken Salt master authentication boundaries.
SAP Cloud SDK for AI Python Advisory
A vulnerable SAP Python SDK dependency is patch-triage evidence, not proof of live command execution.
Spring Data Commons Resource-Exhaustion Advisory
Affected Spring Data Commons dependencies can put property-path parsing on a DoS path.
Supabase RLS in Migrations
A public table without RLS is a future data leak.
veraPDF XSLT Injection Dependency Advisory
Affected veraPDF policy-file processing can put XSLT execution boundaries at risk.
Vulnerable dependencies
Your package-lock.json contains thousands of packages. Some have known CVEs.
Webhook signature verification
If your webhook handler does not verify the signature, anyone can forge events.
ws Excessive-Header DoS Advisory
Affected ws server runtimes can crash when upgrade requests carry too many headers.
AI-Generated Code Guardrails
Fast AI-assisted changes need repo-level security rails.
Checking @andrei-tatar/nora-firebase-common for CVE-2024-30564
Checking Apache ActiveMQ Artemis for CVE-2026-27446
Checking Apache Spark for CVE-2022-33891
Checking Cargo files for the malicious onering crate
Checking http4k-format-xml for CVE-2024-55875
Checking kill-port-process for CVE-2019-15609
Checking Log4j 1.2 JMSAppender for CVE-2021-4104
Checking Note Mark backend for CVE-2026-44522
Checking npm package versions and binding.gyp for the Phantom Gyp worm
Checking OpenSSL PowerPC builds for CVE-2023-6129
Checking Perl GD for CVE-2026-11526
Checking Red Hat npm package versions for the worm campaign
Checking WebdriverIO BrowserStack service for CVE-2026-25244
Kubernetes Service ExternalIPs Advisory
ExternalIPs in Service manifests deserve RBAC and admission-policy review.
Mbed TLS Certificate-Validation Advisory
Affected Mbed TLS 3.x evidence deserves upgrade and client-auth review.
OpenSSL TLSv1.3 Session Memory-Growth Advisory
A vulnerable OpenSSL runtime plus no-ticket TLSv1.3 session handling can create DoS risk.
Oracle Java SE / GraalVM Runtime Advisory
Affected Oracle runtime metadata deserves an update, not DoS reproduction.
Repo security hygiene
Branch protection, Action pinning, secret hygiene: how your repo is run counts more than the code.
Reviewing repo code against web app risk patterns
