// vulnerability spotlight
Every check FixVibe runs, explained.
164+ vulnerability classes that ship with FixVibe. Each entry runs up to 35 sub-checks per scan and breaks down how the bug works, what an attacker gets out of it, how we test for it, and what it takes to defend.
01 / 07 HTTP & Surface
Session Cookie Attributes
HttpOnly, Secure, SameSite: three flags that turn a session cookie into something attackers can't easily steal. HttpOnly keeps page scripts from reading it, Secure keeps it off cleartext connections, and SameSite keeps cross-site requests from carrying it.
HTTP Security Headers
Headers are free defense, yet most apps still ship without them.
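As an added example of the checks the two entries above describe (illustrative code, not FixVibe's own scanner), the Python below parses a constructed raw HTTP response, flags cookies that lack HttpOnly, Secure or a Lax/Strict SameSite, rates the finding higher when the cookie name looks like a session, and reports absent defensive headers. The severities, the session-name heuristic and the header baseline are this example's assumptions.

```python
"""Audit Set-Cookie attributes and security headers in one HTTP response.

Added illustration, not FixVibe's scanner. Severities, the session-name
heuristic and the header baseline below are assumptions made for the example.
"""

# Constructed sample response; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Set-Cookie: __Host-csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Heuristic: names that usually mark a session or auth cookie (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth", "jwt")

# Baseline of headers a hardened response should carry (assumption).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: first visit can be downgraded to cleartext",
    "content-security-policy": "CSP missing: injected script has no source restriction",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}


def parse_headers(raw):
    """Split a raw response into (status line, [(lower-cased name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(set_cookie):
    """Return (cookie name, list of missing protections) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; flags like HttpOnly carry no value.
    attrs = {p.partition("=")[0].lower(): p.partition("=")[2] for p in parts[1:]}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")          # readable by any script on the page
    if "secure" not in attrs:
        missing.append("Secure")            # sent over plain http:// too
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        # Absent (browser default varies) or None (deliberate cross-site use,
        # which additionally requires Secure) both count as unprotected here.
        missing.append("SameSite=Lax/Strict")
    return name, missing


def audit_response(raw):
    """Return findings as (severity, message) tuples for one raw response."""
    _, headers = parse_headers(raw)
    findings = []
    for hname, value in headers:
        if hname != "set-cookie":
            continue
        cname, missing = audit_cookie(value)
        if missing:
            looks_like_session = any(h in cname.lower() for h in SESSION_NAME_HINTS)
            severity = "high" if looks_like_session else "low"
            findings.append((severity, f"cookie {cname} lacks {', '.join(missing)}"))
    present = {hname for hname, _ in headers}
    for hname, message in REQUIRED_HEADERS.items():
        if hname not in present:
            findings.append(("medium", message))
    return findings


if __name__ == "__main__":
    for severity, message in audit_response(SAMPLE_RESPONSE):
        print(f"[{severity}] {message}")
```

On the sample, the session cookie is rated high for missing Secure and SameSite, the theme cookie is rated low, and three of the four baseline headers are reported missing. A real scanner would also check that HSTS carries a long max-age and that the CSP is not a trivially permissive one.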
TLS Configuration
Old cipher suites plus missing HSTS equals a hostile WiFi away from session hijack.
Vercel Deployment Protection
Generated deployment URLs should not become public staging doors.
02 / 07 Secrets
Hard-coded Secret Patterns
Stripe keys, AWS credentials, OpenAI tokens: pattern matching catches the easy mistakes.
Secrets in JavaScript Bundles
If it shipped in your client bundle, it's not a secret; it's a publication.
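An added example (not FixVibe's rule set) of the pattern matching the two entries above describe: the Python below scans a constructed JavaScript bundle excerpt for a few well-known key shapes and for generic `secret = "..."` assignments, then uses Shannon entropy and a short placeholder word list to separate probable live credentials from dummies. The regexes are illustrative, the OpenAI-style one is only a loose approximation of the `sk-` prefix, and every sample value is made up (the AWS one is the example key ID used in AWS documentation).

```python
"""Find hard-coded secrets in source or a client bundle, then triage by entropy.

Added illustration, not FixVibe's rule set. The patterns are illustrative; the
OpenAI-style one is only a loose approximation of the "sk-" prefix.
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "openai_like_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    # Generic "name = 'value'" assignments; the value is capture group 2.
    "generic_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*['"]([^'"]{12,})['"]"""
    ),
}

# Words that mark dummies and fixtures rather than live credentials (assumption).
PLACEHOLDER_WORDS = ("example", "changeme", "placeholder", "dummy", "xxxx", "test")
MIN_ENTROPY_BITS = 2.5  # below this the value is too repetitive to be a real key

# Constructed bundle excerpt. Every value is made up; the AWS ID is the
# example key (AKIAIOSFODNN7EXAMPLE) that AWS documentation uses.
SAMPLE_BUNDLE = r'''
const STRIPE_PK = "pk_live_51FakePublishableKey00000000";
const config = {apiKey: "sk_live_0123456789abcdefXYZ12345"};
var awsId = "AKIAIOSFODNN7EXAMPLE";
fetch("/api", {headers: {Authorization: "Bearer sk-proj-Qw8zL2vT9xK1pN4bR7sD3fG6hJ0m"}});
const password = "changeme_dev_password";
const token = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
'''


def shannon_entropy(value):
    """Bits of entropy per character; 0.0 for a single repeated character."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(value):
    """Classify a matched value as 'likely-secret' or 'placeholder'."""
    lowered = value.lower()
    if any(word in lowered for word in PLACEHOLDER_WORDS):
        return "placeholder"
    if shannon_entropy(value) < MIN_ENTROPY_BITS:
        return "placeholder"
    return "likely-secret"


def scan(text):
    """Return one finding dict per distinct matched value, in pattern order."""
    findings = []
    seen = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            group = match.lastindex or 0     # generic pattern: value is group 2
            value = match.group(group)
            if value in seen:
                continue                     # same literal hit by two patterns
            seen.add(value)
            findings.append({
                "kind": kind,
                "value": value,
                "line": text.count("\n", 0, match.start(group)) + 1,
                "entropy": round(shannon_entropy(value), 2),
                "verdict": triage(value),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_BUNDLE):
        print(f"line {f['line']:>2} {f['kind']:<20} {f['verdict']:<14} {f['value']}")
```

The publishable `pk_live_` key is deliberately not matched: it is meant to be in the bundle. The Stripe secret and the `sk-` token come out as likely secrets, while the documented AWS example, the `changeme` password and the repeated-character token are triaged as placeholders. Entropy alone is a weak filter (real words score fairly high), which is why the word list sits in front of it.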
JWT Integrity (alg confusion, weak secrets)
If your JWT verifier trusts the token's own header, it will believe whatever the attacker types.
Tokens in Browser Storage
localStorage is JavaScript-readable. Auth tokens stored there are XSS-stealable by design.
Exposed Source Maps
If your .map files are public, the attacker is reading your TypeScript.
Information Leakage in JavaScript
Internal API hosts, version banners, and TODO comments: small leaks add up to a map of your stack.
03 / 07 Backend-as-a-Service
Firebase Security Rules
`allow read, write: if true` is somebody's production database right now.
Supabase Row-Level Security
Without RLS on every public table, your anon key is a license to read anything.
Clerk & Auth0 Configuration
Identity providers leak more than they should when defaults aren't tightened.
Supabase Storage and API Posture
Public buckets and anon-listable objects are where BaaS data leaks start.
04 / 07 DNS
Netmaker DNS Key Authorization Bypass
A VPN control-plane DNS API should not trust a legacy default key.
Subdomain Takeover
A CNAME pointing at an unclaimed cloud resource is an invitation to host phishing on your domain.
SPF / DKIM / DMARC
Without SPF and DKIM backed by an enforcing DMARC policy, anyone can send email as you.
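An added example (not FixVibe's check) of how the three records above are graded once fetched: the Python below takes a constructed dict of DNS names to TXT records so it runs offline, then flags an SPF record with no failing `all` term or too many lookups, a DMARC policy that only monitors, and DKIM selectors whose keys are missing or revoked. The zone data, selector name and key stub are invented.

```python
"""Grade SPF, DKIM and DMARC records for one domain from already-fetched TXT data.

Added illustration, not FixVibe's check. It takes a dict of name -> TXT records
so it runs offline; in a real scan the dict is filled from DNS lookups.
"""

# Constructed zone data; selector, addresses and key are invented.
ZONE = {
    "example.com": [
        "google-site-verification=constructed-token",
        "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBconstructedPublicKeyStub"],
}


def parse_tags(record):
    """'v=DMARC1; p=none' -> {'v': 'DMARC1', 'p': 'none'} (tag names lower-cased)."""
    tags = {}
    for chunk in record.split(";"):
        name, sep, value = chunk.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def is_lookup_term(term):
    """True for SPF terms that cost a DNS lookup (RFC 7208 caps these at 10)."""
    mechanism = term.lstrip("+-~?").lower()
    mechanism = mechanism.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
    return mechanism in ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "SPF: no v=spf1 record, so SPF cannot fail for any sender")]
    if len(spf) > 1:
        return [("high", "SPF: multiple v=spf1 records (permerror, SPF is ignored)")]
    terms = spf[0].split()[1:]
    findings = []
    lookups = sum(1 for t in terms if is_lookup_term(t))
    if lookups > 10:
        findings.append(("high", f"SPF: {lookups} DNS lookups, over the limit of 10 (permerror)"))
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term in (None, "all", "+all"):
        findings.append(("high", "SPF: no failing 'all' mechanism; any sender passes"))
    elif all_term == "?all":
        findings.append(("medium", "SPF: ?all is neutral, forged mail is neither passed nor failed"))
    elif all_term == "~all":
        findings.append(("info", "SPF: ~all softfails forged mail; rejection depends on DMARC"))
    return findings


def check_dmarc(records):
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("high", "DMARC: no record, receivers apply no policy to forged mail")]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "DMARC: p=none only reports; forged mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", f"DMARC: invalid or missing policy {policy!r}"))
    elif policy == "quarantine":
        findings.append(("info", "DMARC: p=quarantine; move to p=reject once reports look clean"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("medium", f"DMARC: pct={pct} applies the policy to only part of the mail"))
    if "rua" not in tags:
        findings.append(("low", "DMARC: no rua address, so you never see who is spoofing you"))
    return findings


def check_dkim(zone, domain, selectors):
    """Selectors are not enumerable from DNS, so they must come from mail headers or hints."""
    if not selectors:
        return [("info", "DKIM: no selectors known; pass selectors seen in DKIM-Signature headers")]
    findings = []
    for sel in selectors:
        records = zone.get(f"{sel}._domainkey.{domain}", [])
        key = next((parse_tags(r) for r in records if "p=" in r), None)
        if key is None:
            findings.append(("medium", f"DKIM: selector {sel} has no key record"))
        elif not key.get("p"):
            findings.append(("medium", f"DKIM: selector {sel} publishes an empty key (revoked)"))
    return findings


def audit_domain(zone, domain, dkim_selectors=()):
    findings = check_spf(zone.get(domain, []))
    findings += check_dmarc(zone.get(f"_dmarc.{domain}", []))
    findings += check_dkim(zone, domain, dkim_selectors)
    return findings


if __name__ == "__main__":
    for severity, message in audit_domain(ZONE, "example.com", ["s1"]):
        print(f"[{severity}] {message}")
```

On the constructed zone the only high finding is `p=none`: SPF and DKIM are configured, but nothing tells receivers to reject mail that fails them, which is exactly the gap the entry above describes.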
05 / 07 Discovery
Arcserve UDP Heap Overflow Advisory
Backup management consoles should not expose affected Arcserve UDP versions.
Schneider Modicon M221 Firmware Advisory
PLC firmware evidence should drive patch and segmentation review, not reboot or authentication replay tests.
CVE Cross-Reference
Detected version + public CVE database = a list of attacks already documented.
Debug & Admin Endpoints
/debug, /admin, /server-status: paths that should never be reachable from the internet.
Exposed Files & Backup Directories
.env, .git, .DS_Store, backup.sql: files that should never be public, yet accidentally are.
Rockwell MicroLogix 1100 DoS Advisory
An exposed PLC fingerprint is an operations risk, not something to crash-test.
SPIP Template RCE Version Exposure
Public SPIP version banners can reveal an RCE-class patch gap.
Checking Apache ActiveMQ Artemis for CVE-2023-50780
Checking Apache Airflow for CVE-2024-45498
Checking Apache Tomcat for CVE-2020-11996
Checking Claude Code GitHub Action workflow permissions
Checking codexui-android for token-stealing package versions
Checking cordova-plugin-inappbrowser for CVE-2019-0219
Checking DICOM files for executable preambles
Checking Django for CVE-2011-0696
Checking Drupal Core for CVE-2026-9082
Checking easy-day-js for Mastra npm incident package evidence
Checking Keras for CVE-2025-1550
Checking Langflow CORS exposure for CVE-2025-34291
Checking Log4j 1.2 JDBCAppender for CVE-2022-23305
Checking MindsDB version exposure for CVE-2026-27483
Checking MISP STIX import source for CVE-2018-19908
Checking Moby/Docker Go modules for CVE-2026-34040
Checking NGINX rewrite configurations for CVE-2026-42945
Checking NiceGUI upload source for CVE-2026-25732
Checking Nokogiri for CVE-2019-18197
Checking npm lockfiles for known typosquat package versions
Checking ONNX for CVE-2024-5187
Checking Paramiko for CVE-2018-7750
Checking proxy npm package for CVE-2023-2968
Checking Spring Data Commons and XMLBeam for CVE-2018-1259
Checking SQLitePCLRaw native SQLite packages for CVE-2025-6965
Checking vLLM for CVE-2024-9053
Checking WordPress REST API user exposure
Checking YOURLS for CVE-2019-14537
Cloudflare Origin & Proxy Posture
If your origin IP is discoverable, Cloudflare's WAF is bypassable.
GraphQL Introspection Exposed
Introspection in production hands the attacker your full type system.
Threat-Intel Cross-Reference
Spamhaus DBL, URLhaus: your domain's reputation as external feeds see it.
Exposed API Documentation
/swagger.json, /openapi.json, /docs: public API maps for both you and the attacker.
Netlify-Specific Exposure
Netlify deploy preview URLs, x-nf-* headers, _redirects mistakes.
Privacy & Cookie Compliance Markers
GDPR-required pages: present and linked, or you're at risk of a complaint.
Technology Fingerprinting
Knowing your stack is half the recon; outdated frameworks turn that into the other half.
Vercel-Specific Exposure
_next/static, x-vercel-* headers, preview URLs: Vercel-isms that leak more than they should.
06 / 07 Active probes
AVideo Command Injection Advisory
An outdated AVideo Composer dependency can expose video-link import paths to command execution risk.
Cross-Tenant Data Leaks
Multi-tenant SaaS without tenant ID enforcement leaks customer data across orgs.
GeniXCMS Author SQL Injection Exposure
A legacy CMS author filter should not turn one parameter into SQL syntax.
JWT alg=none Acceptance
A decoded token is not an authenticated identity.
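As an added example covering both this entry and "JWT Integrity (alg confusion, weak secrets)" above (illustrative code, not FixVibe's probe and not any JWT library's API), the Python below issues HS256 tokens with the standard library, shows a verifier that believes the token's own `alg` header accepting a forged `alg=none` token, shows a verifier that pins the algorithm and compares in constant time rejecting it, and runs a small constructed word list against a token to catch a guessable signing secret.

```python
"""Vulnerable vs. hardened JWT verification, plus a weak-secret check.

Added illustration using only the standard library; not FixVibe's probe and
not any JWT library's API. The word list and secrets below are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload, secret):
    """Issue a properly signed HS256 token (what the server should do)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(payload):
    """Attacker side: any payload, alg=none, empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_vulnerable(token, secret):
    """Trusts the token's own header: alg=none means 'no signature needed'."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if expected == b64url_decode(sig_b64):      # also not constant-time
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token, secret, expected_alg="HS256"):
    """Pins the algorithm server-side; the header is data, not configuration."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if header.get("alg") != expected_alg:
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


# Constructed mini word list; a real check uses a large dictionary of leaked defaults.
WEAK_SECRETS = ("secret", "password", "changeme", "jwt_secret", "123456", "supersecret")


def guess_weak_secret(token, wordlist=WEAK_SECRETS):
    """Return the word that verifies the token, or None if none does."""
    for candidate in wordlist:
        if verify_hardened(token, candidate) is not None:
            return candidate
    return None


if __name__ == "__main__":
    secret = "k9#Lp2!vR8qZ-constructed-strong-secret"
    good = sign_hs256({"sub": "alice", "role": "user"}, secret)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged, secret))
    print("hardened verifier accepts forged token:", verify_hardened(forged, secret))
    print("weak secret found:", guess_weak_secret(sign_hs256({"sub": "bob"}, "secret")))
```

The hardened verifier never reads `alg` to decide what to do; it only checks that the header says what the server already expects. That same rule is what blocks the RS256-to-HS256 confusion the earlier entry refers to, where an attacker signs with the public key as an HMAC secret.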
MagicMirror /cors SSRF Exposure
A smart-mirror helper endpoint should not become a network proxy.
Moxa NPort Firmware Advisory
A public device-server firmware banner should drive an upgrade, not a crash test.
OS Command Injection
When user input becomes part of a shell command, the shell runs whatever the attacker writes.
rclone RC Authentication Exposure
A public rclone Remote Control API should not answer unauthenticated fsinfo requests.
Server-Side Template Injection (SSTI)
When a template engine treats user input as a template, the server treats user input as code.
SiteOmat BOS Authentication Advisory
Fuel-station management software needs version and exposure review, not password guessing.
SiteOmat CGI Buffer Overflow Advisory
Fuel-station controller CGI risk needs patch and exposure review, not exploit probes.
SiteOmat Login SQL Injection Advisory
Fuel-station login risk needs patch and exposure review, not authentication-bypass probes.
SQL Injection
When user input becomes part of a query, the database stops being yours.
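An added example (not FixVibe's probe) of the point above and of how a scanner detects it, using Python's built-in sqlite3 on a constructed in-memory table: the string-built lookup returns every row for a tautology payload and breaks on a lone quote, the parameterized lookup treats both inputs as literal e-mail addresses, and `looks_injectable` applies that differential test to any lookup function.

```python
"""String-built vs. parameterized SQL, and the differential probe that tells them apart.

Added illustration against a constructed in-memory SQLite table; not FixVibe's
probe. The schema and rows are made up.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b"),
         ("carol@example.com", "hash-c")],
    )
    return conn


def find_user_vulnerable(conn, email):
    """User input becomes part of the query text."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    """User input is bound as a value; the query text never changes."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


TAUTOLOGY = "' OR '1'='1"   # closes the literal and appends an always-true clause
LONE_QUOTE = "'"            # breaks the statement if it lands inside SQL text


def looks_injectable(conn, lookup):
    """Differential probe: compare a benign miss with two attacker-shaped inputs.

    Returns True when the tautology returns more rows than a benign miss, or when
    a lone quote raises a database error (error-based signal). Either means the
    input reached the SQL text.
    """
    baseline = len(lookup(conn, "nobody@example.com"))
    try:
        if len(lookup(conn, TAUTOLOGY)) > baseline:
            return True
        lookup(conn, LONE_QUOTE)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows for tautology:", find_user_vulnerable(db, TAUTOLOGY))
    print("safe rows for tautology:", find_user_safe(db, TAUTOLOGY))
    print("vulnerable injectable?", looks_injectable(db, find_user_vulnerable))
    print("safe injectable?", looks_injectable(db, find_user_safe))
```

Against a real target the scanner sees HTTP responses instead of row lists, so the same differential is applied to response length, status code, or timing, and a lone quote that changes the response to an error page is the classic first signal.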
Auth Flow Defects
Login, signup, and password reset are where most account takeovers actually happen.
Blind SSRF (Out-of-Band)
If the server fetches user-supplied URLs, the user can make it fetch internal services.
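An added example (not FixVibe's probe) of the check a fetch-by-URL feature needs before it makes the request the entry above describes: the Python below rejects non-HTTP schemes, userinfo tricks and literal internal addresses, including the `127.1`, octal and IPv4-mapped IPv6 spellings that HTTP clients quietly accept. It does no DNS itself; the caveat on hostnames is stated in the code.

```python
"""Validate a user-supplied fetch target before the server requests it.

Added illustration, not FixVibe's probe. It rejects non-HTTP schemes, URL
userinfo and literal internal addresses, including the shorthand and
IPv4-mapped spellings HTTP clients accept. It does no DNS: hostnames must be
resolved and every resulting address re-checked (and pinned) at connect time.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def _literal_ip(host):
    """Return an IP address object if host is a literal IP in any accepted spelling, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            # inet_aton accepts "127.1", "0177.0.0.1" and similar shorthand forms.
            ip = ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
        except OSError:
            return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped        # ::ffff:127.0.0.1 is 127.0.0.1 on the wire
    return ip


def is_safe_fetch_target(url):
    """Return (ok, reason). ok=True for a hostname still needs a resolve-time check."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (hostname confusion)"
    host = parts.hostname
    if not host:
        return False, "no host"
    lowered = host.lower()
    if lowered == "localhost" or lowered.endswith(".localhost"):
        return False, "localhost"
    ip = _literal_ip(host)
    if ip is None:
        return True, "hostname: resolve, then re-check each address before connecting"
    if not ip.is_global:
        # Loopback, RFC 1918, link-local (169.254.169.254 metadata), CGNAT, unspecified.
        return False, f"non-public address {ip}"
    return True, f"public address {ip}"


if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/events", "http://169.254.169.254/latest/meta-data/",
                      "http://127.1/", "http://[::ffff:10.0.0.5]/", "file:///etc/passwd",
                      "http://hooks.example.com@10.0.0.5/"):
        print(f"{candidate:<45} {is_safe_fetch_target(candidate)}")
```

Two things this check cannot do on its own: a hostname that resolves to an internal address (or re-resolves to one after the check, DNS rebinding) passes here, so the resolved address must be validated and the connection pinned to it; and a redirect from a public host to an internal one must be re-validated per hop, or redirects disabled for server-side fetches.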
CKAN DataStore SQL Authorization Bypass
Public DataStore SQL access can turn open data APIs into private data exposure.
CORS Misconfiguration
A reflected Origin plus Access-Control-Allow-Credentials: true means your API is everyone's API.
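An added example (not FixVibe's probe) of how the entry above is tested: the Python below models three server-side CORS policies as functions from the request's Origin to response headers, then sends the origins an attacker can really present and reports which ones come back reflected together with credentials. The allow list and probe origins are constructed.

```python
"""Three CORS policies and the origin probes a scanner sends to tell them apart.

Added illustration, not FixVibe's probe. Each policy function stands in for a
server's response-header logic; the allow list and probe origins are constructed.
"""

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed


def cors_reflect(origin):
    """Vulnerable: echo whatever Origin arrived and allow credentials."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix(origin):
    """Also vulnerable: a suffix check that attacker-registered names satisfy."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_allowlist(origin):
    """Hardened: exact-match allow list, Vary: Origin so caches keep responses apart."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


# Origins an attacker can actually present: a foreign site, the "null" origin
# (sandboxed iframes, file://), a registrable look-alike, and a subdomain trick.
PROBE_ORIGINS = [
    "https://evil.example",
    "null",
    "https://evilexample.com",
    "https://app.example.com.evil.example",
]


def reflected_with_credentials(policy, probes=PROBE_ORIGINS):
    """Return the probe origins the policy echoes back together with credentials.

    That combination lets the attacker's page read authenticated responses as the
    victim; a bare wildcard is weaker, since browsers refuse '*' with credentials.
    """
    hits = []
    for origin in probes:
        headers = {k.lower(): v for k, v in policy(origin).items()}
        echoed = headers.get("access-control-allow-origin") == origin
        creds = headers.get("access-control-allow-credentials", "").lower() == "true"
        if echoed and creds:
            hits.append(origin)
    return hits


if __name__ == "__main__":
    for policy in (cors_reflect, cors_suffix, cors_allowlist):
        print(f"{policy.__name__:<15} exploitable from: {reflected_with_credentials(policy)}")
```

The suffix policy is the instructive case: `evilexample.com` is a domain anyone can register, and it satisfies `endswith("example.com")`. Matching on the full origin string, scheme included, is the only check that holds.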
DOM-based XSS via URL Fragment
Modern SPAs read location.hash and write it into the DOM, and attacker payloads ride along.
File Upload Validation
User-uploaded files are arbitrary bytes; accepting them as 'images' without checking is asking for RCE.
FUXA Hardcoded JWT Fallback Secret
Default token-signing secrets can turn an HMI login into a weak boundary.
GL.iNet GL-MT3000 Firmware Advisory
A router firmware match should drive an upgrade, not a command-execution test.
GraphQL Depth Bombing & Batch Bypass
GraphQL's flexibility is also its vulnerability: depth bombs, alias batching, and field-suggestion leaks.
HTTP Request Smuggling
Front-end proxy and back-end disagree on where one request ends, and the attacker rides the seam.
IDOR / BOLA
If your API trusts the client to send the correct ID, the client can send any ID.
IIS TRACK Method Information Disclosure
Legacy HTTP method echo behavior should be disabled before it can expose request headers.
Liferay Portal Template RCE Advisory
Legacy Liferay Portal version evidence should trigger patch verification.
LLM Prompt Injection
If your AI feature trusts user input as instruction, the user can rewrite the system prompt.
NoSQL Operator Injection
MongoDB-style operators in user-controlled JSON turn your query into a wildcard.
Reflected Cross-Site Scripting (XSS)
The silent hijack: when a single unsanitized parameter executes attacker code in your users' browsers.
Rockwell MicroLogix 1100 Authentication Advisory
Firmware evidence should drive an update and exposure review, not password-guessing tests.
XML External Entity (XXE)
If your XML parser resolves external entities, your server reads files for the attacker.
ZoneMinder Directory Listing Exposure
A camera management UI should not publish its web root index.
Account Enumeration
If your login responds differently when the email exists vs doesn't, attackers can build a customer list.
Checking gemini-mcp-tool for CVE-2026-0755
Checking Label Studio upload-example XSS exposure
Checking Langflow version exposure for CVE-2026-33017
Checking PowerLogic EGX exposure for CVE-2021-22765/CVE-2021-22767/CVE-2021-22768
Checking TLS endpoints for RC4 support
Checking TLS endpoints for Sweet32 DES/3DES support
Confirming Glances REST API unauthenticated exposure
Confirming Next.js middleware bypass exposure
Confirming SillyTavern SearXNG external-fetch SSRF exposure
Confirming TMT Lockcell login SQL injection exposure
CRLF / Response Splitting
If user input lands in a response header, line breaks let the attacker write their own headers.
CSRF Protection
If your state-changing endpoints don't require a CSRF token, third-party sites can act as your users.
Missing Rate Limiting
Without rate limits on auth endpoints, the attacker can credential-stuff at line speed.
Next.js Header Configuration Drift
Headers set on `/` do not always protect nested routes.
Open Redirect
Your /redirect?url=… that doesn't validate the destination is a phishing kit.
SPIP valider_xml XSS Exposure
A legacy SPIP utility page should not reflect URL input into HTML.
07 / 07 Source code
deephas Prototype-Pollution Advisory
A vulnerable deephas dependency can put deep-path object handling on a prototype-pollution path.
Ghost Content API SQL Injection Advisory
A vulnerable Ghost dependency can put public content APIs on the database boundary.
LibreNMS Command Injection Advisory
A vulnerable monitoring stack can become an execution path inside the network.
LiteLLM SQL Injection Advisory
A vulnerable LiteLLM Proxy version can turn API-key verification into database exposure.
NLTK Zip Slip Code Execution Advisory
A vulnerable NLTK downloader can turn compromised package archives into filesystem writes and code-execution risk.
openDCIM Command Injection Source Advisory
A database-controlled Graphviz path should not become a shell command.
TanStack ArkType Adapter Malware Advisory
Known malicious npm package versions can put CI and developer secrets at install-time risk.
vm2 Sandbox Breakout Advisory
A vulnerable JavaScript sandbox dependency can put untrusted-code boundaries at risk.
Apache Tomcat Coyote Resource-Shutdown Advisory
An affected Tomcat HTTP/2 runtime can turn reset behavior into resource exhaustion.
Apache Tomcat EncryptInterceptor Advisory
Exact affected Tomcat releases need an upgrade before cluster encryption assumptions are trusted.
Apache Tomcat h2c Request Mix-Up Advisory
Affected Tomcat h2c handling can put request data on the wrong response path.
Apache Tomcat Session-Persistence Advisory
Affected Tomcat runtimes become riskier when FileStore session persistence is enabled.
Committed AI-Generated Secrets
AI snippets should not ship provider keys into git.
Compromised codfish GitHub Action
Release workflows should not keep pointing at compromised Action refs.
electerm Install-Script Command Injection Advisory
A vulnerable terminal-client dependency can put build or developer hosts at install-time risk.
electerm Unauthorized Command Execution Advisory
A stale electerm package can matter when the vulnerable service is packaged and running.
Gogs Directory Traversal Dependency Advisory
An affected Gogs runtime can put file-upload path handling on a traversal boundary.
Gradio Windows Python Path Traversal Advisory
A vulnerable Gradio dependency becomes a stronger signal when repo config points to Windows with Python 3.13+.
Mbed TLS Buffer-Overflow Advisory
Affected Mbed TLS 3.x source evidence deserves an upgrade, not exploit reproduction.
Mbed TLS Double-Free Advisory
Legacy Mbed TLS version evidence deserves branch-aware remediation.
Microsoft ATL MS09-035 Source Advisory
Legacy ATL build metadata deserves rebuild proof, not exploit reproduction.
OpenCms XXE Information-Disclosure Advisory
A vulnerable OpenCms dependency can put XML-processing routes on a file-read boundary.
OpenSSL CMS Message-Parsing Advisory
Affected OpenSSL branch evidence deserves a branch-aware runtime upgrade.
PDF.js JavaScript Execution Advisory
A vulnerable PDF viewer can turn a malicious document into script execution.
PickleScan ZIP CRC Bypass Advisory
A vulnerable PickleScan dependency can miss malicious model archives when scans fail open.
pyLoad /flashgot RCE Advisory
A vulnerable pyLoad dependency is patch-triage evidence, not proof of live RCE.
Risky Source-Code Patterns
eval(), dangerouslySetInnerHTML, hard-coded secrets: the patterns SAST has been catching for 25 years.
SaltStack Salt Directory Traversal Advisory
A vulnerable Salt package can weaken Salt master authentication boundaries.
SAP Cloud SDK for AI Python Advisory
A vulnerable SAP Python SDK dependency is patch-triage evidence, not proof of live command execution.
Spring Data Commons Resource-Exhaustion Advisory
Affected Spring Data Commons dependencies can put property-path parsing on a DoS path.
Supabase RLS in Migrations
A public table without RLS is a future data leak.
veraPDF XSLT Injection Dependency Advisory
Affected veraPDF policy-file processing can put XSLT execution boundaries at risk.
Vulnerable Dependencies
Your package-lock.json includes thousands of packages. Some have known CVEs.
Webhook Signature Verification
If your webhook handler doesn't verify the signature, anyone can forge events.
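An added example (not FixVibe's check and not any specific provider's scheme) of what the entry above wants a handler to do: the Python below signs a delivery with HMAC-SHA256 over a timestamp and the raw body, then verifies it with a constant-time comparison and a replay window. The header names, the `<timestamp>.<body>` construction, the tolerance and the sample event are all assumptions made for the example.

```python
"""Sign and verify webhook deliveries with HMAC-SHA256 over timestamp + raw body.

Added illustration, not FixVibe's check and not any specific provider's scheme.
Header names, the "<timestamp>.<body>" construction and the tolerance window
are assumptions; the secret and event below are constructed.
"""
import hashlib
import hmac
import time

TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"
TOLERANCE_SECONDS = 300   # replay window a receiver is willing to accept


def sign_webhook(secret, timestamp, body):
    """Producer side: hex HMAC-SHA256 over b'<timestamp>.' + raw body bytes."""
    message = f"{timestamp}.".encode() + body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, body, now=None):
    """Receiver side. Returns (accepted, reason).

    body must be the raw request bytes: re-serialising parsed JSON changes
    whitespace and key order and breaks the signature.
    """
    timestamp = headers.get(TIMESTAMP_HEADER)
    signature = headers.get(SIGNATURE_HEADER)
    if timestamp is None or signature is None:
        return False, "missing signature or timestamp header"
    try:
        ts = int(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale timestamp (outside replay window)"
    expected = sign_webhook(secret, ts, body)
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        return False, "signature mismatch"
    return True, "ok"


# Constructed delivery.
SECRET = "whsec_constructed_example_secret"
BODY = b'{"event":"payment.succeeded","amount":4200,"currency":"usd"}'
SENT_AT = 1_700_000_000


def example_headers():
    return {TIMESTAMP_HEADER: str(SENT_AT),
            SIGNATURE_HEADER: sign_webhook(SECRET, SENT_AT, BODY)}


if __name__ == "__main__":
    h = example_headers()
    print("genuine:", verify_webhook(SECRET, h, BODY, now=SENT_AT + 5))
    print("tampered body:", verify_webhook(SECRET, h, BODY.replace(b"4200", b"1"), now=SENT_AT + 5))
    print("replayed later:", verify_webhook(SECRET, h, BODY, now=SENT_AT + 3600))
```

Binding the timestamp into the signed message is what makes the replay window enforceable: an attacker who captures a genuine delivery cannot move its timestamp forward without invalidating the signature. Verify before parsing the body, and reject on any failure rather than logging and continuing.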
ws Excessive-Header DoS Advisory
Affected ws server runtimes can crash when upgrade requests carry too many headers.
AI-Generated Code Guardrails
Fast AI-assisted changes need repo-level security rails.
Checking @andrei-tatar/nora-firebase-common for CVE-2024-30564
Checking Apache ActiveMQ Artemis for CVE-2026-27446
Checking Apache Spark for CVE-2022-33891
Checking Cargo files for the malicious onering crate
Checking http4k-format-xml for CVE-2024-55875
Checking kill-port-process for CVE-2019-15609
Checking Log4j 1.2 JMSAppender for CVE-2021-4104
Checking Note Mark backend for CVE-2026-44522
Checking npm package versions and binding.gyp for the Phantom Gyp worm
Checking OpenSSL PowerPC builds for CVE-2023-6129
Checking Perl GD for CVE-2026-11526
Checking Red Hat npm package versions for the worm campaign
Checking WebdriverIO BrowserStack service for CVE-2026-25244
Kubernetes Service ExternalIPs Advisory
ExternalIPs in Service manifests deserve RBAC and admission-policy review.
Mbed TLS Certificate-Validation Advisory
Affected Mbed TLS 3.x evidence deserves upgrade and client-auth review.
OpenSSL TLSv1.3 Session Memory-Growth Advisory
A vulnerable OpenSSL runtime plus no-ticket TLSv1.3 session handling can create D
oS risk.
Oracle Java SE / GraalVM Runtime Advisory
Affected Oracle runtime metadata deserves an update, not DoS reproduction.
Repo Security Hygiene
Branch protection, action pinning, secret hygiene: how your repo is run matters more than the code.
Reviewing repo code against web app risk patterns
