FixVibe

// vulnerability research

Vulnerability research for AI-built websites and apps.

Source-grounded notes on vulnerabilities that matter to AI-generated web apps, BaaS stacks, frontend bundles, auth, and dependency security.

Research articles summarize public vulnerability trends. Scan coverage is described only when a FixVibe check is already available.
46 published · 39 live checks · 46 matches

Latest research · Research note · high

UnrealIRCd SASL Certificate Fingerprint Spoofing Authentication Bypass (CVE-2016-7144)

A vulnerability in the SASL authentication module (m_sasl) of UnrealIRCd before 3.2.10.7, and 4.x before 4.0.6, allows remote attackers to spoof TLS certificate fingerprints. By sending a crafted AUTHENTICATE parameter, an attacker can bypass fingerprint-based authentication and log in as another user.

All research

46 articles

Research note · critical · May 18, 2026

SQL Injection in GeniXCMS author.control.php (CVE-2017-5517)

GeniXCMS versions up to and including 0.0.8 contain an SQL injection flaw in the author.control.php component. Remote attackers can inject SQL through the 'type' parameter and read or modify database contents, which in a CMS typically includes the administrator accounts.

CVE-2017-5517 · CWE-89
Research note · medium · May 18, 2026

SPIP valider_xml.php Cross-Site Scripting (CVE-2016-7981)

A Cross-Site Scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.

CVE-2016-7981 · CWE-79
Research note · critical · May 18, 2026

Command Injection in electerm via runLinux Function (CVE-2026-41501)

A critical command injection vulnerability (CVE-2026-41501) was discovered in electerm, a terminal/ssh/sftp client. In versions prior to 3.3.8, the application's runLinux function fails to sanitize its inputs before executing them, allowing attackers to execute arbitrary system commands.

CVE-2026-41501 · GHSA-8x35-hph8-37hq · CWE-77
Research note · medium · May 18, 2026

SSH Terrapin Attack: Integrity Bypass in Transport Protocol (CVE-2023-48795)

CVE-2023-48795, the Terrapin attack, lets an attacker-in-the-middle delete packets from the SSH handshake without either side noticing, by manipulating sequence numbers before the secure channel is fully established. Dropping the extension-negotiation message (SSH_MSG_EXT_INFO) downgrades or disables security features the peers would otherwise have agreed on. The attack needs ChaCha20-Poly1305 or a CBC cipher in Encrypt-then-MAC mode; the fix is the "strict kex" countermeasure (kex-strict-*-v00@openssh.com), which only works when both client and server support it. [S1]

CVE-2023-48795 · CWE-354
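The check a practitioner wants for the note above is whether a peer's offered algorithms still expose it. Below is an added example, not FixVibe's scanner or OpenSSH code: it parses an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and reports Terrapin exposure using the same rule the public Terrapin scanners apply (ChaCha20-Poly1305 or CBC-with-EtM offered, and no strict-kex pseudo-algorithm). The two KEXINIT payloads are constructed for the demo, not captured from real hosts.

```javascript
// Added example: KEXINIT parser + Terrapin (CVE-2023-48795) exposure rule.
// Not FixVibe's code; sample payloads below are constructed, not captured.

// name-list = uint32 length + comma-separated ASCII names (RFC 4251)
function encodeNameList(names) {
  const body = Buffer.from(names.join(","), "ascii");
  const len = Buffer.alloc(4);
  len.writeUInt32BE(body.length, 0);
  return Buffer.concat([len, body]);
}

// KEXINIT layout: byte 20, 16-byte cookie, ten name-lists, boolean, uint32 reserved
const FIELDS = ["kex", "hostKey", "encC2S", "encS2C", "macC2S", "macS2C",
                "compC2S", "compS2C", "langC2S", "langS2C"];

function buildKexInit(lists) {
  const head = Buffer.concat([Buffer.from([20]), Buffer.alloc(16, 0xab)]);
  const tail = Buffer.alloc(5, 0); // first_kex_packet_follows = false, reserved = 0
  return Buffer.concat([head, ...FIELDS.map((f) => encodeNameList(lists[f] || [])), tail]);
}

function parseKexInit(buf) {
  if (buf[0] !== 20) throw new Error("not an SSH_MSG_KEXINIT payload");
  let off = 17; // skip message id + cookie
  const out = {};
  for (const f of FIELDS) {
    const len = buf.readUInt32BE(off); off += 4;
    const s = buf.subarray(off, off + len).toString("ascii"); off += len;
    out[f] = s.length ? s.split(",") : [];
  }
  return out;
}

// Terrapin needs ChaCha20-Poly1305 or a CBC cipher with an Encrypt-then-MAC MAC,
// and is defeated only when both peers advertise the strict-kex pseudo-algorithm.
// This rule looks at one peer's offer; the negotiated choice also depends on the other side.
function terrapinExposure(kex) {
  const strictKex = kex.kex.some((a) =>
    a === "kex-strict-s-v00@openssh.com" || a === "kex-strict-c-v00@openssh.com");
  const ciphers = [...new Set([...kex.encC2S, ...kex.encS2C])];
  const macs = [...new Set([...kex.macC2S, ...kex.macS2C])];
  const chacha20 = ciphers.includes("chacha20-poly1305@openssh.com");
  const cbcEtm = ciphers.some((c) => c.endsWith("-cbc")) && macs.some((m) => m.endsWith("-etm@openssh.com"));
  return { strictKex, chacha20, cbcEtm, vulnerable: !strictKex && (chacha20 || cbcEtm) };
}

// Constructed offers: a pre-patch server and a patched one
const LEGACY_SERVER = buildKexInit({
  kex: ["curve25519-sha256", "ecdh-sha2-nistp256"],
  hostKey: ["ssh-ed25519"],
  encC2S: ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
  encS2C: ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
  macC2S: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
  macS2C: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
  compC2S: ["none"], compS2C: ["none"],
});

const PATCHED_SERVER = buildKexInit({
  kex: ["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
  hostKey: ["ssh-ed25519"],
  encC2S: ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
  encS2C: ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
  macC2S: ["hmac-sha2-256-etm@openssh.com"],
  macS2C: ["hmac-sha2-256-etm@openssh.com"],
  compC2S: ["none"], compS2C: ["none"],
});

function scan(payload) {
  return terrapinExposure(parseKexInit(payload));
}
```

To use it against a live host, read the server's first packet after the version exchange, strip the binary-packet framing (length, padding length, padding) and feed the payload to scan(). A server that drops ChaCha20 and CBC entirely is safe even without strict kex; one that keeps them is safe only if the client also sends its strict-kex marker.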
Research note · critical · May 18, 2026

OS Command Injection in openDCIM (CVE-2026-28517)

openDCIM version 23.04, through commit 4467e9c4, contains a critical OS command injection vulnerability. The application fails to sanitize the 'dot' configuration parameter retrieved from the database before passing it to the exec() function in report_network_map.php, allowing arbitrary OS commands to run with the web server's privileges.

CVE-2026-28517 · CWE-78
Research note · critical · May 18, 2026

MagicMirror Unauthenticated SSRF via /cors Endpoint (CVE-2026-42281)

MagicMirror versions 2.35.0 and earlier are affected by a critical Server-Side Request Forgery (SSRF) vulnerability. An unauthenticated attacker can exploit the /cors endpoint to make arbitrary requests to internal or external resources, potentially exposing sensitive internal services or cloud metadata endpoints.

CVE-2026-42281 · GHSA-ph6f-2cvq-79hq · CWE-918
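A /cors-style proxy is only as safe as its destination check. The following is an added example, not MagicMirror's code: the validation such an endpoint should run on a user-supplied URL before fetching it. It checks scheme, embedded credentials, literal private/loopback/link-local addresses (including the 169.254.169.254 metadata address) and an allowlist of hostnames; the allowlist entries are invented. Only literal IPs are inspected, so a real deployment must also resolve the hostname and re-check the resulting address at connect time, or DNS rebinding bypasses it.

```javascript
// Added example: SSRF destination check for a URL-proxying endpoint (CWE-918).
// Not MagicMirror's code; ALLOWED hostnames are constructed for the demo.

function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}

// RFC 1918, loopback, "this" network, link-local (covers 169.254.169.254), CGNAT
function isPrivateIPv4(o) {
  const [a, b] = o;
  return a === 10 || a === 127 || a === 0 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Works on the bracketed, WHATWG-serialised form that URL.hostname returns for IPv6
function isPrivateIPv6(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "::1" || h === "::") return true;                     // loopback / unspecified
  if (/^f[cd]/.test(h)) return true;                               // unique local fc00::/7
  if (/^fe[89ab]/.test(h)) return true;                            // link-local fe80::/10
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h); // IPv4-mapped, hex form
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return isPrivateIPv4([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff]);
  }
  return false;
}

function validateProxyTarget(rawUrl, allowedHosts) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable url" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  if (url.username || url.password) return { ok: false, reason: "credentials in url" };
  // The WHATWG parser already normalises tricks like 0x7f000001 or 2130706433 to 127.0.0.1
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  const v4 = ipv4Octets(host);
  if (v4 && isPrivateIPv4(v4)) return { ok: false, reason: "private ipv4" };
  if (host.startsWith("[") && isPrivateIPv6(host)) return { ok: false, reason: "private ipv6" };
  if (!allowedHosts.has(host)) return { ok: false, reason: "host not on allowlist" };
  return { ok: true, target: url.toString() };
}

// Constructed allowlist: the upstream APIs this proxy is meant to front
const ALLOWED = new Set(["api.openweathermap.org", "api.example.com"]);
```

Deny-by-default with an allowlist is the stronger control; the private-range checks are defence in depth for the case where the allowlist is widened later or a listed host resolves somewhere unexpected.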
Covered by FixVibe · high · May 18, 2026

Alkacon OpenCms XXE Information Disclosure (CVE-2023-42344)

Alkacon OpenCms versions before 10.5.1 are associated with CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, an XXE information-disclosure advisory. FixVibe repo scans now flag target-specific Maven pom.xml evidence as a version-based advisory, without claiming XXE exploit confirmation.

CVE-2023-42344 · GHSA-rcc6-6q2f-m2cw · CWE-611
Covered by FixVibe · high · May 17, 2026

Command Injection in electerm Install Script (CVE-2026-41500)

electerm versions before 3.3.8 are associated with CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f, an install-script command-injection advisory. FixVibe repo scans now flag target-specific npm manifest and lockfile evidence as a version-based advisory, without claiming exploit execution.

CVE-2026-41500 · GHSA-wxw2-rwmh-vr8f · CWE-77
Covered by FixVibe · high · May 17, 2026

CKAN Unauthenticated SQL Injection and Authorization Bypass (CVE-2026-42031)

CKAN's datastore_search_sql API endpoint contains a high-severity vulnerability allowing unauthenticated attackers to execute arbitrary SQL queries. This leads to unauthorized data access and authorization bypass in versions prior to 2.10.10.

CVE-2026-42031 · GHSA-h7j7-3rx6-xvcg · CWE-89
Covered by FixVibe · high · May 16, 2026

FUXA Hardcoded JWT Fallback Secret (CVE-2025-69971)

FUXA, an open-source SCADA/HMI platform, is vulnerable to a high-severity authentication bypass. In versions 1.2.11 and earlier, the application uses a hardcoded fallback secret to sign JSON Web Tokens (JWTs) if no custom secret is configured. This allows attackers to forge administrative tokens and gain full control over the system.

CVE-2025-69971 · GHSA-c8m8-3jcr-6rj5 · CWE-321
Covered by FixVibe · high · May 16, 2026

Arbitrary JavaScript Execution in PDF.js (CVE-2024-4367)

CVE-2024-4367 is a high-severity vulnerability in PDF.js (versions 4.1.392 and below) that lets a crafted PDF run arbitrary JavaScript in the origin of the page embedding the viewer: font data taken from the document reached a code path that compiled it as JavaScript. The result is XSS against the embedding site and exposure of whatever that origin can reach. Remediation is upgrading to version 4.2.67 or later; as an interim control, pass isEvalSupported: false to getDocument so that code path is disabled.

CVE-2024-4367 · GHSA-wgrm-67xf-hhpq · CWE-754
Covered by FixVibe · critical · May 15, 2026

SQL Injection in Ghost Content API (CVE-2026-26980)

Ghost versions 3.24.0 through 6.19.0 contain a critical SQL injection vulnerability in the Content API. This allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to data exfiltration or unauthorized modifications.

CVE-2026-26980 · GHSA-w52v-v783-gw97 · CWE-89
Covered by FixVibe · high · May 15, 2026

Remote Code Execution in SPIP via Template Tags (CVE-2016-7998)

SPIP versions 3.1.2 and earlier contain a vulnerability in the template composer. Authenticated attackers can upload HTML files with crafted INCLUDE or INCLURE tags to execute arbitrary PHP code on the server.

CVE-2016-7998 · CWE-20
Covered by FixVibe · high · May 15, 2026

ZoneMinder Apache Configuration Information Disclosure (CVE-2016-10140)

ZoneMinder versions 1.29 and 1.30 are affected by a bundled Apache HTTP Server misconfiguration. This flaw allows remote, unauthenticated attackers to browse the web root directory, potentially leading to sensitive information disclosure and authentication bypass.

CVE-2016-10140 · CWE-200
Covered by FixVibe · medium · May 15, 2026

Next.js Security Header Misconfiguration in next.config.js

Next.js applications using next.config.js for header management are susceptible to security gaps if path-matching patterns are imprecise. This research explores how wildcard and regex misconfigurations lead to missing security headers on sensitive routes and how to harden the configuration.

CWE-1021 · CWE-200
Covered by FixVibe · medium · May 15, 2026

Inadequate Security Header Configuration

Web applications often fail to implement essential security headers, leaving users exposed to cross-site scripting (XSS), clickjacking, and content injection. By following established web security guidelines and using auditing tools like the MDN HTTP Observatory, developers can significantly harden their applications against common browser-based attacks.

CWE-693
Covered by FixVibe · high · May 15, 2026

Mitigating OWASP Top 10 Risks in Rapid Web Development

Indie hackers and small teams often face unique security challenges when shipping fast, especially with AI-generated code. This research highlights recurring risks from the CWE Top 25 and OWASP categories, including broken access control and insecure configurations, providing a foundation for automated security checks.

CWE-285 · CWE-79 · CWE-89
Covered by FixVibe · medium · May 15, 2026

Insecure HTTP Header Configurations in AI-Generated Applications

Applications generated by AI assistants frequently lack essential HTTP security headers, failing to meet modern security standards. This omission leaves web applications vulnerable to common client-side attacks. By utilizing benchmarks like the Mozilla HTTP Observatory, developers can identify missing protections such as CSP and HSTS to improve their application's security posture.

CWE-693
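The three header notes above (the Next.js path-matching note and the two missing-header notes) share one practical workflow: audit what the app actually sends, then fix the configuration so the headers reach every route. The following is an added example, not FixVibe's check and not Next.js code. It audits a header set against the thresholds the MDN HTTP Observatory publishes (HSTS max-age of at least six months, a CSP whose effective script-src has no 'unsafe-inline' without a nonce or hash, a clickjacking control, nosniff, a Referrer-Policy) and then emits a Next.js headers() entry. The sample header sets are constructed; the hardened CSP is a starting point that a real app tunes to its own script sources.

```javascript
// Added example: security-header audit (CWE-693) plus a Next.js headers() entry
// whose `source` covers every route. Not FixVibe's or Next.js's code; samples constructed.

function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];

  const hsts = h["strict-transport-security"];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push("missing Strict-Transport-Security");
  else if (!maxAge || Number(maxAge[1]) < 15552000) findings.push("HSTS max-age below six months");

  const csp = h["content-security-policy"];
  const d = csp ? parseCsp(csp) : {};
  if (!csp) findings.push("missing Content-Security-Policy");
  else {
    const script = d["script-src"] || d["default-src"]; // script-src falls back to default-src
    if (!script) findings.push("CSP lacks default-src/script-src");
    else if (script.includes("'unsafe-inline'") &&
             !script.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s))) {
      findings.push("CSP allows 'unsafe-inline' scripts without nonce/hash");
    }
  }
  if (!d["frame-ancestors"] && !h["x-frame-options"]) {
    findings.push("no clickjacking protection (frame-ancestors / X-Frame-Options)");
  }
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }
  if (!h["referrer-policy"]) findings.push("missing Referrer-Policy");
  return findings;
}

// Hardened baseline (constructed); tune script-src to the app's real script origins
const HARDENED = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

// Entry for next.config.js `async headers()`. A `source` of "/" matches only the root
// route and "/dashboard" only that exact path, so sub-routes ship without these headers;
// "/:path*" matches every route, including "/".
function nextHeadersConfig(source = "/:path*") {
  return [{ source, headers: Object.entries(HARDENED).map(([key, value]) => ({ key, value })) }];
}

// Constructed sample of what an AI-generated app often ships
const WEAK = {
  "Strict-Transport-Security": "max-age=3600",
  "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
  "X-Powered-By": "Next.js",
};
```

Run auditHeaders() over the headers of a few representative responses (root, a deep app route, an API route, a static asset), not just the home page; a header block scoped to the wrong `source` passes the home-page check and fails everywhere else.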
Covered by FixVibe · high · May 15, 2026

Detecting and Preventing Cross-Site Scripting (XSS) Vulnerabilities

Cross-Site Scripting (XSS) occurs when an application includes untrusted data in a web page without proper validation or encoding. This allows attackers to execute malicious scripts in the victim's browser, leading to session hijacking, unauthorized actions, and sensitive data exposure.

CWE-79
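The defect in the note above is string concatenation into markup, and the fix is encoding for the exact context the data lands in, which differs between element text and an href. Below is an added example, not FixVibe's check: a vulnerable server-side render beside a safe one, with an HTML text/attribute encoder and an href filter that only lets http(s) URLs through (relative links are rejected in this demo for simplicity). The user record and payloads are constructed.

```javascript
// Added example: CWE-79 render defect and its context-aware fix. Not FixVibe's code;
// the user record and payloads below are constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Safe for element text and for double-quoted attribute values
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// href needs scheme validation as well as encoding: "javascript:" survives HTML
// escaping untouched. The WHATWG parser strips tabs/newlines and lower-cases the
// scheme, so "JavaScript:" and "java\nscript:" are caught too. Relative URLs throw
// in new URL() without a base and are rejected here.
function safeHref(s) {
  let u;
  try { u = new URL(String(s)); } catch { return "#"; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return "#";
  return escapeHtml(u.href);
}

// Vulnerable: untrusted fields concatenated straight into markup
function renderVulnerable(user) {
  return `<p>Welcome, ${user.name}</p><a href="${user.homepage}">homepage</a>`;
}

// Fixed: each field encoded for the context it lands in
function renderSafe(user) {
  return `<p>Welcome, ${escapeHtml(user.name)}</p><a href="${safeHref(user.homepage)}">homepage</a>`;
}

// Constructed attacker-controlled profile
const PAYLOAD = {
  name: "<script>alert(document.cookie)</script>",
  homepage: "JavaScript:alert(1)",
};
```

In a templating engine or React this is the difference between the default (auto-escaped) interpolation and the escape hatches (dangerouslySetInnerHTML, unescaped `{{{ }}}`, raw filters); the scanner signal is untrusted input flowing into one of those without an encoder in between.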