// vulnerability research
Vulnerability research for AI-built websites and apps.
Source-grounded notes on vulnerabilities that matter to AI-generated web apps, BaaS stacks, frontend bundles, auth, and dependency security.
SQL Injection in Ghost Content API (CVE-2026-26980)
Ghost versions 3.24.0 through 6.19.0 contain a critical SQL injection vulnerability in the Content API. It allows unauthenticated attackers to execute arbitrary SQL statements, potentially leading to data exfiltration or unauthorized modification.
All research
34 articles
Remote Code Execution in SPIP via Template Tags (CVE-2016-7998)
SPIP versions 3.1.2 and earlier contain a vulnerability in the template composer. Authenticated attackers can upload HTML files containing crafted INCLUDE or INCLURE tags to execute arbitrary PHP code on the server.
ZoneMinder Apache Configuration Information Disclosure (CVE-2016-10140)
ZoneMinder versions 1.29 and 1.30 are affected by an Apache HTTP Server configuration error. The flaw allows remote, unauthenticated attackers to browse the web root directory, potentially leading to sensitive information disclosure and authentication bypass.
Next.js Security Header Misconfiguration in next.config.js
Next.js applications that use next.config.js to manage headers are exposed to security gaps when route matching patterns are configured poorly. This research examines how pattern and regex mistakes cause security headers to go missing on critical routes, and how to harden the configuration.
Security Header Configuration Best Practices
Web applications frequently fail to implement essential security headers, leaving users exposed to cross-site scripting (XSS), clickjacking, and data injection. By following web security standards and using scanning tools such as MDN Observatory, developers can substantially harden their applications against common browser-based attacks.
Mitigating the OWASP Top 10 Risks in Rapid Web Development
Indie hackers and small teams often face unique security challenges when shipping quickly, especially with AI-generated code. This research highlights recurring risks from the CWE Top 25 and the OWASP categories, including broken access control and security misconfiguration, and provides a foundation for automated security scanning.
Insecure HTTP Header Configuration in AI-Generated Applications
Applications generated by AI assistants frequently lack essential HTTP security headers and fall short of modern security standards. This omission leaves web applications vulnerable to common client-side attacks. Using benchmarks such as Mozilla HTTP Observatory, developers can identify missing protections such as CSP and HSTS and improve their applications' security posture.
Identifying and Preventing Cross-Site Scripting (XSS) Vulnerabilities
Cross-site scripting (XSS) occurs when an application includes untrusted data in a web page without proper validation or encoding. This allows attackers to execute malicious scripts in the victim's browser, leading to session hijacking, unauthorized actions, and exposure of sensitive data.
LiteLLM Proxy SQL Injection (CVE-2026-42208)
A critical SQL injection vulnerability (CVE-2026-42208) in the LiteLLM proxy component allows attackers to bypass authentication or access sensitive database records by exploiting the API key validation logic.
Security Risks of Vibe Coding: Auditing AI Code
The rise of 'vibe coding' (building applications primarily through AI prompting) introduces risks such as hardcoded credentials and insecure code patterns. Because AI models may suggest code based on training data that contains flaws, their output must be treated as untrusted and audited with automated scanning tools to prevent data exposure.
JWT Security: Risks of Insecure Tokens and Missing Claims
JSON Web Tokens (JWTs) provide a standard for transferring claims, but their security depends on proper validation. Failing to verify signatures, expiration times, or intended audiences allows attackers to bypass authentication or replay tokens.
Securing Vercel Deployments: Protection and Best Practices
This research examines the security configuration of Vercel-hosted applications, focusing on Deployment Protection and custom HTTP headers. It explains how these features protect preview environments and enforce browser-side security policies to prevent unauthorized access and common web attacks.
Critical OS Command Injection in LibreNMS (CVE-2024-51092)
LibreNMS versions up to 24.9.1 contain a critical OS command injection vulnerability (CVE-2024-51092). Authenticated attackers can execute arbitrary commands on the host system, potentially leading to full compromise of the monitoring infrastructure.
LiteLLM SQL Injection in Proxy API Key Validation (CVE-2026-42208)
LiteLLM versions 1.81.16 through 1.83.6 contain a critical SQL injection vulnerability in the Proxy API key validation logic. The flaw allows unauthenticated attackers to bypass authentication controls or access underlying database data. The issue is fixed in version 1.83.7.
Firebase Security Rules: Preventing Unauthorized Data Exposure
Firebase Security Rules are the primary line of defense for serverless applications using Firestore and Cloud Storage. When these rules are overly permissive, such as granting global read or write access, attackers can bypass the intended application logic to steal or delete sensitive data. This research examines common pitfalls, the risk of 'test mode', and how to implement identity-based access control.
CSRF Protection: Preventing Unauthorized State Changes
Cross-Site Request Forgery (CSRF) remains a major threat to web applications. This research examines how modern frameworks such as Django implement protection and how browser-level measures such as SameSite cookies provide defense in depth against unauthorized requests.
API Security Checklist: 12 Things to Check Before Going Live
APIs are the backbone of modern web applications but often lack the hardened security of traditional frontends. This research article outlines an essential checklist for securing APIs, focusing on access control, rate limiting, and cross-origin resource sharing (CORS) to prevent data breaches and service abuse.
API Key Leaks: Risks and Remediation in Modern Web Projects
Hardcoded secrets in frontend code or repository history allow attackers to impersonate services, access private data, and run up costs. This article covers the risks of leaked secrets and the appropriate steps for cleanup and prevention.
CORS Misconfiguration: Risks of Permissive Policies
Cross-Origin Resource Sharing (CORS) is a browser mechanism designed to relax the Same-Origin Policy (SOP). While necessary for modern web applications, improper implementation (such as reflecting the requester's Origin header or allowing weakly validated origins) can let malicious sites exfiltrate private user data.
Securing the MVP: Preventing Data Leaks in AI-Generated SaaS Products
Rapidly developed SaaS applications often suffer from critical security oversights. This research examines how exposed secrets and broken access controls, such as missing Row Level Security (RLS), lead to high-impact breaches in modern web stacks.
