// vulnerability research
Vulnerability research for AI-built websites and apps.
Source-grounded notes on vulnerabilities that matter to AI-generated web apps, BaaS stacks, frontend bundles, auth, and dependency security.
SQL injection in Ghost Content API (CVE-2026-26980)
Ghost versions 3.24.0 through 6.19.0 contain a critical SQL injection vulnerability in the Content API. It allows unauthenticated attackers to execute arbitrary SQL statements, potentially leading to data exfiltration or unauthorized modification.
All research
34 articles
Remote code execution in SPIP via template tags (CVE-2016-7998)
SPIP versions 3.1.2 and earlier contain a vulnerability in the template composer. Authenticated attackers can upload HTML files containing crafted INCLUDE or INCLURE tags to execute arbitrary PHP code on the server.
ZoneMinder configuration information disclosure (CVE-2016-10140)
ZoneMinder versions 1.29 and 1.30 are affected by an insecure Apache HTTP Server configuration. This flaw allows unauthenticated attackers to browse the web root directory, potentially leading to sensitive information disclosure and authentication bypass.
Next.js security header configuration in next.config.js
Next.js applications that manage security headers through next.config.js can be left with security gaps when the route-matching patterns do not match as intended. This research examines how wildcard and regex misconfigurations lead to missing security headers on sensitive routes that are hard to configure correctly.
Insufficient security header configuration
Web applications frequently fail to implement essential security headers, leaving users exposed to cross-site scripting (XSS), clickjacking, and data injection. By following established web security guidelines and using analysis tools such as MDN Observatory, developers can significantly harden their applications against browser-based attacks.
Mitigating OWASP Top Ten risks in rapid web app development
Indie hackers and small teams face distinctive security challenges when shipping quickly, especially with AI-generated code. This research highlights frequently recurring risks from the CWE Top 25 and OWASP categories, including broken access control and insecure configuration, and provides a baseline for automated security checks.
HTTP security header configuration in AI-generated apps
Applications generated by AI assistants often lack essential HTTP security headers and fall short of modern security standards. This omission leaves rapidly built web apps open to common client-side attacks. By using scanners such as Mozilla HTTP Observatory, developers can identify missing protections such as CSP and HSTS and improve their application's security posture.
Finding and preventing Cross-Site Scripting (XSS) vulnerabilities
Cross-site scripting (XSS) occurs when an application includes untrusted data in a web page without proper validation or output encoding. This allows attackers to execute malicious scripts in the victim's browser, leading to session hijacking, unauthorized actions, and disclosure of sensitive data.
LiteLLM Proxy SQL injection (CVE-2026-42208)
A critical SQL injection vulnerability (CVE-2026-42208) in the LiteLLM proxy allows attackers to bypass authentication or access sensitive database information through the API key verification logic.
Security risks of vibe coding: auditing AI-generated code
The rise of 'vibe coding', building applications primarily with AI-powered tools, introduces risks such as hardcoded secrets and insecure coding patterns. Because AI models may suggest code learned from vulnerable training data, their output should be treated as untrusted and reviewed with automated scanning tools to prevent data exposure.
JWT security: risks of insecure tokens and missing validation
JSON Web Tokens (JWTs) provide a standard for transmitting claims, but their security depends on strict validation. Failing to verify the signature, the expiration time, or the expected claims allows attackers to bypass authentication or tamper with tokens.
Securing Vercel deployments: protection and best practices
This research examines security configuration for Vercel-hosted applications, focusing on Deployment Protection and custom HTTP headers. It explains how these features protect preview environments and enforce browser-side security policies to prevent unauthorized access and common web attacks.
Critical OS command injection in LibreNMS (CVE-2024-51092)
LibreNMS versions up to 24.9.1 contain a critical OS command injection vulnerability (CVE-2024-51092). Authenticated attackers can execute arbitrary commands on the host system, potentially leading to full compromise of the monitoring infrastructure.
LiteLLM SQL injection in Proxy API key verification (CVE-2026-42208)
LiteLLM versions 1.81.16 through 1.83.6 contain a critical SQL injection vulnerability in the API key verification logic. This flaw allows unauthenticated attackers to bypass authentication controls or access the underlying database. The issue was fixed in version 1.83.7.
Firebase Security Rules: preventing unauthorized data exposure
Firebase Security Rules are the primary security layer for serverless applications that use Firestore and Cloud Storage. When these rules are overly permissive, such as allowing global read or write access in production, attackers can bypass the intended application logic to steal or delete sensitive data. This research examines common misconfigurations, the danger of the default 'test mode' rules, and how to implement identity-based access control.
CSRF protection: defending against unauthorized state changes
Cross-site request forgery (CSRF) remains a major threat to web applications. This research examines how modern frameworks such as Django implement protection and how browser-level features such as SameSite cookies provide defense in depth against unauthorized requests.
API security checklist: twelve things to check before going live
APIs are the backbone of modern web applications, yet they rarely receive the security scrutiny given to traditional frontends. This research article lays out an essential checklist for securing APIs, focusing on access control, rate limiting, and cross-origin resource sharing (CORS) to prevent data breaches and service abuse.
API key leakage: risks and remediation in modern web apps
Secrets hardcoded in frontend code or left in commit history allow attackers to impersonate services, access private data, and run up charges. This article covers the risks of secret leakage and the essential steps for cleanup and prevention.
CORS misconfiguration: risks of overly permissive policies
Cross-Origin Resource Sharing (CORS) is a browser mechanism designed to relax the Same-Origin Policy (SOP). While it is essential for modern web applications, incorrect implementations, such as reflecting the requesting origin or allowlisting the 'null' origin, can let malicious sites exfiltrate private user data.
Securing MVPs: preventing data leaks in AI-generated SaaS apps
Rapidly built SaaS applications often suffer from critical security oversights. This research examines how leaked secrets and broken access control, such as missing row-level security (RLS), create high-severity vulnerabilities in modern web stacks.
