Vulnerability Database
Web Security Vulnerabilities
A practical reference covering the most critical vulnerabilities in modern web apps — with real attack examples, fixes, and how VibeWShield detects each one.
Cloud Storage Misconfiguration
Publicly accessible S3 buckets, GCS buckets, and Vercel/Netlify deployments expose sensitive files, environment variables, and internal build artifacts — a critical risk in AI-generated apps.
Command Injection
Command injection lets attackers execute arbitrary OS commands on your server by injecting shell metacharacters into inputs that are passed to system commands.
Exposed Secrets & API Keys
Hardcoded API keys, tokens, and credentials accidentally leaked in JavaScript bundles, source maps, or public endpoints — a leading cause of cloud breaches.
HTTP Request Smuggling
HTTP Request Smuggling exploits discrepancies between how a frontend proxy and a backend server parse the boundaries of HTTP requests, allowing attackers to inject requests that are processed on behalf of other users.
LDAP Injection
Unsanitized input in LDAP search filters enables authentication bypass, directory enumeration, and data extraction from enterprise directory services.
MCP Server Security
Unauthenticated MCP servers, tool poisoning via prompt injection, and overly-permissive tool scopes give attackers direct access to AI agent capabilities — file reads, command execution, and database queries.
Prompt Injection
Prompt injection hijacks AI/LLM-powered features by injecting instructions into user inputs, causing the model to ignore its system prompt and perform unintended actions.
Server-Side Template Injection (SSTI)
SSTI occurs when user input is embedded into a template engine without sanitization, allowing attackers to execute arbitrary code on the server.
SQL Injection
SQL Injection lets attackers manipulate database queries by injecting malicious SQL code through user input, potentially exposing, modifying, or destroying all data in a database.
Web Cache Deception
Web cache deception tricks CDN caches into storing personalised pages as static resources — a single crafted URL leaks the victim's private data to anyone who requests it.
Business Logic Abuse
Business logic vulnerabilities allow attackers to exploit flaws in application workflows — bypassing payment steps, applying discounts multiple times, or escalating privileges by manipulating parameters that the application trusts without verification.
Cross-Site Scripting (XSS)
XSS lets attackers inject malicious scripts into web pages viewed by other users, enabling session hijacking, credential theft, and full account takeover.
DNS Misconfiguration
DNS Zone Transfer attacks, missing DNSSEC, absent CAA records, and low-TTL rebinding vectors expose infrastructure details and enable subdomain takeover in vibe-coded apps.
GraphQL Security
GraphQL misconfigurations — enabled introspection, missing query depth limits, and unlimited batching — expose your entire API schema to attackers and enable resource exhaustion attacks that can take down your server with a single query.
Host Header Injection
Host Header Injection tricks web applications into using an attacker-controlled domain when generating absolute URLs — poisoning password reset links, cache entries, and redirects so that victims are sent to attacker infrastructure.
HTTP/2 Attacks
H2C cleartext upgrade smuggling and CONNECT tunneling bypass proxy-layer authentication, rate limiting, and IP restrictions — reaching backend services directly.
Insecure Deserialization
Insecure deserialization allows attackers to tamper with serialized objects to achieve remote code execution, authentication bypass, or denial of service by exploiting language-specific deserialization gadget chains.
Insecure Direct Object Reference (IDOR)
IDOR lets attackers access other users' data by manipulating object identifiers in requests — changing user IDs, document IDs, or UUIDs to reach unauthorized resources.
Integer Overflow & Type Juggling
AI-generated code rarely validates numeric input types. Attackers send negative prices, NaN quantities, or overflow values to manipulate business logic — free items, infinite credits, or server crashes.
JWT Security Issues
Insecure JWT implementations — weak secrets, algorithm confusion, missing validation — let attackers forge tokens and impersonate any user including admins.
Mass Assignment
Mass assignment vulnerabilities occur when an API binds all user-supplied fields to a data model without filtering, allowing attackers to set fields they should never control — such as role, isAdmin, or plan — and escalate their own privileges.
NoSQL Injection
NoSQL injection manipulates MongoDB, Firebase, and other NoSQL database queries by injecting operator objects, bypassing authentication and exposing all records.
OAuth2 Security Misconfigurations
OAuth2 misconfigurations — open redirect_uri, missing PKCE, implicit flow, exposed client secrets — allow attackers to steal authorization codes and access tokens, leading to full account takeover without knowing the victim's password.
Path Traversal
Path traversal lets attackers access files outside the intended directory by injecting ../ sequences into file path parameters, exposing server configuration, credentials, and source code.
Payment Security (PCI-DSS)
Vibe-coded checkout pages frequently expose raw card inputs in the DOM, skip 3DS/SCA authentication, and forget to verify Stripe webhook signatures — turning a payment form into a data exfiltration endpoint.
Prototype Pollution
Prototype pollution lets attackers inject properties into JavaScript's Object prototype, affecting all objects in the application and potentially leading to remote code execution or authentication bypass.
Race Condition (TOCTOU)
Race conditions occur when multiple concurrent requests exploit a Time-of-Check to Time-of-Use window — allowing attackers to apply promo codes multiple times, double-spend balances, or claim rewards that should only be redeemable once.
Server-Side Request Forgery (SSRF)
SSRF tricks your server into making HTTP requests to internal infrastructure — cloud metadata endpoints, internal APIs, and services that should never be reachable from the internet.
Subdomain Takeover
Subdomain takeover lets attackers claim abandoned subdomains pointing to deprovisioned cloud services, hosting malicious content that appears to come from your trusted domain.
Web Cache Poisoning
Web cache poisoning tricks a caching layer into storing a malicious response and serving it to all subsequent users, turning a single attacker's request into a persistent attack affecting every visitor.
WebSocket Security
WebSocket vulnerabilities — unencrypted connections, missing authentication, and Cross-Site WebSocket Hijacking — allow attackers to intercept real-time data, send unauthorized messages, and hijack WebSocket sessions using a victim's browser cookies.
XML External Entity (XXE)
XXE injection exploits XML parsers to read local files, perform SSRF, or cause denial of service by defining malicious external entity references in XML input.
Account Enumeration
Account enumeration lets attackers discover which email addresses or usernames are registered by exploiting different server responses for valid vs. invalid accounts — enabling targeted phishing, credential stuffing, and brute-force attacks.
Client-Side Path Traversal
JavaScript constructs API paths from user input without sanitization — attackers inject ../ sequences in the browser to access unauthorized endpoints, invisible to WAFs.
CORS Misconfiguration
Misconfigured Cross-Origin Resource Sharing allows malicious websites to make authenticated API requests on behalf of logged-in users, stealing data and performing actions without consent.
Cross-Site Request Forgery (CSRF)
CSRF tricks authenticated users into unknowingly submitting requests to your application — changing their email, transferring funds, or deleting their account — from a malicious third-party site.
Dangling Markup Injection
When XSS is blocked by CSP but input is reflected without encoding, an unclosed HTML tag can exfiltrate sensitive page content to an attacker's server.
Email Security (SPF / DMARC / DKIM)
Missing or misconfigured SPF, DMARC, and DKIM records allow anyone on the internet to send emails that appear to come from your domain — enabling phishing attacks on your users and damaging your brand reputation with zero technical access to your systems.
HTTP Parameter Pollution
Sending the same parameter twice in a request exploits inconsistent server parsing — bypassing WAFs, overriding security parameters, and altering business logic without triggering validation.
Missing Rate Limiting
Without rate limiting, attackers can brute-force passwords and OTPs, scrape your entire database, enumerate valid accounts, and spam your API with unlimited requests at zero cost.
Missing Subresource Integrity (SRI)
Without SRI, a compromised CDN can serve malicious JavaScript or CSS to all your users — silently stealing credentials, injecting ads, or taking over sessions.
Open Redirect
Open redirects allow attackers to craft trusted-looking URLs on your domain that redirect victims to malicious sites — enabling phishing, credential theft, and OAuth token hijacking.
security.txt & robots.txt Audit
Missing or misconfigured security.txt hinders responsible disclosure, while robots.txt can inadvertently reveal sensitive internal paths to attackers.
VibeWShield automatically tests your app for all vulnerabilities in this database using 63 scanners. Results in under 3 minutes. No signup required.