Vulnerability Name CVE Severity
.htaccess File Detected
Access-Control-Allow-Origin header with wildcard (*) value
Active Mixed Content over HTTPS
Adobe ColdFusion 9 administrative login bypass CVE-2013-0625 CVE-2013-0629 CVE-2013-0631 CVE-2013-0632
Adobe Experience Manager Information Disclosure via Apache Sling v2.3.6 vulnerability CVE-2016-0956
Adobe Experience Manager Misconfiguration CVE-2016-0957
Apache Airflow Experimental API Auth Bypass CVE-2020-13927 CVE-2020-13927
Apache Axis2 administration console weak password
Apache Cassandra Unauthorized Access Vulnerability
Apache configured to run as proxy
Apache Geronimo default administrative credentials
Apache JServ protocol service
Apache Kafka Unauthorized Access Vulnerability
Apache mod_negotiation filename bruteforcing
Apache perl-status enabled
Apache Proxy HTTP CONNECT method enabled
Apache REST RCE CVE-2018-11770
Apache Roller OGNL injection CVE-2013-4212
Apache Server-Info Detected
Apache Server-Status Detected
Apache Solr endpoint
Apache solr service exposed
Apache Spark Master Unauthorized Access Vulnerability
Apache Spark Web UI Unauthorized Access Vulnerability
Apache stronghold-info enabled
Apache stronghold-status enabled
Apache Tapestry weak secret key
Apache Tomcat examples directory vulnerabilities
Apache Tomcat insecure default administrative password
Apache Tomcat version older than 6.0.35 CVE-2011-3190 CVE-2011-3375 CVE-2012-0022
Apache Tomcat version older than 6.0.36 CVE-2012-2733 CVE-2012-3439 CVE-2012-3546 CVE-2012-4431 CVE-2012-4534
Apache Tomcat version older than 7.0.21 CVE-2011-3190
Apache Tomcat version older than 7.0.23 CVE-2012-0022
Apache Tomcat version older than 7.0.28 CVE-2012-2733 CVE-2012-4534
Apache Tomcat version older than 7.0.30 CVE-2012-3439 CVE-2012-3544 CVE-2012-3546
Apache Tomcat version older than 7.0.32 CVE-2012-4431
Apache ZooKeeper Unauthorized Access Vulnerability
Application is Vulnerable to the JWT Alg None Attack
Arbitrary File Read on Nuxt.js Development Server
ASP.NET: Failure To Require SSL For Authentication Cookies
ASP.NET application-level tracing enabled
ASP.NET ASPX debugging enabled
ASP.NET connection strings stored in plaintext
ASP.NET cookieless authentication enabled
ASP.NET Cookieless session state enabled
ASP.NET cookies accessible from client-side scripts
ASP.NET Core Development Mode enabled
ASP.NET CustomErrors Is Disabled
ASP.NET debugging enabled
ASP.NET Deny missing from authorization rule on location
ASP.NET diagnostic page
ASP.NET error message
ASP.NET event validation disabled
ASP.NET expired session IDs are not regenerated
ASP.NET forms authentication using inadequate protection
ASP.NET header checking is disabled in web.config
ASP.NET login credentials stored in plain text
ASP.NET potential HTTP Verb Tampering
ASP.NET ValidateRequest Is Globally Disabled
ASP.NET viewstate encryption disabled
ASP.NET ViewStateUserKey Is Not Set
ASP.NET WCF metadata enabled for behavior
ASP.NET WCF replay attacks are not detected
ASP.NET WCF service include exception details
Atlassian Jira insecure REST permissions
Atlassian JIRA Servicedesk misconfiguration
Axis development mode enabled in WEB-INF/server-config.wsdd
Axis system configuration listing enabled in WEB-INF/server-config.wsdd
BottlePy weak secret key
Broken Link Hijacking
Case-Insensitive Routing Bypass in Express.js Application
Chrome Logger information disclosure
Clickjacking: CSP frame-ancestors missing
CodeIgniter development mode enabled
CodeIgniter session decoding vulnerability
CodeIgniter weak encryption key
ColdFusion administrator login page publicly available
ColdFusion RDS Service enabled
Consul API publicly exposed
Content Security Policy (CSP) Not Implemented
Content Security Policy Misconfiguration
Cookie signed with weak secret key
Cookies Not Marked as HttpOnly
Cookies Not Marked as Secure
Cookies with missing, inconsistent or contradictory properties
Cookies with Secure flag set over insecure connection
Core dump file
CouchDB REST API publicly accessible
CRIME SSL/TLS attack CVE-2012-4929
Custom Error Pages Are Not Configured in WEB-INF/web.xml
Delve Debugger Unauthorized Access Vulnerability
Devise weak password
Directory listings
Django Debug Toolbar
Django weak secret key
Docker Engine API is accessible without authentication
Docker Registry API is accessible without authentication
Drupal configuration file weak file permissions
Drupal trusted_host_patterns setting not configured
Elasticsearch service accessible
Elmah.axd / Errorlog.axd Detected
Error page path disclosure
Error page web server version disclosure
Express cookie-session weak secret key
Express express-session weak secret key
Express running in development mode
File Upload Functionality Detected
Firebase database accessible without authentication
Flask weak secret key
Frontpage authors.pwd available
FrontPage Identified
Gitlab open user registration
Gitlab user disclosure
GlassFish admin console weak credentials
GoCD information disclosure (CVE-2021-43287) CVE-2021-43287
Go web application binary disclosure
Grails database console
GraphiQL Explorer/Playground Enabled
GraphQL Alias Overloading Allowed: Potential Denial of Service Vulnerability
GraphQL Array-based Query Batching Allowed: Potential Batching Attack Vulnerability
GraphQL Circular-Query via Introspection Allowed: Potential DoS Vulnerability
GraphQL Field Suggestions Enabled
GraphQL Introspection Query Enabled
GraphQL Non-JSON Mutations over GET: Potential CSRF Vulnerability
GraphQL Non-JSON Queries over GET: Potential CSRF Vulnerability
GraphQL Non-JSON Queries over POST: Potential CSRF Vulnerability
GraphQL Unauthenticated Mutation Detected
GraphQL Unhandled Error Leakage
H2 console publicly accessible
Hadoop cluster web interface
Hadoop YARN ResourceManager publicly accessible
Hostile subdomain takeover
HTTP header reflected in cached response
Httpoxy vulnerability
HTTP Strict Transport Security (HSTS) Errors and Warnings
HTTP Strict Transport Security (HSTS) Policy Not Enabled
HTTP verb tampering via POST
IBM WebSphere administration console weak password
IIS extended unicode directory traversal vulnerability CVE-2000-0884
InfluxDB Unauthorized Access Vulnerability
Insecure crossdomain.xml policy
Insecure Referrer Policy
Insecure Transportation Security Protocol Supported (SSLv2)
Insecure Transportation Security Protocol Supported (SSLv3)
Insecure Transportation Security Protocol Supported (TLS 1.0)
Insecure Transportation Security Protocol Supported (TLS 1.1)
Internet Information Server returns IP address in HTTP header (Content-Location)
Invalid SSL Certificate
JAAS authentication bypass
Java Debug Wire Protocol remote code execution
Java Management Extensions (JMX/RMI) service detected
JavaMelody publicly accessible
JBoss BSHDeployer MBean
JBoss HttpAdaptor JMXInvokerServlet
JBoss JMX Console Unrestricted Access
JBoss JMX management console
JBoss ServerInfo MBean CVE-2010-0738
JBoss Server MBean
JBoss Web Console JMX Invoker
Jenkins Git Plugin missing permission check (CVE-2022-36883)
Jenkins open people list
Jenkins open user registration
Jenkins weak password
Jetpack 2.9.3: Critical Security Update CVE-2014-0173
Jetty ConcatServlet Information Disclosure (CVE-2021-28169) CVE-2021-28169
Jetty Information Disclosure (CVE-2021-34429) CVE-2021-34429
JIRA Security Advisory 2013-02-21
Joomla! 3.2.1 sql injection
Joomla! Core Security Bypass CVE-2017-11364
Joomla 1.5 end of life
Joomla Debug Console enabled
Joomla J!Dump extension enabled
JSF ViewState client side storage
Jupyter Notebook publicly accessible
Kentico Staging API publicly accessible
Laravel debug mode enabled
Laravel debug mode enabled (AcuSensor)
Laravel Health Monitor open
Laravel Horizon open
Laravel LogViewer open
Laravel Terminal open
Magento Cacheleak
Magento Config File Disclosure
MediaWiki remote code execution CVE-2014-1610
Memcached Unauthorized Access Vulnerability
Method Tampering
Microsoft Frontpage configuration information
Microsoft IIS5 NTLM and Basic authentication bypass CVE-2007-2815
Microsoft IIS WebDAV authentication bypass CVE-2009-1535
Misconfigured Access-Control-Allow-Origin Header
Missing Content-Type Header
Mojolicious weak secret key
MovableType remote code execution CVE-2015-1592
Multiple vulnerabilities fixed in PHP versions 5.5.12 and 5.4.28 CVE-2014-0185
Multiple vulnerabilities in Ioncube loader-wizard.php
MySQL utf8 4-byte truncation
Nginx PHP code execution via FastCGI
nginx SPDY heap buffer overflow CVE-2014-0133
Node.js Debugger Unauthorized Access Vulnerability
Node.js Inspector Unauthorized Access Vulnerability
Node.js Running in Development Mode
Node.js Web Application does not handle uncaughtException
Node.js Web Application does not handle unhandledRejection
Nuxt.js Running in Development Mode
OData feed accessible anonymously
Open Silverlight Client Access Policy
Oracle applications logs publicy available
Oracle E-Business Suite Frame Injection (CVE-2017-3528) CVE-2017-3528
Oracle E-Business Suite Information Disclosure
Oracle E-Business Suite iStore open user registration
Oracle PeopleSoft SSO weak secret key
OSGi Management Console Default Credentials
Overly long session timeout in servlet configuration
Padding oracle attack
Passive Mixed Content over HTTPS
Pentaho API Auth bypass (CVE-2021-31602) CVE-2021-31602
Permissions-Policy header not implemented
PHP allow_url_fopen Is Enabled
PHP allow_url_include enabled
PHP allow_url_include Is Enabled
PHP display_errors Is Enabled
PHP enable_dl enabled
PHP errors enabled
Phpfastcache phpinfo publicly accessible (CVE-2021-37704) CVE-2021-37704
PHP magic_quotes_gpc is disabled
PHP open_basedir Is Not Configured
PHP open_basedir is not set
PHP register_globals enabled
PHP register_globals Is Enabled
PHP session.use_only_cookies Is Disabled
PHP session.use_trans_sid enabled
Pyramid debug mode
Pyramid DebugToolbar enabled
Python Debugger Unauthorized Access Vulnerability
qdPM Information Disclosure
Rails application running in development mode
Reachable SharePoint interface
Redis Unauthorized Access Vulnerability
Request Smuggling
RethinkDB administrative interface publicly exposed
Reverse Proxy Detected
RoR Database Configuration File Detected
Roundcube security updates 0.8.6 and 0.7.3 CVE-2013-1904
Ruby framework weak secret key
Ruby on Rails Running in Development Mode
Ruby on Rails weak/known secret token CVE-2013-0156
Same site scripting
SAP ICF /sap/public/info sensitive information disclosure
SAP Knowledge Management and Collaboration (KMC) incorrect permissions
SAP Management Console get user list
SAP Management Console list logfiles
SAP NetWeaver Java AS WD_CHAT information disclosure vulnerability
SAP NetWeaver server info information disclosure
SAP NetWeaver server info information disclosure BCB
SAP weak/predictable user credentials
Sensitive pages could be cached
Session cookies scoped to parent domain
Session ID in URL
SharePoint exposed web services
SharePoint user enumeration
Spring Boot Actuator
Spring Boot Actuator v2
Spring Boot Misconfiguration: Actuator endpoint security disabled
Spring Boot Misconfiguration: Admin MBean enabled
Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed
Spring Boot Misconfiguration: Datasource credentials stored in the properties file
Spring Boot Misconfiguration: Developer tools enabled on production
Spring Boot Misconfiguration: H2 console enabled
Spring Boot Misconfiguration: MongoDB credentials stored in the properties file
Spring Boot Misconfiguration: Overly long session timeout
Spring Boot Misconfiguration: Spring Boot Actuator shutdown endpoint is web exposed
Spring Boot Misconfiguration: Unsafe value for session tracking
Spring Misconfiguration: HTML Escaping disabled
SSL Certificate Is About To Expire
Struts 2 Config Browser plugin enabled
Struts 2 development mode
Struts2 Development Mode Enabled
Subresource Integrity (SRI) Not Implemented
Symfony debug mode enabled (AcuSensor)
Symfony ESI (Edge-Side Includes) enabled
Symfony running in dev mode
Symfony web debug toolbar
The DROWN attack (SSLv2 supported) CVE-2016-0800
The FREAK attack CVE-2015-0204
The Heartbleed Bug CVE-2014-0160
The POODLE attack (SSLv3 with CBC cipher suites) CVE-2014-3566
TLS/SSL certificate key size too small
TLS/SSL LOGJAM attack CVE-2015-4000
TLS/SSL Sweet32 attack CVE-2016-2183 CVE-2016-6329
TLS/SSL Weak Cipher Suites
Tomcat status page
Tornado debug mode
Tornado weak secret key
Trace.axd Detected
TRACE/TRACK Method Detected
TRACK method is enabled
Unauthorized Access to a web app installer
Unchecked GraphQL Query Length: Potential Denial of Service Vulnerability
Unicode Transformation (Best-Fit Mapping)
Unprotected Apache NiFi API interface
Unprotected Kong Gateway Admin API interface
Unprotected phpMyAdmin interface
Unrestricted access to a monitoring system
Unrestricted access to Caddy API interface
Unrestricted access to Haproxy Data Plane API
Unrestricted access to ImageResizer Diagnotics plugin
Unrestricted access to Kong Gateway API
Unrestricted access to Prometheus
Unrestricted access to Prometheus Metrics
Unsafe value for session tracking in WEB-INF/web.xml
Verb tampering via misconfigured security constraint
Version Disclosure (IIS)
ViewState MAC Disabled
Virtual Host locations misconfiguration
Vulnerable project dependencies
W3 total cache debug mode
Weak password
Weak Secret is Used to Sign JWT
Weak WordPress security key
Web2py weak secret key
Webalizer script
Web application default/weak credentials
Web Application Firewall Detected
Web Cache Deception
Web Cache Poisoning
Web Cache Poisoning DoS
Web Cache Poisoning DoS (for javascript)
Web Cache Poisoning DoS through HTTP/2 headers
Web Cache Poisoning through HTTP/2 pseudo-headers
Web Cache Poisoning via Fat GET Request
Web Cache Poisoning via Host Header
Web Cache Poisoning via JSONP and UTM_ parameter
Web Cache Poisoning via POST Request
Web Cache Poisoning via semicolon query separator
WebDAV Directory Has Write Permissions
WebDAV directory listing
WebDAV Enabled
WebDAV remote code execution
WebLogic admin console weak credentials
Webmail weak password
WebPageTest Unauthorized Access Vulnerability
Web server default welcome page
WordPress admin accessible without HTTP authentication
WordPress allows editing theme/plugin files
WordPress configuration file weak file permissions
WordPress default administrator account
WordPress readme.html file
WordPress user registration enabled
Xdebug remote code execution via xdebug.remote_connect_back
XML entity injection
XML external entity injection
XML external entity injection (variant)
XML external entity injection and XML injection
XML External Entity Injection via external file
XML external entity injection via File Upload
Yii2 debug toolkit
Yii2 Gii extension
Yii2 weak secret key
Yii debug mode enabled
Yii running in dev mode
[Possible] AWStats Detected
[Possible] Password Transmitted over Query String