Vulnerability Name CVE Severity
.htaccess file readable
Access-Control-Allow-Origin header with wildcard (*) value
Adobe ColdFusion 9 administrative login bypass CVE-2013-0625 CVE-2013-0629 CVE-2013-0631 CVE-2013-0632
Adobe Experience Manager Information Disclosure via Apache Sling v2.3.6 vulnerability CVE-2016-0956
Adobe Experience Manager Misconfiguration CVE-2016-0957
Apache Axis2 administration console weak password
Apache Cassandra Unauthorized Access Vulnerability
Apache configured to run as proxy
Apache Geronimo default administrative credentials
Apache JServ protocol service
Apache Kafka Unauthorized Access Vulnerability
Apache mod_negotiation filename bruteforcing
Apache perl-status enabled
Apache Proxy HTTP CONNECT method enabled
Apache REST RCE CVE-2018-11770
Apache Roller OGNL injection CVE-2013-4212
Apache server-info enabled
Apache server-status enabled
Apache Solr endpoint
Apache Solr service exposed
Apache Spark Master Unauthorized Access Vulnerability
Apache Spark Web UI Unauthorized Access Vulnerability
Apache stronghold-info enabled
Apache stronghold-status enabled
Apache Tapestry weak secret key
Apache Tomcat examples directory vulnerabilities
Apache Tomcat insecure default administrative password
Apache Tomcat version older than 6.0.35 CVE-2011-3190 CVE-2011-3375 CVE-2012-0022
Apache Tomcat version older than 6.0.36 CVE-2012-2733 CVE-2012-3439 CVE-2012-3546 CVE-2012-4431 CVE-2012-4534
Apache Tomcat version older than 7.0.21 CVE-2011-3190
Apache Tomcat version older than 7.0.23 CVE-2012-0022
Apache Tomcat version older than 7.0.28 CVE-2012-2733 CVE-2012-4534
Apache Tomcat version older than 7.0.30 CVE-2012-3439 CVE-2012-3544 CVE-2012-3546
Apache Tomcat version older than 7.0.32 CVE-2012-4431
Apache ZooKeeper Unauthorized Access Vulnerability
ASP.NET application-level tracing enabled
ASP.NET application trace enabled
ASP.NET ASPX debugging enabled
ASP.NET connection strings stored in plaintext
ASP.NET cookieless authentication enabled
ASP.NET Cookieless session state enabled
ASP.NET cookies accessible from client-side scripts
ASP.NET custom errors disabled
ASP.NET debugging enabled
ASP.NET Deny missing from authorization rule on location
ASP.NET diagnostic page
ASP.NET EnableViewStateMac turned off
ASP.NET error message
ASP.NET event validation disabled
ASP.NET expired session IDs are not regenerated
ASP.NET failure to require SSL for authentication cookies
ASP.NET forms authentication using inadequate protection
ASP.NET header checking is disabled in web.config
ASP.NET login credentials stored in plain text
ASP.NET potential HTTP Verb Tampering
ASP.NET ValidateRequest globally disabled
ASP.NET viewstate encryption disabled
ASP.NET ViewStateUserKey not set
ASP.NET WCF metadata enabled for behavior
ASP.NET WCF replay attacks are not detected
ASP.NET WCF service include exception details
AWStats script
Axis development mode enabled in WEB-INF/server-config.wsdd
Axis system configuration listing enabled in WEB-INF/server-config.wsdd
BottlePy weak secret key
Broken Link Hijacking
Chrome Logger information disclosure
CodeIgniter development mode enabled
CodeIgniter session decoding vulnerability
CodeIgniter weak encryption key
ColdFusion administrator login page publicly available
ColdFusion RDS Service enabled
Content Security Policy (CSP) not implemented
Content Security Policy Misconfiguration
Content type is not specified
Cookie signed with weak secret key
Cookies with missing, inconsistent or contradictory properties
Cookies without HttpOnly flag set
Cookies without Secure flag set
Cookies with Secure flag set over insecure connection
Core dump file
CouchDB REST API publicly accessible
CRIME SSL/TLS attack CVE-2012-4929
Custom error pages are not configured
Devise weak password
Directory listings
Django Debug Toolbar
Django weak secret key
Docker Engine API is accessible without authentication
Docker Registry API is accessible without authentication
Drupal configuration file weak file permissions
Drupal trusted_host_patterns setting not configured
Elasticsearch service accessible
elmah.axd information disclosure
Error page path disclosure
Error page web server version disclosure
Express cookie-session weak secret key
Express express-session weak secret key
Express running in development mode
File uploads
Firebase database accessible without authentication
Flask weak secret key
Frontpage authors.pwd available
Frontpage extensions enabled
GlassFish admin console weak credentials
Grails database console
GraphiQL Explorer/Playground Enabled
GraphQL Alias Overloading Allowed: Potential Denial of Service Vulnerability
GraphQL Array-based Query Batching Allowed: Potential Batching Attack Vulnerability
GraphQL Circular-Query via Introspection Allowed: Potential DoS Vulnerability
GraphQL Field Suggestions Enabled
GraphQL Introspection Query Enabled
GraphQL Non-JSON Mutations over GET: Potential CSRF Vulnerability
GraphQL Non-JSON Queries over GET: Potential CSRF Vulnerability
GraphQL Unhandled Error Leakage
H2 console publicly accessible
Hadoop cluster web interface
Hadoop YARN ResourceManager publicly accessible
Hostile subdomain takeover
HTTP header reflected in cached response
Httpoxy vulnerability
HTTP verb tampering
HTTP verb tampering via POST
IBM WebSphere administration console weak password
IIS extended unicode directory traversal vulnerability CVE-2000-0884
Internet Information Server returns IP address in HTTP header (Content-Location)
JAAS authentication bypass
Java Debug Wire Protocol remote code execution
Java Management Extensions (JMX/RMI) service detected
JavaMelody publicly accessible
JBoss BSHDeployer MBean
JBoss HttpAdaptor JMXInvokerServlet
JBoss JMX Console Unrestricted Access
JBoss JMX management console
JBoss ServerInfo MBean CVE-2010-0738
JBoss Server MBean
JBoss Web Console JMX Invoker
Jenkins weak password
Jetpack 2.9.3: Critical Security Update CVE-2014-0173
JIRA Security Advisory 2013-02-21
Joomla! 3.2.1 SQL injection
Joomla! Core Security Bypass CVE-2017-11364
Joomla 1.5 end of life
JSF ViewState client side storage
Jupyter Notebook publicly accessible
JWT none algorithm
JWT weak secret key
Laravel debug mode enabled (AcuSensor)
Magento Cacheleak
MediaWiki remote code execution CVE-2014-1610
Memcached Unauthorized Access Vulnerability
Microsoft Frontpage configuration information
Microsoft IIS5 NTLM and Basic authentication bypass CVE-2007-2815
Microsoft IIS WebDAV authentication bypass CVE-2009-1535
Mojolicious weak secret key
MovableType remote code execution CVE-2015-1592
Multiple vulnerabilities fixed in PHP versions 5.5.12 and 5.4.28 CVE-2014-0185
Multiple vulnerabilities in Ioncube loader-wizard.php
MySQL utf8 4-byte truncation
Nginx PHP code execution via FastCGI
nginx SPDY heap buffer overflow CVE-2014-0133
Node.js Web Application does not handle uncaughtException
Node.js Web Application does not handle unhandledRejection
OData feed accessible anonymously
Oracle applications logs publicly available
Oracle PeopleSoft SSO weak secret key
OSGi Management Console Default Credentials
Overly long session timeout in servlet configuration
Padding oracle attack
Permissions-Policy header not implemented
PHP allow_url_fopen enabled
PHP allow_url_include enabled
PHP enable_dl enabled
PHP errors enabled
PHP magic_quotes_gpc is disabled
PHP open_basedir is not set
PHP register_globals enabled
PHP session.use_only_cookies disabled
PHP session.use_trans_sid enabled
Pyramid debug mode
Rails application running in development mode
Reachable SharePoint interface
Redis Unauthorized Access Vulnerability
RethinkDB administrative interface publicly exposed
Reverse proxy detected
Roundcube security updates 0.8.6 and 0.7.3 CVE-2013-1904
Ruby framework weak secret key
Ruby on Rails database configuration file
Ruby on Rails weak/known secret token CVE-2013-0156
Same site scripting
SAP ICF /sap/public/info sensitive information disclosure
SAP Knowledge Management and Collaboration (KMC) incorrect permissions
SAP Management Console get user list
SAP Management Console list logfiles
SAP NetWeaver Java AS WD_CHAT information disclosure vulnerability
SAP NetWeaver server info information disclosure
SAP NetWeaver server info information disclosure BCB
SAP weak/predictable user credentials
Session cookies scoped to parent domain
SharePoint exposed web services
SharePoint user enumeration
Spring Boot Actuator
Spring Boot Actuator v2
Spring Boot Misconfiguration: Actuator endpoint security disabled
Spring Boot Misconfiguration: Admin MBean enabled
Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed
Spring Boot Misconfiguration: Datasource credentials stored in the properties file
Spring Boot Misconfiguration: Developer tools enabled on production
Spring Boot Misconfiguration: H2 console enabled
Spring Boot Misconfiguration: MongoDB credentials stored in the properties file
Spring Boot Misconfiguration: Overly long session timeout
Spring Boot Misconfiguration: Spring Boot Actuator shutdown endpoint is web exposed
Spring Boot Misconfiguration: Unsafe value for session tracking
Spring Misconfiguration: HTML Escaping disabled
SSL 2.0 deprecated protocol
SSL 3.0 deprecated protocol
Struts 2 Config Browser plugin enabled
Struts 2 development mode
Struts 2 development mode enabled
Subresource Integrity (SRI) not implemented
Symfony debug mode enabled (AcuSensor)
Symfony ESI (Edge-Side Includes) enabled
Symfony running in dev mode
Symfony web debug toolbar
The DROWN attack (SSLv2 supported) CVE-2016-0800
The FREAK attack CVE-2015-0204
The Heartbleed Bug CVE-2014-0160
The POODLE attack (SSLv3 with CBC cipher suites) CVE-2014-3566
TLS/SSL (EC)DHE Key Reuse
TLS/SSL certificate about to expire
TLS/SSL certificate invalid date
TLS/SSL certificate key size too small
TLS/SSL LOGJAM attack CVE-2015-4000
TLS/SSL Sweet32 attack CVE-2016-2183 CVE-2016-6329
TLS/SSL Weak Cipher Suites
TLS 1.0 enabled
TLS 1.1 enabled
Tomcat status page
Tornado debug mode
Tornado weak secret key
TRACE method is enabled
TRACK method is enabled
Unicode transformation issues
Unprotected phpMyAdmin interface
Unsafe value for session tracking in servlet configuration
Verb tampering via misconfigured security constraint
Vulnerable project dependencies
W3 total cache debug mode
Weak password
Weak WordPress security key
Web2py weak secret key
Webalizer script
Web application default/weak credentials
Web Application Firewall detected
Web Cache Deception
Web Cache Poisoning
Web Cache Poisoning via Fat GET Request
Web Cache Poisoning via Host Header
Web Cache Poisoning via JSONP and UTM_ parameter
Web Cache Poisoning via POST Request
Web Cache Poisoning via semicolon query separator
WebDAV directory listing
WebDAV Directory with write permissions
WebDAV enabled
WebDAV remote code execution
WebLogic admin console weak credentials
Webmail weak password
Web server default welcome page
WordPress admin accessible without HTTP authentication
WordPress allows editing theme/plugin files
WordPress configuration file weak file permissions
WordPress default administrator account
WordPress readme.html file
WordPress user registration enabled
Xdebug remote code execution via xdebug.remote_connect_back
XML entity injection
XML external entity injection
XML external entity injection (variant)
XML external entity injection and XML injection
XML external entity injection via external file
XML external entity injection via File Upload
Yii2 debug toolkit
Yii2 Gii extension
Yii2 weak secret key
Yii debug mode enabled
Yii running in dev mode