Vulnerability Types

A code injection technique that exploits vulnerabilities in an application's software by inserting malicious SQL statements into an entry field for execution.

A vulnerability that allows attackers to inject malicious scripts into webpages viewed by other users. These scripts can steal cookies, session tokens, or other sensitive information.

An attack that involves injecting malicious inputs into prompts, often targeting AI and natural language processing systems to manipulate or exploit the intended behavior.

A vulnerability where a program writes more data to a buffer than it can hold, causing data to overflow into adjacent memory, potentially allowing attackers to execute arbitrary code.

An attack that tricks a user into performing actions on a web application without their knowledge, by exploiting the user's authenticated session.

A vulnerability that allows attackers to compromise passwords, keys, or session tokens, or exploit other flaws to assume other users' identities.

A vulnerability where an application provides direct access to objects based on user-supplied input, leading to unauthorized access if not properly controlled.

A vulnerability arising from improperly configured security settings, leaving the application or infrastructure open to various attacks.

A vulnerability where sensitive data such as passwords, credit card numbers, or personal information is not properly protected, leading to potential leaks.

A vulnerability where an application redirects or forwards users to other pages and websites without proper validation, potentially leading to phishing attacks.

A vulnerability that allows attackers to execute arbitrary code on a remote machine, often leading to full system compromise.

An attack that exploits vulnerabilities in file system access controls by manipulating file paths to access files and directories outside the intended directory.

Vulnerabilities that are exploited before the software vendor has released a patch or become aware of the flaw, leaving systems defenseless.

An attack where the attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other.

An attack that aims to make a system or network resource unavailable to its intended users by overwhelming it with a flood of illegitimate requests.

A DoS attack executed from multiple computers or devices distributed across various locations, making it more difficult to stop.

A technique where an attacker tricks a user into clicking on something different from what the user perceives, potentially revealing confidential information or taking control of their computer.

A vulnerability that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser, potentially leading to data exfiltration, denial of service, or other attacks.

An attack where an attacker tricks a web application into including files on the web server, potentially allowing the attacker to execute arbitrary code.

Similar to LFI, but the attacker can include files from a remote server, often leading to remote code execution or data theft.