
Vulnerability Index

The StackHawk Vulnerability Index is a reference to the security tests HawkScan runs. Each test has a developer-oriented explanation of the finding and actionable remediation guidance, including code examples, so you can address the vulnerability quickly.

The columns are: ID, the numeric plugin ID HawkScan reports for the finding; Name, the finding title as it appears in scan results; Type, whether the test is Passive (it only inspects requests and responses the scanner already sees and sends no attack traffic) or Active (it sends crafted requests to the target to confirm a weakness); Criticality, the default severity assigned to the finding; and CWE, the Common Weakness Enumeration entry the test maps to. A blank Criticality or CWE cell means the index assigns none for that test, and CWE-0 is a placeholder rather than a MITRE CWE entry.

| ID | Name | Type | Criticality | CWE |
|---|---|---|---|---|
| 0 | Directory Browsing | Active | Medium | CWE-548 |
| 100000 | A Server Error response code was returned by the server | Passive | Medium | |
| 100001 | Unexpected Content-Type was returned | Passive | Medium | |
| 100008 | Information Leak - Credit Card Number | Passive | High | CWE-311 |
| 100009 | Information Leak - Email Address | Passive | Low | CWE-311 |
| 100012 | Information Leak - IBAN | Passive | Low | CWE-200 |
| 10009 | In Page Banner Information Leak | Passive | | CWE-200 |
| 10010 | Cookie No HttpOnly Flag | Passive | | CWE-1004 |
| 10011 | Cookie Without Secure Flag | Passive | | CWE-614 |
| 10015 | Incomplete or No Cache-control and Pragma HTTP Header Set | Passive | | CWE-525 |
| 10016 | Web Browser XSS Protection Not Enabled | Passive | Medium | |
| 10017 | Cross-Domain JavaScript Source File Inclusion | Passive | | CWE-829 |
| 10019 | Content-Type Header Missing | Passive | | CWE-345 |
| 10020 | X-Frame-Options Header Not Set | Passive | | CWE-1021 |
| 10021 | X-Content-Type-Options Header Missing | Passive | | CWE-693 |
| 10023 | Information Disclosure - Debug Error Messages | Passive | | CWE-200 |
| 10024 | Information Disclosure - Sensitive Information in URL | Passive | | |
| 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | Passive | | CWE-200 |
| 10026 | HTTP Parameter Override | Passive | | CWE-20 |
| 10027 | Information Disclosure - Suspicious Comments | Passive | | |
| 10028 | Open Redirect | Passive | | CWE-601 |
| 10029 | Cookie Poisoning | Passive | | CWE-565 |
| 10030 | User Controllable Charset | Passive | | CWE-20 |
| 10031 | User Controllable HTML Element Attribute (Potential XSS) | Passive | | CWE-20 |
| 10032 | Viewstate without MAC Signature (Unsure) | Passive | | |
| 10033 | Directory Browsing - Apache 2 | Passive | | CWE-548 |
| 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | Passive | | CWE-119 |
| 10035 | Strict-Transport-Security Header Not Set | Passive | | CWE-319 |
| 10036 | Server Leaks Version Information via "Server" HTTP Response Header Field | Passive | | CWE-200 |
| 10037 | Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) | Passive | | CWE-200 |
| 10038 | Content Security Policy (CSP) Header Not Set | Passive | | CWE-693 |
| 10039 | X-Backend-Server Header Information Leak | Passive | | CWE-200 |
| 10040 | Secure Pages Include Mixed Content (Including Scripts) | Passive | | CWE-311 |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | Passive | | CWE-319 |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | Passive | | CWE-319 |
| 10043 | User Controllable JavaScript Event (XSS) | Passive | | CWE-20 |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | Passive | | CWE-201 |
| 10045 | Source Code Disclosure - /WEB-INF folder | Active | High | CWE-541 |
| 10047 | HTTPS Content Available via HTTP | Active | Low | CWE-311 |
| 10048 | Remote Code Execution - Shell Shock | Active | High | CWE-78 |
| 10049 | Content Cacheability | Passive | | CWE-524 |
| 10050 | Retrieved from Cache | Passive | | CWE-524 |
| 10051 | Relative Path Confusion | Active | Medium | CWE-20 |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | Passive | | CWE-200 |
| 10053 | Apache Range Header DoS (CVE-2011-3192) | Passive | Medium | |
| 10054 | Cookie Without SameSite Attribute | Passive | | CWE-1275 |
| 10055 | CSP Scanner: Wildcard Directive | Passive | | CWE-693 |
| 10056 | X-Debug-Token Information Leak | Passive | | CWE-200 |
| 10057 | Username Hash Found | Passive | | CWE-284 |
| 10061 | X-AspNet-Version Response Header Scanner | Passive | | CWE-933 |
| 10062 | PII Disclosure | Passive | | CWE-359 |
| 10063 | Permissions Policy Header Not Set | Passive | | CWE-693 |
| 10094 | Base64 Disclosure | Passive | | CWE-200 |
| 10095 | Backup File Disclosure | Active | Medium | CWE-530 |
| 10096 | Timestamp Disclosure - Unix | Passive | | CWE-200 |
| 10097 | Hash Disclosure - Mac OSX salted SHA-1 | Passive | | CWE-200 |
| 10098 | Cross-Domain Misconfiguration | Passive | | CWE-264 |
| 10099 | Source Code Disclosure - SQL | Passive | | CWE-540 |
| 10105 | Weak Authentication Method | Passive | | CWE-326 |
| 10106 | HTTP Only Site | Active | Medium | CWE-311 |
| 10107 | Httpoxy - Proxy Header Misuse | Active | High | CWE-20 |
| 10108 | Reverse Tabnabbing | Passive | | CWE-1022 |
| 10109 | Modern Web Application | Passive | | CWE-0 |
| 10110 | Dangerous JS Functions | Passive | | |
| 10202 | Absence of Anti-CSRF Tokens | Passive | | |
| 2 | Private IP Disclosure | Passive | | CWE-200 |
| 20012 | Anti CSRF Tokens Scanner | Active | Medium | CWE-352 |
| 20015 | Heartbleed OpenSSL Vulnerability | Active | High | CWE-119 |
| 20016 | Cross-Domain Misconfiguration - Adobe - Send | Active | High | CWE-264 |
| 20017 | Source Code Disclosure - CVE-2012-1823 | Active | High | CWE-20 |
| 20018 | Remote Code Execution - CVE-2012-1823 | Active | High | CWE-20 |
| 20019 | External Redirect | Active | High | |
| 3 | Referer Exposes Session ID | Passive | | CWE-200 |
| 30001 | Buffer Overflow | Active | Medium | CWE-120 |
| 30002 | Format String Error | Active | Medium | CWE-134 |
| 30003 | Integer Overflow Error | Active | Medium | CWE-190 |
| 40003 | CRLF Injection | Active | Medium | CWE-113 |
| 40008 | Parameter Tampering | Active | Medium | CWE-472 |
| 40009 | Server Side Include | Active | High | CWE-97 |
| 40012 | Cross Site Scripting (Reflected) | Active | High | CWE-79 |
| 40013 | Session ID Expiry Time/Max-Age is Excessive | Active | High | CWE-384 |
| 40014 | Cross Site Scripting Weakness (Persistent in JSON Response) | Active | High | CWE-79 |
| 40015 | LDAP Injection | Active | High | CWE-90 |
| 40018 | SQL Injection | Active | High | CWE-89 |
| 40019 | SQL Injection - MySQL | Active | High | CWE-89 |
| 40020 | SQL Injection - Hypersonic SQL - Time Based | Active | High | CWE-89 |
| 40021 | SQL Injection - Oracle - Time Based | Active | High | CWE-89 |
| 40022 | SQL Injection - PostgreSQL - Time Based | Active | High | CWE-89 |
| 40024 | SQL Injection - SQLite | Active | High | CWE-89 |
| 40025 | Proxy Disclosure | Active | Medium | CWE-200 |
| 40026 | Cross Site Scripting (DOM Based) | Active | High | CWE-79 |
| 40027 | SQL Injection - MsSQL | Active | High | CWE-89 |
| 40028 | ELMAH Information Leak | Active | Medium | CWE-94 |
| 40029 | Trace.axd Information Leak | Active | Medium | CWE-215 |
| 40031 | Out of Band XSS | Active | High | CWE-79 |
| 40032 | .htaccess Information Leak | Active | Medium | CWE-94 |
| 40033 | NoSQL Injection - MongoDB | Active | High | CWE-943 |
| 40034 | .env Information Leak | Active | Medium | CWE-215 |
| 40035 | Hidden File Found | Active | Medium | CWE-538 |
| 40038 | Bypassing 403 | Active | Medium | CWE-0 |
| 40039 | Web Cache Deception | Active | Medium | CWE-0 |
| 40040 | CORS Misconfiguration | Active | Medium | CWE-942 |
| 40042 | Spring Actuator Information Leak | Active | Medium | CWE-215 |
| 40043 | Log4Shell (CVE-2021-44228) | Active | High | CWE-117 |
| 40044 | Exponential Entity Expansion (Billion Laughs Attack) | Active | Medium | CWE-776 |
| 40045 | Spring4Shell | Active | High | CWE-78 |
| 40046 | Server Side Request Forgery | Active | High | CWE-918 |
| 40049 | LLM Injection | Active | High | CWE-943 |
| 40050 | API Broken Authorization | Active | High | CWE-285 |
| 40051 | API Broken Function Level Authorization | Active | High | CWE-285 |
| 40052 | API Lack of Rate Limiting | Active | Medium | CWE-770 |
| 40053 | API Broken Authentication | Active | High | CWE-287 |
| 40054 | API Broken Object Property Level Authorization | Active | High | CWE-639 |
| 40055 | API Enhanced Broken Object Level Authorization | Active | High | CWE-639 |
| 40056 | API Active IDOR Validation | Active | High | CWE-639 |
| 40057 | API Unrestricted Resource Consumption | Active | Medium | CWE-770 |
| 40058 | React2Shell Remote Code Execution (CVE-2025-55182) | Active | High | CWE-502 |
| 40099 | GraphQL Circular Reference | Active | High | CWE-400 |
| 40100 | GraphQL Deep Recursion Query Attack | Active | High | CWE-400 |
| 40101 | GraphQL Interface Exploit | Active | High | CWE-863 |
| 41 | Source Code Disclosure - Git | Active | High | CWE-541 |
| 42 | Source Code Disclosure - SVN | Active | Medium | CWE-541 |
| 421001 | Possible Insecure Direct Object References (IDOR) | Passive | High | CWE-639 |
| 421004 | Potential Broken Object Property Level Authorization (BOPLA) | Passive | High | CWE-213 |
| 422000 | Improper Access | Active | High | CWE-0 |
| 422001 | Possible Broken Object-Level Authorization (BOLA) | Passive | High | CWE-639 |
| 422002 | Tenancy Check | Active | High | CWE-0 |
| 422003 | Possible Broken Function Level Authorization | Active | High | CWE-0 |
| 43 | Source Code Disclosure - File Inclusion | Active | High | CWE-541 |
| 500001 | Weak Cipher Detection | Passive | High | CWE-326 |
| 50001 | Email address found | Passive | | CWE-0 |
| 6 | Path Traversal | Active | High | CWE-22 |
| 7 | Remote File Inclusion | Active | High | CWE-98 |
| 90001 | Insecure JSF ViewState | Passive | | CWE-642 |
| 90002 | Java Serialization Object | Passive | | |
| 90003 | Sub Resource Integrity Attribute Missing | Passive | | CWE-345 |
| 90004 | Insufficient Site Isolation Against Spectre Vulnerability | Passive | | |
| 90011 | Charset Mismatch | Passive | | CWE-436 |
| 90017 | XSLT Injection | Active | Medium | CWE-91 |
| 90019 | Server Side Code Injection - ASP Code Injection | Active | High | CWE-94 |
| 90020 | Remote OS Command Injection | Active | High | CWE-78 |
| 90021 | XPath Injection | Active | High | CWE-643 |
| 90022 | Application Error Disclosure | Passive | | CWE-200 |
| 90023 | XML External Entity Attack | Active | High | CWE-611 |
| 90024 | Generic Padding Oracle | Active | High | |
| 90025 | Expression Language Injection | Active | High | CWE-917 |
| 90026 | SOAP Action Spoofing | Active | High | CWE-0 |
| 90028 | Insecure HTTP Method | Active | Medium | CWE-200 |
| 90029 | SOAP XML Injection | Active | High | |
| 90030 | WSDL File Discovery | Passive | | CWE-0 |
| 90033 | Loosely Scoped Cookie | Passive | | CWE-565 |
| 90034 | Cloud Metadata Potentially Exposed | Active | High | |
| 90035 | Server Side Template Injection | Active | High | CWE-94 |
| 90036 | Server Side Template Injection (Blind) | Active | High | CWE-74 |
| 90037 | Remote OS Command Injection - Timing Based | Active | High | CWE-78 |
| 90050 | GraphQL Introspection Endpoint Enabled | Passive | Low | CWE-200 |
| 90051 | GraphQL Endpoint Detected | Passive | Low | CWE-200 |
| 90052 | GraphQL Batch Query Supported | Active | High | CWE-0 |
| 90053 | GraphQL Deep Recursion Query Attack | Active | High | CWE-400 |
| 90054 | GraphQL Introspection Exploit | Active | Medium | CWE-200 |
| 90055 | GraphQL Field Suggestions Exploit | Active | Low | CWE-400 |
| 90056 | GraphQL Interface Protection Bypass | Active | High | CWE-639 |
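A Passive test needs nothing beyond the response the scanner already has. The following added example (it is not HawkScan or StackHawk code) shows what that means in practice: it parses one captured HTTP/1.1 response and reports which of the header and cookie findings in the index (10010, 10011, 10019, 10020, 10021, 10035, 10036, 10037, 10038, 10054, 10063) would apply. The matching rules are a simplified approximation of a passive scanner's, not the scanner's own, and both sample responses are constructed for the example; the second carries the headers and cookie attributes that clear every check, so it doubles as the remediation target.

```python
"""Added example (not HawkScan/StackHawk code): a minimal passive check over
one captured HTTP/1.1 response, reporting which header- and cookie-related
finding IDs from the Vulnerability Index would apply. The matching rules are
a simplified approximation of a passive scanner's, not the real ones."""
from typing import Dict, List, Set, Tuple

# Constructed sample: a default-configured response (not from a real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "X-Powered-By: PHP/8.2.1\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed sample: the same response with every checked header in place.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Permissions-Policy: geolocation=()\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers whose absence maps directly to one index entry.
REQUIRED_HEADERS = {
    "x-frame-options": (10020, "X-Frame-Options Header Not Set"),
    "x-content-type-options": (10021, "X-Content-Type-Options Header Missing"),
    "content-security-policy": (10038, "Content Security Policy (CSP) Header Not Set"),
    "permissions-policy": (10063, "Permissions Policy Header Not Set"),
}


def parse_response(raw: str) -> Tuple[Dict[str, List[str]], str]:
    """Split a raw HTTP/1.1 response into (header multimap, body).
    Names are lower-cased; repeated headers such as Set-Cookie keep their order."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def cookie_flags(set_cookie: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def passive_checks(raw: str, over_https: bool = True) -> List[Tuple[int, str]]:
    """Return (index ID, detail) pairs for the findings this response would raise."""
    headers, body = parse_response(raw)
    findings: List[Tuple[int, str]] = []
    for header, (fid, title) in REQUIRED_HEADERS.items():
        if header not in headers:
            findings.append((fid, title))
    if over_https and "strict-transport-security" not in headers:
        findings.append((10035, "Strict-Transport-Security Header Not Set"))
    if body and "content-type" not in headers:
        findings.append((10019, "Content-Type Header Missing"))
    # Approximation: Server is reported only when it carries a version number,
    # X-Powered-By whenever it is present at all.
    for value in headers.get("server", []):
        if any(ch.isdigit() for ch in value):
            findings.append((10036, f"Server header leaks version: {value}"))
    for value in headers.get("x-powered-by", []):
        findings.append((10037, f"X-Powered-By header present: {value}"))
    for set_cookie in headers.get("set-cookie", []):
        name, attrs = cookie_flags(set_cookie)
        if "httponly" not in attrs:
            findings.append((10010, f"Cookie No HttpOnly Flag: {name}"))
        if "secure" not in attrs:
            findings.append((10011, f"Cookie Without Secure Flag: {name}"))
        if "samesite" not in attrs:
            findings.append((10054, f"Cookie Without SameSite Attribute: {name}"))
    return findings


if __name__ == "__main__":
    for label, resp in (("default", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        results = passive_checks(resp)
        print(f"== {label}: {len(results)} finding(s)")
        for fid, detail in results:
            print(f"  {fid}  {detail}")
```

Run against the first sample the check reports nine findings (four missing headers plus HSTS, the two version-leaking headers, and three cookie-attribute findings for the session cookie, none for the already-hardened theme cookie); against the second it reports none. Pass over_https=False when the response was served over plain HTTP, since the Strict-Transport-Security finding only applies to HTTPS responses. An Active test such as SQL Injection (40018) cannot be written this way: it has to send its own crafted requests and compare what comes back.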
