CVE-2021-44228: Graylog Remote Code Execution [10.0 / Critical]
CVE-2021-3129: Laravel Ignition Remote Code Execution [9.3 / Critical]
CVE-2020-8813: Cacti "graph_realtime.php" Remote Code Execution [9.2 / Critical]
CVE-2020-10770: Keycloak 12.0.1 "request_uri" Blind Server-Side Request Forgery [6.9 / Medium]
CVE-2019-6340: Drupal REST Remote Code Execution [9.2 / Critical]
CVE-2019-1003029: Jenkins Script Security Plugin Remote Code Execution [9.4 / Critical]
CVE-2018-8947: Laravel Log Viewer Local File Disclosure [8.8 / High]
CVE-2018-7600: Drupal Core Forms API Remote Code Execution [9.3 / Critical]
CVE-2018-7318: Joomla! com_checklist SQL Injection [9.3 / Critical]
CVE-2018-7315: Joomla com_ekrishta SQL Injection [9.3 / Critical]
CVE-2018-7312: Joomla Alexandria Book Library com_abook "letter" SQL Injection [9.3 / Critical]
CVE-2018-3604: Trend Micro Control Manager sCloudService Remote Code Execution [8.7 / High]
CVE-2018-2699: Oracle Application Express Flash XSS [6.3 / Medium]
CVE-2018-20555: WordPress Social-Network-Tabs Secret Disclosure [6.9 / Medium]
CVE-2018-19972: Enghouse Trio Enterprise Command Injection [9.3 / Critical]
CVE-2018-17254: Joomla! JCK Editor SQL Injection [9.3 / Critical]
CVE-2018-1673: IBM WebSphere Portal Reflected XSS [6.3 / Medium]
CVE-2018-15531: JavaMelody XML External Entity (XXE) Processing [9.3 / Critical]
CVE-2018-14912: cgit Directory Traversal [8.7 / High]
CVE-2018-1271: Spring MVC Framework Local File Inclusion [8.2 / High]
CVE-2018-12596: Ektron CMS 9.20 SP2 Authentication Bypass [9.3 / Critical]
CVE-2018-10068: Joomla jDownloads Flash XSS [5.3 / Medium]
CVE-2018-1000861: Jenkins Groovy Remote Code Execution [9.3 / Critical]
CVE-2018-1000130: Jolokia Agent JNDI Code Injection [9.2 / Critical]
CVE-2018-0296: Cisco ASA Directory Traversal [8.7 / High]
CVE-2017-18638: Graphite Server-Side Request Forgery [8.7 / High]
CVE-2017-17762: Episerver 7 Blog Module XML External Entity Injection [8.7 / High]
CVE-2017-12629: Apache Solr Remote Code Execution [9.3 / Critical]
CVE-2017-12149: JBoss Deserialization Remote Code Execution [0.0 / Information]
CVE-2015-2080: Eclipse Jetty JetLeak Information Disclosure [8.7 / High]
CVE-2015-1164: Node.js serve-static (<1.7.2) Open Redirect [6.9 / Medium]
CVE-2015-0931: Ektron CMS XSLT Parser Remote Code Execution [6.3 / Medium]
CVE-2013-6837: jQuery PrettyPhoto DOM Cross-Site Scripting [5.1 / Medium]
CVE-2013-1971: Drupal MP3 Player Module Reflected XSS [5.3 / Medium]
CVE-2013-1966: Apache Struts "includeParams" Remote Code Execution [9.2 / Critical]
CVE-2011-4969: jQuery "location.hash" DOM XSS [6.3 / Medium]
CVE-2010-2861: Adobe ColdFusion Server Path Traversal [8.7 / High]
ACME / Let's Encrypt Internet Explorer Reflected XSS [7.0 / High]
ACME / Let's Encrypt Reflected XSS [7.8 / High]
ACME Challenge Open Redirect Allowing Certificate Issuance [8.7 / High]
ASP-Nuke Open Redirect [6.9 / Medium]
ASP.NET Cookieless Session Referer Leakage [7.7 / High]
Adobe ColdFusion Source Code Disclosure [6.9 / Medium]
Adobe ColdFusion Stack Trace Disclosure [6.9 / Medium]
Adobe Dreamweaver dwsync.xml Information Disclosure [6.9 / Medium]
Apache Axis2 Happiness Page Exposure [6.9 / Medium]
Apache CouchDB Exposure [2.7 / Low]
Apache CouchDB Fauxton Exposure [2.7 / Low]
Apache Drill Exposure [6.9 / Medium]
Apache Struts Debug Mode OGNL Injection [9.2 / Critical]
Apache Tomcat Documentation Exposure [0.0 / Information]
Apache Tomcat JSP Examples Exposure [0.0 / Information]
Apache Tomcat Servlet Examples Exposure [0.0 / Information]
Atlassian Confluence App "EasyMind" XXE [9.3 / Critical]
Atlassian Confluence Dashboard XSS [6.3 / Medium]
Atlassian Confluence mugshot-gallery Macro Username Enumeration [6.9 / Medium]
Bash History Exposure [6.9 / Medium]
Bitrix Log File Disclosure [6.9 / Medium]
Blocked by Fortinet IPS [0.0 / Information]
Blocked by Microsoft Forefront TMG [0.0 / Information]
Blocked by Microsoft UrlScan [0.0 / Information]
Blocked by NinjaFirewall [0.0 / Information]
Blocked by THC-Servers Firewall [0.0 / Information]
Blocked by Wordfence WAF/IPS [0.0 / Information]
Bower Configuration File Exposure [2.7 / Low]
CGI testcgi.exe XSS [6.3 / Medium]
CKfinder 3 File Browser Disclosure [6.9 / Medium]
CVS Entries Exposure [6.9 / Medium]
Citrix XenMobile XXE [6.9 / Medium]
Cockpit SSRF [6.9 / Medium]
Composr CMS Plupload Flash XSS [0.0 / Information]
ConcertoPro Webshop XSS [5.3 / Medium]
Content-Security-Policy Bypass via AdRoll [0.5 / Low]
Content-Security-Policy Bypass via Google Accounts [0.5 / Low]
Content-Security-Policy Bypass via Google Ads [0.5 / Low]
Content-Security-Policy Bypass via Google Analytics [0.5 / Low]
Content-Security-Policy Bypass via Mixpanel [0.5 / Low]
Core Dump Checker Exposure [6.9 / Medium]
CruiseControl CI Open Access [6.9 / Medium]
DistansData E-Commerce SQL Injection [9.3 / Critical]
Django Admin Panel Exposure [6.9 / Medium]
Drupal Open Redirect [6.1 / Medium]
Drupal Username Enumeration via Autocomplete [6.9 / Medium]
Drupal print Module RCE [9.3 / Critical]
Easy Gateway RCE [9.3 / Critical]
EdgeCast CDN Flash XSS [0.0 / Information]
Ektron CMS Blogs XXE [9.2 / Critical]
Ektron CMS Database Disclosure [6.9 / Medium]
Ektron CMS SearchService XXE [9.2 / Critical]
Environment Variable Disclosure [6.9 / Medium]
Environment Variables Disclosure [6.9 / Medium]
Episerver Logout CSRF [4.8 / Medium]
FileMaker WebDirect Exposure [7.7 / High]
FinalBuilder Stack Trace Disclosure [6.9 / Medium]
Flash Cross-Domain Policy Unrestricted Access [0.0 / Information]
Flash Cross-Domain Policy Wildcard Access [0.0 / Information]
Ganglia Open Redirect [5.1 / Medium]
Git HEAD File Exposure [2.4 / Low]
Git Ignore File Exposure [2.4 / Low]
GitHub Button DOM XSS [5.1 / Medium]
Golang Godeps.json Disclosure [6.9 / Medium]
HashiCorp Consul Exposure [7.9 / High]
HubSpot Full Path Disclosure [6.9 / Medium]
HubSpot Open Redirect [5.3 / Medium]
Hyperseek Reflected XSS [6.3 / Medium]
IBM WebSphere Path Traversal & Source Code Disclosure [8.7 / High]
Indico Information Exposure [6.9 / Medium]
InterMapper Network Topography Exposure [6.9 / Medium]
JBoss Console [0.0 / Information]
Jaeger UI Exposure [6.9 / Medium]
Jamf Server-Side Request Forgery [8.7 / High]
Java Exception Stack Trace Disclosure [6.9 / Medium]
Java Information Exposure [6.9 / Medium]
Java Source Code Disclosure [6.9 / Medium]
JetBrains IntelliJ DataSources Configuration Exposure [6.9 / Medium]
JobPortals Reflected XSS [5.1 / Medium]
Joomla! com_advertisementboard SQL Injection [9.3 / Critical]
Joomla! com_ekrishta SQL Injection [9.3 / Critical]
Joomla! com_extrasearch SQL Injection [9.3 / Critical]
Joomla! com_filecabinet SQL Injection [9.3 / Critical]
Joomla! com_frontpage SQL Injection [9.3 / Critical]
Joomla! com_jcart SQL Injection [9.3 / Critical]
Joomla! com_jdownloads SQL Injection [9.3 / Critical]
Joomla! jcruiseportal SQL Injection [9.3 / Critical]
Kubernetes Console Exposure [6.9 / Medium]
Less History File Exposure [6.9 / Medium]
Microsoft Thumbs.db Exposure [6.9 / Medium]
Microsoft Windows Server 2003 End of Life [4.8 / Medium]
OPcache Status Exposure [6.9 / Medium]
Oracle Forms XSS [6.3 / Medium]
Robots Exclusion Policy (robots.txt) [0.0 / Information]
SAP B2B / B2C CRM Local File Inclusion [6.9 / Medium]
Security Contact Policy (security.txt) [0.0 / Information]
Selenium Grid Console Exposure [6.9 / Medium]
Silverlight Client Access Policy Unrestricted Access [0.0 / Information]
Silverlight Client Access Policy Wildcard Access [0.0 / Information]
SnoopServlet Exposure [6.9 / Medium]
Tor Hidden Service Hostname Exposure [6.9 / Medium]
Tor Hidden Service Private Key Exposure [8.7 / High]
Traefik TLS Private Key Disclosure [8.7 / High]
Unauthenticated Apache Solr Admin API [9.3 / Critical]
WGET HSTS List Exposure [6.9 / Medium]
WS-FTP Log-File Exposure [6.9 / Medium]
Web App Manifest [0.0 / Information]
Web Credits File (humans.txt) [0.0 / Information]
WordPress Plugin "Multi Device Switcher" (multi-device-switcher) Open Redirect [5.1 / Medium]
WordPress Plugin "Newsletter / Send awesome emails from WordPress" (newsletter) Log Disclosure [0.0 / Information]
WordPress Plugin "Shortcode Generator" (shortcode-generator) Arbitrary PHP Code Execution [9.3 / Critical]
WordPress Plugin "Translate WordPress with GTranslate" (gtranslate) Open Redirect [5.1 / Medium]
WordPress Plugin "Video Gallery" (video gallery) SQL Injection [0.0 / Information]
WordPress Plugin "WP Hide & Security Enhancer" (wp-hide-security-enhancer) Information Exposure [0.0 / Information]
WordPress Plugin "Wordfence Security / Firewall, Malware Scan, and Login Security" (wordfence) Configuration File Disclosure (.user.ini) [6.9 / Medium]
WordPress Theme functions.php Full Path Disclosure [6.9 / Medium]
WordPress wpml SQL Injection [9.3 / Critical]
eXist-DB eXide Editor Exposure [6.9 / Medium]
eZ Publish / eZ Find Spell Checker Reflected XSS [5.1 / Medium]
httpbin Reflected XSS [6.9 / Medium]
jQuery 3rd Party CORS Request Execution [2.1 / Low]
jQuery Migrate Selector Degradation [2.1 / Low]
jQuery Migrate Selector Injection [2.1 / Low]
jQuery Migrate XSS [5.1 / Medium]
jQuery Mobile DOM XSS (Unpatched) [5.1 / Medium]
jQuery Mobile DOM XSS [5.1 / Medium]
jQuery Selector Injection [2.1 / Low]
jQuery prettyPhoto Selector Injection [5.1 / Medium]
jQuery prettyPhoto XSS [5.1 / Medium]
jQuery-File-Upload File Disclosure [6.9 / Medium]
myDBR Cross-Site Scripting [7.8 / High]
CVE-2025-53833: LaRecipe Remote Code Execution [8.9 / High]
CVE-2025-48954: Discourse OAuth Social Login Cross-Site Scripting [5.5 / Medium]
CVE-2025-44137: MapTiler Tileserver-php Path Traversal [8.7 / High]
CVE-2025-31137: Remix/React Router Express Adapter Cache Poisoning [8.7 / High]
CVE-2025-30220: GeoServer WFS XXE [9.3 / Critical]
CVE-2024-49357: ZimaOS Sensitive Information Disclosure [6.9 / Medium]
CVE-2024-41730: SAP BusinessObjects Business Intelligence Platform Authentication Bypass [9.3 / Critical]
CVE-2024-38819: Spring Path traversal vulnerability in functional web frameworks [8.7 / High]
CVE-2024-38816: Spring "WebMvc.fn/WebFlux.fn" Path Traversal [8.7 / High]
CVE-2024-32870: Combodo iTop Hub Connector Information Disclosure [7.7 / High]
CVE-2024-22319: IBM Operational Decision Manager Remote Code Execution [9.3 / Critical]
CVE-2024-21644: PyLoad "Flask Config" Access Control [8.7 / High]
CVE-2024-1208: WordPress Plugin "LearnDash LMS" Sensitive Information Exposure [6.9 / Medium]
CVE-2024-0672: WordPress Plugin "Pz-LinkCard" (pz-linkcard) < 2.5.3 Reflected XSS in Link Preview Parameters [2.1 / Low]
CVE-2023-35159: XWiki ">=3.4-milestone-1" Cross-Site Scripting [6.3 / Medium]
CVE-2023-20887: VMware Aria Operations For Networks Remote Code Execution [9.3 / Critical]
CVE-2022-24990: TerraMaster TOS Remote Code Execution [8.7 / High]
CVE-2022-22536: SAP Multiple Products Content Server HTTP Request Smuggling [9.3 / Critical]
CVE-2021-44228: Apache Log4j2 Remote Code Execution [10.0 / Critical]
CVE-2021-42567: Apereo CAS REST API XSS [6.3 / Medium]
CVE-2021-33766: Microsoft Exchange Server Authentication Bypass [8.7 / High]
CVE-2021-24891: WordPress Plugin "Elementor Website Builder / More Than Just a Page Builder" (elementor) < 3.1.4 DOM Cross-Site Scripting [7.1 / High]
CVE-2021-24839: WordPress Plugin "SupportCandy / Helpdesk & Customer Support Ticket System" (supportcandy) Insufficient Authorization Allows Arbitrary Ticket Deletion [8.7 / High]
CVE-2021-22942: Open Redirect in RubyGems Action Pack [6.1 / Medium]
CVE-2021-20660: SolarView Compact XSS [5.1 / Medium]
CVE-2020-9039: Couchbase Server Unauthenticated Projector and Indexer REST endpoints [9.3 / Critical]
CVE-2020-8209: Citrix XenMobile Server Local File Inclusion [8.7 / High]
CVE-2020-28724: Werkzeug Open Redirect [5.1 / Medium]
CVE-2019-7238: Sonatype Nexus Repository Manager Remote Code Execution [9.3 / Critical]
CVE-2019-17557: Apache Syncope XSS [7.8 / High]
CVE-2019-12314: Deltek Maconomy Local File Inclusion [9.2 / Critical]
CVE-2019-0232: Apache Tomcat CGIServlet Remote Code Execution [9.3 / Critical]
CVE-2019-0232: Apache Tomcat "CGIServlet" Remote Code Execution [9.3 / Critical]
CVE-2018-5006: Adobe AEM SalesforceSecretServlet SSRF [7.8 / High]
CVE-2018-18778: ACME mini_httpd Local File Inclusion [8.7 / High]
CVE-2018-17184: Apache Syncope XSS [6.2 / Medium]
CVE-2017-9248: Progress Telerik UI For ASP.NET AJAX And Sitefinity Credentials Disclosure [9.3 / Critical]
CVE-2017-5614: cPanel Open Redirect [6.9 / Medium]
CVE-2015-4153: WordPress "zM Ajax Login & Register" Local File Inclusion [6.9 / Medium]
CVE-2012-2917: WordPress Plugin Share And Follow "admin.php" Reflected XSS [6.3 / Medium]
CVE-2011-5194: WordPress Whois Plugin Reflected XSS [6.9 / Medium]
CVE-2011-4367: Apache MyFaces "ln" Directory Traversal [5.1 / Medium]
CVE-2009-4978: MyBackup 1.4.0 Remote File Inclusion [6.9 / Medium]
CVE-2009-0545: ZeroShell Remote Code Execution [9.3 / Critical]
CVE-2008-5929: VP-ASP Shopping Cart 6.50 Database Disclosure [6.9 / Medium]
CVE-2008-5886: Discussion Web 4 Remote Database Disclosure [6.9 / Medium]
CVE-2006-5512: INCA IM-204 And Zwahlen's Online Shop 5.2.2 "Cat" Cross-Site Scripting [6.3 / Medium]
Adobe ColdFusion Debug Page XSS [5.1 / Medium]
Apache Maven Config Disclosure [6.9 / Medium]
Apache NiFi Unauthenticated Access [2.7 / Low]
Apache Syncope Default Credentials [6.9 / Medium]
Apereo CAS XSS [6.3 / Medium]
Directory Listing [2.7 / Low]
Drupal User Enumeration [6.9 / Medium]
Hasura Database Dump [9.2 / Critical]
Laravel Debug Bar Enabled [6.9 / Medium]
Laravel Debug Bar Open Endpoint Exposed [6.9 / Medium]
Selenium Grid Console Exposure [6.9 / Medium]
Spring Application-Context Exposure [4.6 / Medium]
Spring Boot "X-Application-Context"-Header Exposure [2.7 / Low]
Spring Boot Actuator / Auto-Configuration Route [6.9 / Medium]
Spring Boot Actuator / Beans Route [6.9 / Medium]
Spring Boot Actuator / Caches Route [6.9 / Medium]
Spring Boot Actuator / Conditions [6.9 / Medium]
Spring Boot Actuator / Configuration Properties [6.9 / Medium]
Spring Boot Actuator / Environment Route [8.7 / High]
Spring Boot Actuator / Features [6.9 / Medium]
Spring Boot Actuator / Flyway Route [6.9 / Medium]
Spring Boot Actuator / Gateway [6.9 / Medium]
Spring Boot Actuator / HTTP Exchanges [6.9 / Medium]
Spring Boot Actuator / Health Route [6.9 / Medium]
Spring Boot Actuator / Heap Dump [6.9 / Medium]
Spring Boot Actuator / Info Route [6.9 / Medium]
Spring Boot Actuator / Integration Graph [6.9 / Medium]
Spring Boot Actuator / Liquibase Route [6.9 / Medium]
Spring Boot Actuator / Logfile Route [6.9 / Medium]
Spring Boot Actuator / Loggers Route [6.9 / Medium]
Spring Boot Actuator / Mappings Route [6.9 / Medium]
Spring Boot Actuator / Metrics Route [6.9 / Medium]
Spring Boot Actuator / Quartz [6.9 / Medium]
Spring Boot Actuator / Scheduled Tasks Route [6.9 / Medium]
Spring Boot Actuator / Startup [6.9 / Medium]
Spring Boot Actuator / Status [6.9 / Medium]
Spring Boot Actuator / Thread Dump Route [6.9 / Medium]
Spring Boot Actuator / Trace Route [6.9 / Medium]
Spring Boot Admin Exposure [7.3 / High]
Spring Boot Log4Shell (log4j) RCE [10.0 / Critical]
Traefik Insecure API Exposure [6.9 / Medium]