new tests
December 19, 2025
Now testing for the following vulnerabilities
New tests released based on submissions by our Detectify Crowdsource hackers:
- CVE-2025-64764: Astro "Server Islands" Reflected XSS [7.0 / High]
New tests released by Detectify staff:
- AGENTS.md AI Instructions Exposure [2.7 / Low]
- AI Tool Ignore Files Exposure [2.7 / Low]
- AIChat Configuration Exposure [6.6 / Medium]
- Aider Chat History Exposure [6.6 / Medium]
- Aider Configuration Exposure [6.6 / Medium]
- Amazon Q Developer Configuration Exposure [6.6 / Medium]
- Augment Code Rules Exposure [2.7 / Low]
- AutoGen Configuration Exposure [6.6 / Medium]
- Avante.nvim Rules Exposure [2.7 / Low]
- Bito AI Configuration Exposure [2.7 / Low]
- Bolt Configuration Exposure [2.7 / Low]
- ChainForge Flow Exposure [2.7 / Low]
- Claude Code Project Documentation Exposure [2.7 / Low]
- Claude Code Settings Exposure [2.7 / Low]
- Cline Rules Exposure [2.7 / Low]
- CodeRabbit Configuration Exposure [2.7 / Low]
- Cody Custom Commands Exposure [2.7 / Low]
- Continue Configuration Exposure [6.6 / Medium]
- Cursor IDE Configuration Exposure [2.7 / Low]
- DSPy Compiled Program Exposure [2.7 / Low]
- Ellipsis AI Configuration Exposure [2.7 / Low]
- Embedchain Configuration Exposure [6.6 / Medium]
- GitHub Copilot Hosts Exposure [6.6 / Medium]
- GitHub Copilot Instructions Exposure [2.7 / Low]
- Google IDX Configuration Exposure [2.7 / Low]
- Goose AI Secrets Exposure [6.6 / Medium]
- Goose Hints Exposure [2.7 / Low]
- Graphite Configuration Exposure [6.6 / Medium]
- Haystack Pipeline Exposure [6.6 / Medium]
- LMQL Configuration Exposure [6.6 / Medium]
- Langfuse Configuration Exposure [6.6 / Medium]
- LibreChat Configuration Exposure [6.6 / Medium]
- LiteLLM Configuration Exposure [6.6 / Medium]
- LocalAI Configuration Exposure [2.7 / Low]
- MCP Server Configuration Exposure [6.6 / Medium]
- Ollama Modelfile Exposure [2.7 / Low]
- OpenHands Configuration Exposure [6.6 / Medium]
- PrivateGPT Configuration Exposure [6.6 / Medium]
- PromptFoo Configuration Exposure [6.6 / Medium]
- Qodo Gen Configuration Exposure [2.7 / Low]
- Qodo PR-Agent Secrets Exposure [6.6 / Medium]
- Replit Configuration Exposure [2.7 / Low]
- Roo Code Rules Exposure [2.7 / Low]
- ShellGPT Configuration Exposure [6.6 / Medium]
- Sourcery Configuration Exposure [2.7 / Low]
- Tabby Configuration Exposure [6.6 / Medium]
- Tabnine MCP Configuration Exposure [6.6 / Medium]
- Trae AI IDE Configuration Exposure [6.6 / Medium]
- Windsurf Rules Exposure [2.7 / Low]
- Zed AI Configuration Exposure [6.6 / Medium]
- vLLM Configuration Exposure [6.6 / Medium]
- CVE-2017-16877: Next.js <2.4.1 Local File Inclusion [8.7 / High]
- Nagios Network Status Exposure [8.7 / High]
- CVE-2025-54597: Heimdall XSS [5.5 / Medium]
- CVE-2025-49132: Pterodactyl Panel Remote Code Execution [9.3 / Critical]
- CVE-2025-44148: MailEnable Mail Service Reflected XSS [6.9 / Medium]
- CVE-2025-32430: XWiki Platform Reflected XSS [5.1 / Medium]
- CVE-2025-31161: CrushFTP Authentication Bypass [9.3 / Critical]
- CVE-2025-28228: Electrolink FM/DAB/TV Transmitter Credentials Disclosure [8.7 / High]
- CVE-2025-27506: NocoDB XSS [5.1 / Medium]
- CVE-2025-24813: Apache Tomcat Remote Code Execution [9.3 / Critical]
- CVE-2025-10035: Fortra GoAnywhere MFT Deserialization [8.9 / High]
- CVE-2025-4210: Casdoor Authorization Bypass [5.5 / Medium]
- CVE-2025-4123: Grafana "Client Path Traversal" SSRF [7.0 / High]
- CVE-2025-2746: Kentico Xperience 13 CMS Authentication Bypass [9.3 / Critical]
- CVE-2025-2636: WordPress Plugin "InstaWP Connect / 1-click WP Staging & Migration" (instawp-connect) ... < 0.1.0.86 Unauthenticated Local File Inclusion [7.8 / High]
- CVE-2024-50967: Datagerry Access Control [8.7 / High]
- CVE-2024-50623: Cleo Multiple Products Unrestricted File Upload [9.3 / Critical]
- CVE-2024-32113: Apache OFBiz Remote Code Execution [9.3 / Critical]
- CVE-2024-31850: CData Arc Path Traversal [8.8 / High]
- CVE-2024-21887: Ivanti Connect Secure And Policy Secure Command Injection [9.4 / Critical]
- CVE-2024-21136: Oracle Retail Xstore Suite And Office Path Traversal [9.2 / Critical]
- CVE-2024-13126: WordPress Plugin "Download Manager" (download-manager) Unauthenticated Password Bypass via Directory Listing [6.9 / Medium]
- CVE-2024-3400: Palo Alto Networks PAN-OS Global Connect Remote Code Execution [10.0 / Critical]
- CVE-2023-51630: PRTG Network Monitor XSS [6.3 / Medium]
- CVE-2023-48022: Ray Agent Job Remote Code Execution [9.3 / Critical]
- CVE-2023-44150: WordPress "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content / ProfilePress" (wp-user-avatar) Sensitive Data Exposure in wp-user-avatar endpoint [6.9 / Medium]
- CVE-2023-39700: IceWarp Mail Server Cross-Site Scripting [6.3 / Medium]
- CVE-2023-39361: Cacti SQL Injection [9.3 / Critical]
- CVE-2023-33960: OpenProject Project Identifiers Exposure [2.7 / Low]
- CVE-2023-26360: Adobe ColdFusion Deserialization [9.2 / Critical]
- CVE-2023-24488: Citrix Gateway And Citrix ADC Reflected XSS [6.9 / Medium]
- CVE-2023-20198: Cisco IOS XE Web UI Remote Code Execution [9.3 / Critical]
- CVE-2023-6549: Citrix NetScaler ADC And Gateway Buffer Overflow [8.7 / High]
- CVE-2023-5244: Microweber < V2.0 XSS [2.1 / Low]
- CVE-2023-3765: MLflow Absolute Path Traversal [10.0 / Critical]
- CVE-2023-1434: Odoo Cross-Site Scripting [6.3 / Medium]
- CVE-2022-47966: ManageEngine ADSelfService Plus Remote Code Execution [10.0 / Critical]
- CVE-2022-35405: Zoho ManageEngine Password Manager Pro Remote Code Execution [9.3 / Critical]
- CVE-2022-31798: Nortek Linear eMerge E3-Series Cross-Site Scripting [6.3 / Medium]
- CVE-2022-26148: Grafana Zabbix Integration Credentials Disclosure [9.3 / Critical]
- CVE-2022-24288: Apache Airflow Remote Code Execution [8.7 / High]
- CVE-2022-2461: Transposh WordPress Authorization Bypass [6.9 / Medium]
- CVE-2021-45467: Control Web Panel Local File Inclusion [9.2 / Critical]
- CVE-2021-44228: MobileIron Core Remote Code Execution [10.0 / Critical]
- CVE-2021-41773: Apache HTTP Server Path Traversal [8.7 / High]
- CVE-2021-41174: Grafana AngularJS XSS [7.1 / High]
- CVE-2021-40539: Zoho ManageEngine ADSelfService Plus Remote Code Execution [9.3 / Critical]
- CVE-2021-40438: Apache mod_proxy Server-Side Request Forgery [9.5 / Critical]
- CVE-2021-35587: Oracle Access Manager Remote Code Execution [9.3 / Critical]
- CVE-2021-32602: FortiPortal Error Page XSS [6.3 / Medium]
- CVE-2021-29625: Adminer Reflected XSS [6.3 / Medium]
- CVE-2021-26084: Atlassian Confluence Server Remote Code Execution [10.0 / Critical]
- CVE-2021-24873: WordPress Plugin "Tutor LMS / eLearning and online course solution" (tutor) ... Reflected XSS in course search parameter [6.3 / Medium]
- CVE-2021-24278: WordPress Plugin "Redirection for Contact Form 7" (wpcf7-redirect) ... Predictable Nonce Allowing CSRF Bypass [6.9 / Medium]
- CVE-2021-22872: Revive Adserver XSS [7.8 / High]
- CVE-2021-22175: Gitlab SSRF [8.9 / High]
- CVE-2021-21975: VMware vRealize Operations Manager API SSRF [7.8 / High]
- CVE-2021-3021: ISPConfig SQL Injection [9.3 / Critical]
- CVE-2021-3007: Zend Framework3 Deserialize RCE [9.3 / Critical]
- CVE-2020-36287: Atlassian Jira Information Disclosure [6.9 / Medium]
- CVE-2020-35572: Adminer 4.7.8 XSS [7.8 / High]
- CVE-2020-14750: Oracle WebLogic Server Administration Console Remote Code Execution [9.3 / Critical]
- CVE-2020-14181: Atlassian Jira Username Enumeration [6.9 / Medium]
- CVE-2020-13379: Grafana Server-Side Request Forgery [7.8 / High]
- CVE-2020-12145: Silver-Peak Unity Orchestrator Authentication Bypass [7.5 / High]
- CVE-2020-11110: Grafana Cross-Site Scripting [6.3 / Medium]
- CVE-2020-11034: GLPI <9.4.6 Open Redirect [6.3 / Medium]
- CVE-2020-9376: D-Link DIR-610 Information Disclosure [6.9 / Medium]
- CVE-2020-8772: WordPress Plugin "InfiniteWP Client" (iwp-client) Unauthenticated Admin Access (Authentication Bypass) [6.9 / Medium]
- CVE-2020-8515: DrayTek Vigor Router Web Management Page Remote Code Execution [9.3 / Critical]
- CVE-2020-6950: Eclipse Mojarra Directory Traversal [5.1 / Medium]
- CVE-2020-3019: Lanproxy LFI [8.7 / High]
- CVE-2019-16758: Lexmark Services Monitor 2.27.4.0.39 Directory Traversal [8.7 / High]
- CVE-2019-14277: Axway SecureTransport XML External Entity [8.1 / High]
- CVE-2019-12593: IceWarp Mail Server Local File Inclusion [8.7 / High]
- CVE-2019-3826: Prometheus Stored XSS [6.3 / Medium]
- CVE-2019-0230: Apache Struts Double "OGNL" Evaluation [9.3 / Critical]
- CVE-2018-1000600: Jenkins SSRF [8.2 / High]
- CVE-2018-17283: Zoho ManageEngine OpManager SQL Injection [8.7 / High]
- CVE-2018-12596: Ektron CMS 9.20 SP2 Authentication Bypass [9.3 / Critical]
- CVE-2018-6526: MantisBT "view_all_bug_page.php" Full Path Disclosure [6.9 / Medium]
- CVE-2018-1273: Spring Data Commons Remote Code Execution [9.3 / Critical]
- CVE-2017-1000486: PrimeTek PrimeFaces Remote Code Execution [9.3 / Critical]
- CVE-2017-12097: Ruby on Rails delayed_job_web XSS [6.3 / Medium]
- CVE-2017-11512: ManageEngine ServiceDesk Path Traversal [8.7 / High]
- CVE-2017-9031: Deluge Path Traversal [6.9 / Medium]
- CVE-2017-7921: Hikvision IP Camera Authentication Bypass [8.9 / High]
- CVE-2016-0957: Adobe AEM Dispatcher Rules Bypass [10.0 / Critical]
- CVE-2016-0956: Adobe AEM Sling Information Disclosure [8.7 / High]
- CVE-2015-7297: Joomla! Component Content History Remote Code Execution [6.9 / Medium]
- CVE-2009-0766: Kipper 2.01 Local File Inclusion [8.7 / High]
- CVE-2006-1372: 1WebCalendar "ViewEvent.cfm?EventID" SQL Injection [6.9 / Medium]
- Bitrix Site Manager Open Redirect [6.1 / Medium]
Thanks for your feedback