new tests
February 06, 2026
Now testing for the following vulnerabilities
New tests built and released by Alfred, our AI Security Researcher:
Haven't met Alfred yet? You can read more about how we're using AI to discover, source, and build tests for CVEs here.
- CVE-2025-68645: Zimbra Collaboration RestFilter Local File Inclusion [5.9 / Medium]
- CVE-2025-41646: RevPi Webstatus Authentication Bypass [9.3 / Critical]
- CVE-2025-31131: YesWiki Path Traversal [6.9 / Medium]
- CVE-2022-31137: Roxy-WI "options.py" Remote Code Execution [9.3 / Critical]
- CVE-2021-20116: TCExam Reflected XSS [6.3 / Medium]
- CVE-2021-20115: TCExam "tce_filemanager.php" Reflected XSS [6.3 / Medium]
- CVE-2020-11546: SuperWebMailer Remote Code Execution [9.3 / Critical]
- CVE-2019-5127: YouPHPTube Encoder 2.3 - Remote Command Injection [10.0 / Critical]
- CVE-2017-7630: QNAP QTS "sysinfoReq.cgi" Information Disclosure [6.9 / Medium]
- CVE-2014-7863: ManageEngine OpManager Arbitrary File Download [8.7 / High]
New tests released based on submissions by our Detectify Crowdsource hackers:
- CVE-2026-1340: Ivanti Endpoint Manager Mobile Remote Code Execution [9.3 / Critical]
- CVE-2026-1281: Ivanti Endpoint Manager Mobile (EPMM) Code Injection [9.3 / Critical]
- CVE-2025-62168: Squid HTTP Proxy Credential Disclosure [9.2 / Critical]
- CVE-2025-55184: React Server Components Denial Of Service [8.7 / High]
- CVE-2024-25673: Couchbase Open Redirect [5.1 / Medium]
- CVE-2024-6690: WordPress Content Copy Protection & No Right Click Open Redirect [6.9 / Medium]
- CVE-2021-35250: SolarWinds Serv-U 15.3 Directory Traversal [8.7 / High]
- CVE-2021-20086: jQuery BBQ Prototype Pollution DOM XSS [5.4 / Medium]
- CVE-2020-35774: Twitter Server Reflected XSS [6.2 / Medium]
- Polycom HDX Exposure [6.9 / Medium]
- SmarterMail Installer Exposure [9.3 / Critical]
- Weaviate Exposure / Anonymous Access Enabled [8.8 / High]
New tests released by Detectify staff:
- CVE-2024-48914: Vendure Arbitrary File Read [0.0 / Information]
- CVE-2024-33605: Sharp Multifunction Printers Path Traversal [8.7 / High]
- CVE-2024-33605: Sharp Multifunction Printers Directory Listing [8.7 / High]
- CVE-2024-8957: PTZOptics PT30X-SDI/NDI Cameras Remote Code Execution [8.6 / High]
- UniFi Wizard Installer Exposure [10.0 / Critical]
- Yawcam Exposure [6.9 / Medium]
- CVE-2022-21371: Oracle WebLogic Server Local File Inclusion [8.7 / High]
- CVE-2021-42237: Sitecore Experience Platform "Deprecated Endpoint" Remote Code Execution [10.0 / Critical]
- CVE-2021-38647: Microsoft OMI Remote Code Execution [9.3 / Critical]
- CVE-2021-32828: Nuxeo Platform OAuth2 Automation API Remote Code Execution [9.3 / Critical]
- CVE-2021-22881: Ruby On Rails "Host Header" Open Redirect [5.3 / Medium]
- CVE-2021-21287: MinIO Browser API SSRF [6.9 / Medium]
- CVE-2021-3129: Laravel Ignition Remote Code Execution [9.3 / Critical]
- CVE-2020-26879: Ruckus vRioT IoT Controller Remote Code Execution [9.3 / Critical]
- CVE-2020-25223: Sophos SG UTM WebAdmin Remote Code Execution [9.3 / Critical]
- CVE-2020-16846: SaltStack Remote Code Execution [9.3 / Critical]
- CVE-2020-10770: Keycloak "request_uri" Blind SSRF [6.9 / Medium]
- CVE-2019-16278: Nostromo nhttpd Remote Code Execution [9.3 / Critical]
- CVE-2019-11604: Quest KACE Reflected XSS [5.3 / Medium]
- CVE-2019-9918: Harmis JE Messenger Joomla Component SQL Injection [9.3 / Critical]
- CVE-2019-7238: Sonatype Nexus Repository Manager Remote Code Execution [9.3 / Critical]
- CVE-2019-2767: Oracle Business Intelligence Publisher XML External Entity Injection [6.9 / Medium]
- CVE-2019-2725: Oracle WebLogic Server AsyncResponseService Remote Code Execution [9.3 / Critical]
- CVE-2019-2616: Oracle Business Intelligence XML Publisher XML External Entity Injection [6.9 / Medium]
- CVE-2019-2413: Oracle Reports Developer Component 12.2.1.3 Reflected XSS [5.1 / Medium]
- CVE-2018-19439: Oracle Secure Global Desktop Administration Console Cross-Site Scripting [5.1 / Medium]
- CVE-2018-19274: phpBB Phar Remote Code Execution [8.6 / High]
- CVE-2018-18778: ACME mini_httpd Local File Inclusion [8.7 / High]
- CVE-2018-17254: Joomla JCK Editor SQL Injection [9.3 / Critical]
- CVE-2018-17082: Apache2 Transfer-Encoding Chunked XSS [5.3 / Medium]
- CVE-2018-16619: Sonatype Nexus Repository Manager Cross-Site Scripting [5.3 / Medium]
- CVE-2018-11409: Splunk "__raw" Server Information Disclosure [6.9 / Medium]
- CVE-2018-10068: Joomla jDownloads Cross-Site Scripting [0.0 / Information]
- CVE-2018-8947: Laravel Log Viewer Arbitrary File Deletion [8.7 / High]
- CVE-2018-7491: PrestaShop Clickjacking [5.3 / Medium]
- CVE-2018-7318: Joomla "com_checklist" SQL Injection [9.3 / Critical]
- CVE-2018-7315: Joomla "com_ekrishta" SQL Injection [9.3 / Critical]
- CVE-2018-7314: Joomla PrayerCenter "sessionid" SQL Injection [9.3 / Critical]
- CVE-2018-7312: Joomla Alexandria Book Library com_abook "letter" SQL Injection [9.3 / Critical]
- CVE-2018-7180: Joomla Saxum Astro SQL Injection [9.3 / Critical]
- CVE-2018-7179: Joomla SquadManagement SQL Injection [9.3 / Critical]
- CVE-2018-7178: Joomla Saxum Picker SQL Injection [9.3 / Critical]
- CVE-2018-7177: Joomla Saxum Numerology SQL Injection [9.3 / Critical]
- CVE-2018-6582: Joomla "com_zhgooglemap" SQL Injection [9.3 / Critical]
- CVE-2018-3167: Oracle E-Business Suite SSRF [6.9 / Medium]
- CVE-2018-2791: Oracle WebCenter Sites Cross-Site Scripting [6.2 / Medium]
- CVE-2017-1000028: Oracle GlassFish Server 4.1 Directory Traversal [8.7 / High]
- CVE-2017-1000028: Oracle GlassFish Server Path Traversal [8.7 / High]
- CVE-2017-17736: Kentico CMS Installer Privilege Escalation [9.3 / Critical]
- CVE-2017-16877: Next.js <2.4.1 Local File Inclusion [8.7 / High]
- CVE-2017-15946: Joomla com_tag SQL Injection [9.3 / Critical]
- CVE-2017-12637: SAP NetWeaver Application Server Java 7.5 Local File Inclusion [8.7 / High]
- CVE-2017-11460: SAP NetWeaver Portal DataArchivingService "shp/shp_result.jsp" "responsecode" Reflected XSS [5.3 / Medium]
- CVE-2017-10271: Oracle WebLogic Server wls-wsat Remote Code Execution [9.3 / Critical]
- CVE-2017-10246: Oracle E-Business Suite Server-Side Request Forgery [6.9 / Medium]
- CVE-2017-10106: Oracle PeopleSoft PeopleTools Portal TestServlet Reflected XSS [5.1 / Medium]
- CVE-2017-10075: Oracle WebCenter Sites Content Server Cross-Site Scripting [6.2 / Medium]
- CVE-2017-9356: Sitecore 7.1/7.2 Search-Results "searchStr" Reflected XSS [5.3 / Medium]
- CVE-2017-8514: Microsoft SharePoint Reflected XSS [5.3 / Medium]
- CVE-2017-5966: Sitecore CRM 8.1 "download.aspx" Arbitrary File Read [7.1 / High]
- CVE-2017-3549: Oracle E-Business Suite 12.2.3 "IESFOOTPRINT" SQL Injection [9.3 / Critical]
- CVE-2017-3548: Oracle PeopleSoft Integration Gateway "PeopleSoftServiceListeningConnector" XXE [6.9 / Medium]
- CVE-2017-3546: Oracle PeopleSoft IMServlet Server-Side Request Forgery [6.9 / Medium]
- CVE-2017-3528: Oracle E-Business Suite Open Redirect [5.1 / Medium]
- CVE-2017-0055: Microsoft Internet Information Reflected XSS [5.3 / Medium]
- CVE-2016-5110: LiteSpeed HTTP Header Injection [5.3 / Medium]
- CVE-2016-3976: SAP NetWeaver Directory Traversal [8.7 / High]
- CVE-2016-3436: Oracle E-Business Suite "Common Applications Calendar" Cross-Site Scripting [6.2 / Medium]
- CVE-2016-2389: SAP xMII For SAP NetWeaver Local File Inclusion [8.7 / High]
- CVE-2016-2387: SAP NetWeaver AS Java ProxyServer Servlet Reflected XSS [5.3 / Medium]
- CVE-2016-2386: SAP NetWeaver UDDI SQL Injection [9.3 / Critical]
- CVE-2016-0457: Oracle E-Business Suite "OA_HTML/lcmServiceController.jsp" XML External Entity [6.9 / Medium]
- CVE-2015-5608: Joomla com_user Open Redirect [5.3 / Medium]
- CVE-2015-4851: Oracle E-Business Suite iSupplier Portal XXE Injection [9.2 / Critical]
- CVE-2015-1397: Magento eCommerce Shoplift Remote Code Execution [9.3 / Critical]
- CVE-2014-100004: Sitecore "xmlcontrol" Reflected XSS [5.3 / Medium]
- CVE-2014-7981: Joomla Weblinks-Categories SQL Injection [9.3 / Critical]
- CVE-2014-4210: Oracle WebLogic Server-Side Request Forgery [6.9 / Medium]
- CVE-2014-4161: SAP NetWeaver SRM "la/umTestSSO.jsp" Reflected XSS [5.3 / Medium]
- CVE-2014-3744: Node.js "st" Module Directory Traversal [8.7 / High]
- CVE-2009-2163: Sitecore CMS "default.aspx" Reflected XSS [5.3 / Medium]
- CVE-2009-1975: Oracle WebLogic Server "console-help.portal" Cross-Site Scripting [5.1 / Medium]
- CVE-2007-6055: Liferay Portal Login Cross-Site Scripting [5.3 / Medium]
- ASP.NET Debug Mode Enabled [6.9 / Medium]
- ASP.NET Stack Trace Disclosure [6.9 / Medium]
- Deployment Documentation Exposure [0.0 / Information]
- Django Tastypie XXE Injection [8.7 / High]
- Error Message Disclosure [0.0 / Information]
- Flash Cross-Domain Policy Unrestricted Access [0.0 / Information]
- Flash Cross-Domain Policy Wildcard Access [0.0 / Information]
- Internal Server Error [0.0 / Information]
- Joomla Flash XSS in FlashMediaElement [0.0 / Information]
- Joomla SecurityCheck Extension SQL Injection [9.3 / Critical]
- Joomla Xtec Theme Reflected XSS [5.3 / Medium]
- Joomla! - J!Dump Information Disclosure [6.9 / Medium]
- Joomla! Component JMultipleHotelReservation SQL Injection [9.3 / Critical]
- Joomla! Component JooCart SQL Injection [9.3 / Critical]
- Joomla! Component Simple Membership SQL Injection [9.3 / Critical]
- Joomla! Component com_news SQL Injection [9.3 / Critical]
- Joomla! Component com_phocadownload SQL Injection [9.3 / Critical]
- Joomla! Component com_publication SQL Injection [9.3 / Critical]
- Joomla! Fabrik Image Path Traversal [7.7 / High]
- Joomla! com_advertisementboard SQL Injection [9.3 / Critical]
- Joomla! com_ekrishta SQL Injection [9.3 / Critical]
- Joomla! com_extrasearch SQL Injection [9.3 / Critical]
- Joomla! com_filecabinet SQL Injection [9.3 / Critical]
- Joomla! com_frontpage SQL Injection [9.3 / Critical]
- Joomla! com_jcart SQL Injection [9.3 / Critical]
- Joomla! com_jdownloads SQL Injection [9.3 / Critical]
- Joomla! com_vik SQL Injection [9.3 / Critical]
- Joomla! com_vikrentcar SQL Injection [9.3 / Critical]
- Joomla! com_vikrentitems SQL Injection [9.3 / Critical]
- Joomla! com_webgrouper SQL Injection [9.3 / Critical]
- Joomla! jcruiseportal SQL Injection [9.3 / Critical]
- Kentico CMS DevicePreview XSS [6.2 / Medium]
- Laravel Exception Stack Trace Exposure [6.9 / Medium]
- Liferay Portal SSRF [6.9 / Medium]
- Locomotive Cross-Site Scripting [6.3 / Medium]
- Lua Stack Trace Exposure [6.9 / Medium]
- Lynk Zipper Exposure [6.9 / Medium]
- Magento Admin Panel Disclosure [6.9 / Medium]
- Magento Admin Path Disclosure (SUPEE-5994) [6.9 / Medium]
- Magento Anonymous Web API Access (APPSEC-1378) [6.9 / Medium]
- Magento Connect Manager Exposure [6.9 / Medium]
- Magento Customer Information Leak via RSS (SUPEE-6285) [8.7 / High]
- Magento Exposed Cron Script (EDB-38651) [8.6 / High]
- Magento Flash XSS [0.0 / Information]
- Magento Follow Up Email SQL Injection & Path Traversal [9.3 / Critical]
- Magento Mlx RCE [9.3 / Critical]
- Magento Package Disclosure [0.0 / Information]
- Magento XXE Local File Disclosure (ZF2012-01) [8.7 / High]
- Magmi (Magento Mass Importer) Exposure [6.9 / Medium]
- Magnolia Admin Panel Exposure [6.9 / Medium]
- MediaWiki Special Version Information Disclosure [6.9 / Medium]
- MicroStrategy SSRF [8.7 / High]
- Microsoft Exchange Server 2007 XXE [9.3 / Critical]
- Moodle Flowplayer Flash XSS (MSA-15-0041) [0.0 / Information]
- Movable Type Configuration Backup Disclosure [6.9 / Medium]
- Mutt Configuration Disclosure [6.9 / Medium]
- MyBB Remote Code Execution [9.3 / Critical]
- Nagios Network Status Exposure [8.7 / High]
- Next.js Cross-Site Scripting [5.3 / Medium]
- Nexus Repository Manager Default Credentials [9.3 / Critical]
- One2Com Blind SQL Injection [9.3 / Critical]
- Oracle BI Discoverer Viewer Open Redirect [5.1 / Medium]
- Oracle Reports Diagnostic Endpoint Exposure [6.9 / Medium]
- Oracle Reports Unprotected Servlet Key Map [9.3 / Critical]
- PHP Error Log Exposure [6.9 / Medium]
- PHP Xdebug Remote Code Execution [9.2 / Critical]
- PHP print_r Sensitive Data Exposure [6.9 / Medium]
- Parallels Plesk Remote Code Execution [10.0 / Critical]
- Perl Source Code Disclosure [6.9 / Medium]
- Piwik Server Information Disclosure [6.9 / Medium]
- Piwik Unauthenticated Access [6.9 / Medium]
- Predis Example Files Exposure [6.9 / Medium]
- Preemtech Reflected XSS [5.3 / Medium]
- Python Object Transformation Error Disclosure [6.9 / Medium]
- Python Source Code Disclosure [6.9 / Medium]
- Roxy File Manager Exposure [6.9 / Medium]
- Ruby on Rails CSRF Token Leakage via CSS Side-Channel [2.3 / Low]
- SAP ConfigServlet Arbitrary Command Execution [9.3 / Critical]
- SAP ICF Information Exposure [6.9 / Medium]
- SAP NetWeaver CAFAdapterTest Servlet Reflected XSS [5.3 / Medium]
- Serendipity Open Redirect [5.3 / Medium]
- Silverlight Client Access Policy Unrestricted Access [0.0 / Information]
- Silverlight Client Access Policy Wildcard Access [0.0 / Information]
- Sitecore CMS Open Redirect [5.3 / Medium]
- Spring Boot Actuator Path Traversal [6.9 / Medium]
- Spring Boot SSTI Via Whitelabel Error Page [9.3 / Critical]
- Sublime SFTP Configuration Exposure [2.7 / Low]
- Yahei-PHP Prober Exposure [6.9 / Medium]
- Zend Configuration Disclosure [8.7 / High]
- Zend Framework Exception Stack Trace Exposure [6.9 / Medium]
- jQuery-File-Upload ImageMagick/GhostScript RCE [9.2 / Critical]
- myDBR Cross-Site Scripting [7.8 / High]
- myDBR Local File Inclusion [8.7 / High]
- phpMyAdmin Backdoor (PMASA-2012-5) [9.3 / Critical]
- phpMyAdmin Directory Listing via Path Traversal [6.9 / Medium]
- phpSysInfo Information Disclosure [6.9 / Medium]
- CVE-2025-54254: Adobe Experience Manager Forms Arbitrary File Read [9.2 / Critical]
- CVE-2024-4956: Sonatype Nexus Repository Manager 3 Local File Inclusion [7.7 / High]
- CVE-2021-21234: Spring Boot Actuator LogView Path Traversal [8.3 / High]
- CVE-2018-16341: Nuxeo Remote Code Execution [10.0 / Critical]
- CVE-2008-0703: SFLOG! 0.96 Remote File Disclosure [6.9 / Medium]
- ACTI Video Surveillance LFI [6.9 / Medium]
- Bitrix Site Manager Open Redirect [6.1 / Medium]
- Composer Configuration Disclosure [2.7 / Low]
- Malicious CDN Domain ("Polyfill") in Script Source [6.3 / Medium]
- Remmina VNC Exposure [9.3 / Critical]
- Ruby Bundler Gemfile.lock Exposure [6.9 / Medium]
- Spring Boot Actuator / JMX [10.0 / Critical]
Thanks for your feedback