v3.0.0 - Latest Threat Classes
10 new vulnerability patterns added across 6 new CWE categories. VulnBank now covers 500+ findings, 28 CWE categories, and 14 MITRE ATT&CK techniques.
New Vulnerabilities
| Endpoint | Vulnerability | Standard |
|---|---|---|
| `GET /notify` | SSTI: Jinja2 template injection via the unsanitised `msg` parameter | CWE-94 |
| `POST /api/ai/advice` | Prompt Injection: user input concatenated into the LLM system prompt | OWASP LLM01:2025 |
| `POST /api/users/update` | Mass Assignment: unrestricted JSON field merge lets a user overwrite `role` and escalate privileges | CWE-915 / OWASP API3:2023 |
| `POST /api/token/verify` | JWT Algorithm Confusion: the verifier trusts the header's `alg`, so a token with `"alg":"none"` is accepted and the signature check is skipped | CWE-347 / OWASP API2:2023 |
| `GET /api/transactions/<id>` | BOLA: no ownership check, so any authenticated user can read any transaction by ID | CWE-285 / OWASP API1:2023 |
| `GET /api/validate/email` | ReDoS: catastrophic regex backtracking on crafted input | CWE-1333 |
| `GET /api/account/balance` | CORS Misconfiguration: wildcard origin combined with credentials, allowing cross-origin data theft (note: browsers refuse a literal `*` together with `Access-Control-Allow-Credentials: true`; the exploitable form reflects the request `Origin` header) | CWE-942 |
| `POST /api/import/statement` | XXE: XML external entities resolved by an unhardened parser (note: the stdlib `xml.etree.ElementTree` does not expand external entities; the classic exploitable default is lxml with `resolve_entities=True`) | CWE-611 |
| `POST /api/settings/merge` | Prototype Pollution-style recursive dict merge: crafted nested JSON overwrites internal keys (CWE-1321 is the JavaScript prototype class; in a Python dict this is closer to mass assignment, CWE-915) | CWE-1321 |
| `GET /api/redirect` | HTTP Response Splitting: unsanitised `Location` header, CRLF-injectable | CWE-113 |
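The mass-assignment and settings-merge rows describe the same root cause: a request body merged into a stored record without an allowlist. The following is an added example written for these notes, not VulnBank's own code; the `STORED_USER` record, the `USER_EDITABLE` set and the two `update_user_*` functions are constructed for illustration. It shows the recursive merge handing out `role: admin`, and a hardened version that rejects any field outside the allowlist instead of silently dropping it.

```python
import copy
from typing import Any, Dict

# Constructed sample record: internal authorization fields live next to
# user-editable profile fields, which is what makes a blind merge dangerous.
STORED_USER: Dict[str, Any] = {
    "id": 42,
    "email": "alice@example.com",
    "display_name": "Alice",
    "role": "customer",
    "limits": {"daily_transfer": 1000, "approved": False},
}

# Fields a user may legitimately change about their own profile (assumed).
USER_EDITABLE = {"email", "display_name"}


def deep_merge_unrestricted(target: Dict[str, Any], source: Dict[str, Any]) -> Dict[str, Any]:
    """Vulnerable pattern: every key in the untrusted JSON is merged, recursing into
    nested dicts, so 'role' and 'limits.approved' are writable by the caller."""
    for key, value in source.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            deep_merge_unrestricted(target[key], value)
        else:
            target[key] = value
    return target


def update_user_vulnerable(record: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """What the vulnerable endpoint effectively does with the request body."""
    return deep_merge_unrestricted(copy.deepcopy(record), body)


def update_user_hardened(record: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """Fixed pattern: explicit allowlist of top-level scalar fields. Unknown fields
    are rejected loudly (a silent drop hides probing attempts from your logs)."""
    unexpected = set(body) - USER_EDITABLE
    if unexpected:
        raise ValueError(f"fields not permitted: {sorted(unexpected)}")
    updated = copy.deepcopy(record)
    for key in USER_EDITABLE & set(body):
        if not isinstance(body[key], str):
            raise ValueError(f"{key} must be a string")
        updated[key] = body[key]
    return updated


if __name__ == "__main__":
    # Constructed attacker body: a harmless-looking profile edit with extra keys.
    attack = {"display_name": "Alice", "role": "admin", "limits": {"approved": True}}
    print("vulnerable:", update_user_vulnerable(STORED_USER, attack))
    try:
        update_user_hardened(STORED_USER, attack)
    except ValueError as err:
        print("hardened:", err)
```

The nested `limits` key is the part worth noticing: a top-level allowlist that still recursed into dicts would let `limits.approved` through, which is why the hardened version only accepts scalar strings for the allowed keys.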
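For the `/api/token/verify` row, here is an added example (not VulnBank's code) of the `alg:none` bypass end to end in plain Python with only the standard library: a server-side HS256 signer, an attacker function that forges an unsigned token, a verifier that trusts the header's `alg` field, and a hardened verifier that pins the algorithm. The `SERVER_SECRET` value and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key for the example; the real app's key is not known here.
SERVER_SECRET = b"vulnbank-demo-hs256-secret"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """Server: issue a legitimately signed HS256 token."""
    header = json_segment({"alg": "HS256", "typ": "JWT"})
    payload = json_segment(claims)
    mac = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def forge_alg_none(claims: dict) -> str:
    """Attacker: no key required. The header says alg=none and the signature is empty."""
    header = json_segment({"alg": "none", "typ": "JWT"})
    return f"{header}.{json_segment(claims)}."


def verify_vulnerable(token: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Vulnerable pattern: the algorithm is read from the attacker-controlled header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg == "none":
        # "Unsecured JWT": nothing to verify, so the payload is trusted as-is.
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Fixed pattern: the server decides the algorithm; the header is only checked
    for agreement. This also shuts the RS256->HS256 key-confusion variant."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged))
    print("hardened verifier rejects forged token:", verify_hardened(forged))
```

When using a real JWT library the equivalent of `verify_hardened` is passing an explicit `algorithms=[...]` list (or the library's equivalent) on every decode call; the point is that the accepted algorithm set is configuration on the server, never data from the token.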
Why These?
These classes were chosen because they sit at the top of current standards and behind recent real-world incidents:
- Prompt Injection is ranked #1 (LLM01) in the OWASP Top 10 for LLM Applications 2025
- BOLA (API1) and Broken Object Property Level Authorization, which covers mass assignment (API3), sit at the top of the OWASP API Security Top 10 2023
- JWT `alg` handling flaws (accepting `none`, or confusing asymmetric and symmetric keys) underpin a number of authentication-bypass CVEs in JWT libraries
- ReDoS has caused production outages at Cloudflare (2019) and Stack Overflow (2016), among others
Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy