
v3.0.0 - Latest Threat Classes


OmarRao released this 17 Jun 14:34

Latest Threat Classes

10 new vulnerability patterns added across 6 new CWE categories. VulnBank now covers 500+ findings, 28 CWE categories, and 14 MITRE ATT&CK techniques.

New Vulnerabilities

Endpoint                   | Vulnerability                                                                        | Standard
---------------------------|--------------------------------------------------------------------------------------|---------------------------
GET /notify                | SSTI - Jinja2 template injection via unsanitised msg param                           | CWE-94
POST /api/ai/advice        | Prompt Injection - user input concatenated into LLM system prompt                    | OWASP LLM01:2025
POST /api/users/update     | Mass Assignment - unrestricted JSON field merge allows role escalation               | CWE-915 / OWASP API3:2023
POST /api/token/verify     | JWT Algorithm Confusion - "alg":"none" accepted, signature bypassed                  | CWE-347 / OWASP API2:2023
GET /api/transactions/<id> | BOLA - no ownership check, any user reads any transaction                            | CWE-285 / OWASP API1:2023
GET /api/validate/email    | ReDoS - catastrophic regex backtracking on crafted input                             | CWE-1333
GET /api/account/balance   | CORS Misconfiguration - wildcard origin + credentials allows cross-origin data theft | CWE-942
POST /api/import/statement | XXE - XML external entity via unprotected ElementTree parser                         | CWE-611
POST /api/settings/merge   | Prototype Pollution - unrestricted dict merge overwrites internal keys               | CWE-1321
GET /api/redirect          | HTTP Response Splitting - unsanitised Location header, CRLF injectable               | CWE-113
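The JWT row above is the one most worth seeing in code, because the bug is a single branch: a verifier that reads the algorithm out of the token it is supposed to be checking. The block below is an added example written for these notes, not VulnBank's code or its /api/token/verify handler. It is a minimal HS256 verifier using only the Python standard library; the secret, the payloads, and every function name (sign_hs256, forge_alg_none, swap_payload, verify_vulnerable, verify_hardened) are invented here. The vulnerable verifier honours "alg":"none"; the hardened one pins the algorithm server-side and only ever compares the header's alg against that pin.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; a real service loads the key from a secret store.
SECRET = b"demo-secret-not-for-production"
PINNED_ALG = "HS256"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issuer side: base64url(header).base64url(payload) signed with HMAC-SHA256."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_alg_none(payload: dict) -> str:
    """Attacker side: an 'Unsecured JWS' (RFC 7518 section 3.6) has alg none and an empty signature."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(payload) + "."


def swap_payload(token: str, new_payload: dict) -> str:
    """Attacker side: keep a valid signature but replace the payload (must fail on a correct verifier)."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_segment(new_payload)}.{sig_b64}"


def verify_vulnerable(token: str, secret: bytes):
    """Obeys the alg declared inside the token, so a header of alg none turns the check off."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":  # the bug: the attacker chooses the algorithm
        return json.loads(_b64url_decode(payload_b64))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def verify_hardened(token: str, secret: bytes):
    """Pins the algorithm server-side; the token's alg is compared against the pin, never obeyed.
    Returns the payload dict on success and None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):  # binascii.Error and JSONDecodeError are ValueErrors
        return None
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("vulnerable accepts forged token:", verify_vulnerable(forged, SECRET))
    print("hardened rejects forged token:  ", verify_hardened(forged, SECRET))
    print("hardened accepts legit token:   ", verify_hardened(legit, SECRET))
```

The same pinning rule applies when a library does the parsing: pass the single allowed algorithm explicitly to the decode call and treat a token whose header disagrees as a failure, rather than letting the library select a verifier from the header.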

Why These?

These classes feature prominently in current industry rankings and in recent incidents:

  • Prompt Injection is the #1 LLM security risk (OWASP LLM Top 10 2025, LLM01)
  • BOLA is API1:2023 and Mass Assignment falls under API3:2023 (Broken Object Property Level Authorization) in the OWASP API Security Top 10
  • JWT algorithm confusion, including servers that honour "alg":"none", underpins a recurring line of auth bypass CVEs
  • ReDoS has caused production outages at Cloudflare, Stack Overflow, and others
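The Mass Assignment and Prototype Pollution rows in the table above, and the BOLA / Mass Assignment bullet here, share one root cause: a merge that writes whatever keys the client sends into a server-side record. The block below is an added example written for these notes, not VulnBank's code or its /api/users/update or /api/settings/merge handlers. The sample record, the client payload, the schema, and the function names (deep_merge_unrestricted, merge_allowlisted, demo_vulnerable, demo_hardened) are all constructed here. The vulnerable merge recurses into nested dicts, so a client can flip an internal flag two levels down; the hardened merge applies a per-level allowlist with type checks, never mutates the stored record, and reports every rejected key by path so the rejection can be logged.

```python
import copy

# Constructed sample record; the keys are invented for this note.
SAMPLE_USER = {
    "id": 7,
    "display_name": "Alice",
    "email": "alice@example.com",
    "role": "user",
    "balance": 100,
    "prefs": {"theme": "light", "locale": "en", "_meta": {"kyc_verified": False}},
}

# What a client might POST to the update/merge endpoint: two legitimate fields
# and two it must never be allowed to touch (role, and the nested prefs._meta).
ATTACK_UPDATE = {
    "display_name": "Mallory",
    "role": "admin",
    "prefs": {"theme": "dark", "_meta": {"kyc_verified": True}},
}

# Allowlist schema: which keys a client may set and what type each must be.
# A nested dict is its own allowlist, so prefs._meta is simply unreachable.
UPDATE_SCHEMA = {
    "display_name": str,
    "email": str,
    "prefs": {"theme": str, "locale": str},
}


def deep_merge_unrestricted(target: dict, source: dict) -> dict:
    """Vulnerable: recursive merge writes whatever the client sends, at any depth."""
    for key, value in source.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            deep_merge_unrestricted(target[key], value)
        else:
            target[key] = value
    return target


def merge_allowlisted(target: dict, source: dict, schema: dict = UPDATE_SCHEMA, path: str = ""):
    """Hardened: copy only schema keys of the right type; report everything else by path.
    Returns (new_record, rejected_paths) and never mutates target."""
    result = dict(target)
    rejected = []
    for key, value in source.items():
        here = f"{path}{key}"
        rule = schema.get(key)
        if rule is None:
            rejected.append(here)
        elif isinstance(rule, dict):
            if not isinstance(value, dict):
                rejected.append(here)
                continue
            nested, nested_rejected = merge_allowlisted(target.get(key, {}), value, rule, here + ".")
            result[key] = nested
            rejected.extend(nested_rejected)
        elif isinstance(value, rule):
            result[key] = value
        else:
            rejected.append(here)
    return result, rejected


def demo_vulnerable() -> dict:
    """Run the attack payload through the unrestricted merge on a copy of the record."""
    return deep_merge_unrestricted(copy.deepcopy(SAMPLE_USER), ATTACK_UPDATE)


def demo_hardened():
    """Run the same payload through the allowlisted merge."""
    return merge_allowlisted(SAMPLE_USER, ATTACK_UPDATE)


if __name__ == "__main__":
    v = demo_vulnerable()
    print("vulnerable -> role:", v["role"], "kyc_verified:", v["prefs"]["_meta"]["kyc_verified"])
    h, rejected = demo_hardened()
    print("hardened   -> role:", h["role"], "kyc_verified:", h["prefs"]["_meta"]["kyc_verified"],
          "rejected:", rejected)
```

Returning the rejected paths instead of silently dropping them is deliberate: a client that sends role or prefs._meta is either buggy or probing, and either way the endpoint should be able to log it.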

Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy