🚀 Just released:
Latio 2026 Application Security Market Report.
Read it in our Whitepapers.
100% Signal 0% Noise
Platform
Invicti Platform
Zero-noise AppSec platform
Scan Code
Secure code before runtime
SAST
Early static security analysis
Open Source (SCA)
Find vulnerable dependencies
SBOM & License Risk
Generate SBOMs and track licenses
Secrets
Detect exposed secrets in applications
Infrastructure as Code
Ingest IaC security findings
Container
Track container image vulnerabilities
Test Runtime
Test live applications like attackers
DAST & AI DAST
Test runtime, prove exploitability
Agentic Pentesting
Automate real-world attack techniques
API Security Testing
Discover and test APIs
Attack Surface Management
Identify exposed apps and endpoints
Cloud AppSec
Get a single-pane view of cloud app risk
AI AppSec
Scan smarter, accelerate remediation
Manage Vulnerabilities
See, prioritize, reduce AppSec risk
Vulnerability Management (ASPM)
Centralize and correlate AppSec findings
Compliance & Executive Reporting
Measure risk and impact
Threat Intelligence
Reachability, exploitability, and business logic
Solutions
API Discovery
Manage Vulnerabilities
Automate Security Workflows
Track AppSec KPIs
Manage Open Source Risk
Pricing
Why Invicti
About Us
Case Studies
Contact Us
Careers
Resources
Resource Library
Blog
Webinars
White Papers
Podcasts
Invicti Learn
Savings Calculator
Live Training
Partners
Documentation
Get a demo
Home
/
Web Application Vulnerabilities
/ Medium Severity
Web Application Vulnerabilities
Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise
Acunetix Standard & Premium
v.26.4.2314
Medium Severity Vulnerabilities
Found
8734 vulnerabilities
at
Medium
severity.
Vulnerability Name
CVE
CWE
Severity
Pyramid DebugToolbar enabled
-
CWE-200
Medium
SAP BO BIP SSRF (CVE-2020-6308)
CVE-2020-6308
CWE-918
Medium
SAP ICF URL redirection Vulnerability
-
CWE-601
Medium
Vulnerable package dependencies [medium]
-
CWE-1104
Medium
Adminer Server Side Request Forgery (SSRF)
CVE-2021-21311
CWE-918
Medium
Apache Airflow Exposed configuration
-
CWE-200
Medium
Django Debug Toolbar
-
CWE-200
Medium
Reverse proxy misrouting through HTTP/2 pseudo-headers (SSRF)
-
CWE-918
Medium
Jetty ConcatServlet Information Disclosure (CVE-2021-28169)
CVE-2021-28169
CWE-200
Medium
Jetty Information Disclosure (CVE-2021-34429)
CVE-2021-28164
CWE-200
Medium
Joomla Debug Console enabled
-
CWE-200
Medium
Joomla J!Dump extension enabled
-
CWE-200
Medium
Keycloak request_uri SSRF (CVE-2020-10770)
CVE-2020-10770
CWE-918
Medium
Express Development Mode enabled
-
CWE-200
Medium
Node.js Web Application does not handle uncaughtException
-
CWE-248
Medium
Node.js Web Application does not handle unhandledRejection
-
CWE-248
Medium
Unprotected Apache NiFi API interface
-
CWE-287
Medium
Unprotected Kong Gateway Admin API interface
-
CWE-287
Medium
Unauthorized Access to a web app installer
-
CWE-200
Medium
Apache APISIX default token (CVE-2020-13945/CVE-2022-24112)
CVE-2022-24112
CWE-259
Medium
ASP.NET forms authentication using inadequate protection
-
CWE-345
Medium
ASP.NET header checking is disabled in web.config
-
CWE-113
Medium
ASP.NET potential HTTP Verb Tampering
-
CWE-288
Medium
ASP.NET Deny missing from authorization rule on location
-
CWE-288
Medium
ASP.NET event validation disabled
-
CWE-345
Medium
ASP.NET expired session IDs are not regenerated
-
CWE-384
Medium
ASP.NET viewstate encryption disabled
-
CWE-319
Medium
ASP.NET WCF replay attacks are not detected
-
CWE-294
Medium
ASP.NET WCF metadata enabled for behavior
-
CWE-200
Medium
ASP.NET WCF service include exception details
-
CWE-209
Medium
InfluxDB Unauthorized Access Vulnerability
-
CWE-200
Medium
Magento Config File Disclosure
-
CWE-200
Medium
Oracle E-Business Suite iStore open user registration
CVE-2022-21500
CWE-200
Medium
Citrix ADC NetScaler Local File Inclusion (CVE-2020-8193)
CVE-2020-8193
CWE-284
Medium
Go web application binary disclosure
-
CWE-540
Medium
Insecure usage of Version 1 UUID/GUID
-
CWE-328
Medium
Phpfastcache phpinfo publicly accessible (CVE-2021-37704)
CVE-2021-37704
CWE-200
Medium
Axis development mode enabled in WEB-INF/server-config.wsdd
-
CWE-489
Medium
Axis system configuration listing enabled in WEB-INF/server-config.wsdd
-
CWE-200
Medium
Custom Error Pages Are Not Configured in WEB-INF/web.xml
-
CWE-209
Medium
Overly long session timeout in servlet configuration
-
CWE-613
Medium
Unsafe value for session tracking in WEB-INF/web.xml
-
CWE-598
Medium
Spring Boot Misconfiguration: Actuator endpoint security disabled
-
CWE-749
Medium
Spring Boot Misconfiguration: Admin MBean enabled
-
CWE-749
Medium
Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed
-
CWE-200
Medium
Spring Boot Misconfiguration: Developer tools enabled on production
-
CWE-489
Medium
Spring Misconfiguration: HTML Escaping disabled
-
CWE-116
Medium
Spring Boot Misconfiguration: Overly long session timeout
-
CWE-613
Medium
Spring Boot Misconfiguration: Unsafe value for session tracking
-
CWE-598
Medium
Spring Boot Misconfiguration: Datasource credentials stored in the properties file
-
CWE-312
Medium
Spring Boot Misconfiguration: MongoDB credentials stored in the properties file
-
CWE-312
Medium
Struts 2 Config Browser plugin enabled
-
CWE-200
Medium
Verb tampering via misconfigured security constraint
-
CWE-288
Medium
CodeIgniter development mode enabled
-
CWE-489
Medium
Drupal configuration file weak file permissions
-
CWE-732
Medium
Drupal trusted_host_patterns setting not configured
-
-
Medium
Laravel debug mode enabled (Invicti IAST)
-
CWE-489
Medium
Symfony debug mode enabled (Invicti IAST)
-
CWE-489
Medium
Symfony running in dev mode
-
CWE-489
Medium
WordPress configuration file weak file permissions
-
CWE-732
Medium
WordPress allows editing theme/plugin files
-
CWE-749
Medium
Yii debug mode enabled
-
CWE-489
Medium
Yii running in dev mode
-
CWE-489
Medium
Sonicwall SMA 100 Unintended proxy (CVE-2021-20042)
CVE-2021-20042
CWE-441
Medium
SAP NW KW XSS vulnerability (CVE-2021-42063)
CVE-2021-42063
CWE-79
Medium
ServiceNow logout XSS (CVE-2022-38463)
CVE-2022-38463
CWE-79
Medium
Active Mixed Content over HTTPS
-
CWE-1428
Medium
ASP.NET Core Development Mode enabled
-
CWE-200
Medium
Open Silverlight Client Access Policy
-
CWE-942
Medium
Insecure crossdomain.xml policy
-
CWE-942
Medium
GraphQL Alias Overloading Allowed: Potential Denial of Service Vulnerability
-
CWE-400
Medium
GraphQL Circular-Query via Introspection Allowed: Potential DoS Vulnerability
-
CWE-400
Medium
GraphQL Field Suggestions Enabled
-
CWE-200
Medium
GraphQL Non-JSON Queries over GET: Potential CSRF Vulnerability
-
CWE-352
Medium
GraphQL Non-JSON Mutations over GET: Potential CSRF Vulnerability
-
CWE-352
Medium
« Previous
1
2
3
4
5
6
7
8
9
...
117
Next »
