Abuse Of Functionality
Web Application Vulnerabilities index, v.26.3.2229
This page lists 77 vulnerabilities in this category.
Critical: 1
High: 52
Medium: 19
Low: 3
Information: 2
| Vulnerability Name | CVE | CWE | Severity |
|---|---|---|---|
| Ivanti CSA Path Traversal (CVE-2024-8963/CVE-2024-8190) | CVE-2024-8190 | CWE-22 | Critical |
| Cross-site Scripting via File Upload | - | CWE-79 | High |
| WordPress plugin WPtouch insecure nonce generation | - | CWE-287 | High |
| Deserialization of Untrusted Data (XStream) | CVE-2020-26217 | CWE-502 | High |
| WordPress MailPoet Newsletters (wysija-newsletters) unauthenticated file upload | - | CWE-434 | High |
| XSLT injection | - | CWE-91 | High |
| Deserialization of Untrusted Data (.NET BinaryFormatter Object Deserialization) | - | CWE-502 | High |
| Unrestricted file upload vulnerability in ofc_upload_image.php | CVE-2009-4140 | CWE-434 | High |
| Client-Side Prototype Pollution | - | - | High |
| WordPress plugin All in One SEO Pack privilege escalation vulnerabilities | - | CWE-269 | High |
| webadmin.php script | - | CWE-552 | High |
| Unrestricted File Upload | - | CWE-434 | High |
| Prototype pollution | - | - | High |
| Deserialization of Untrusted Data (Java JSON Deserialization) Jackson | CVE-2017-7525 | CWE-502 | High |
| Python pickle serialization | - | CWE-502 | High |
| Deserialization of Untrusted Data (Java Object Deserialization) | - | CWE-502 | High |
| Deserialization of Untrusted Data (Java JSON Deserialization) JsonIO | - | CWE-502 | High |
| Unprotected phpMyAdmin interface | - | CWE-205 | High |
| XML entity injection | - | CWE-611 | High |
| XML external entity injection and XML injection | - | CWE-611 | High |
| XML external entity injection | - | CWE-611 | High |
| XML External Entity Injection via external file | - | CWE-611 | High |
| XML external entity injection via File Upload | - | CWE-611 | High |
| XML external entity injection (variant) | - | CWE-611 | High |
| Deserialization of Untrusted Data (Java JSON Deserialization) Fastjson | - | CWE-502 | High |
| VirtueMart access control bypass | - | CWE-287 | High |
| Unrestricted access to Haproxy Data Plane API | - | CWE-200 | High |
| Uncontrolled format string | - | CWE-134 | High |
| Apache Tomcat JK connector security bypass | CVE-2007-1860 | CWE-200 | High |
| AngularJS client-side template injection | - | CWE-79 | High |
| File upload XSS (Java applet) | - | CWE-79 | High |
| Web Cache Deception | - | - | High |
| WordPress plugin Custom Contact Forms critical vulnerability | - | CWE-287 | High |
| DotNetNuke multiple vulnerabilities | CVE-2012-1030 | CWE-79 | High |
| Email Header Injection | - | CWE-20 | High |
| Email injection | - | CWE-20 | High |
| Database User Has Admin Privileges | - | CWE-267 | High |
| node-serialize Insecure Deserialization | CVE-2017-5941 | CWE-502 | High |
| Unsafe use of Reflection | - | CWE-470 | High |
| JIRA Security Advisory 2013-02-21 | - | CWE-22 | High |
| MongoDB $where operator JavaScript injection | - | CWE-943 | High |
| JSP authentication bypass | - | CWE-287 | High |
| Java Debug Wire Protocol remote code execution | - | CWE-94 | High |
| MediaWiki chunked uploads security issue | CVE-2013-2114 | CWE-434 | High |
| MongoDB injection | - | CWE-943 | High |
| Server-side JavaScript injection | - | CWE-20 | High |
| Multiple vulnerabilities reported in Parallels Plesk Sitebuilder | - | CWE-94 | High |
| Email Header Injection (Invicti IAST) | - | CWE-20 | High |
| Rails mass assignment | - | CWE-915 | High |
| Http redirect security bypass | - | CWE-20 | High |
| Authentication bypass via MongoDB operator injection | - | CWE-943 | High |
| TCPDF arbitrary file read | - | CWE-98 | High |
| Deserialization of Untrusted Data (Java JSON Deserialization) Genson | - | CWE-502 | High |
| URL rewrite vulnerability | CVE-2018-14773 | CWE-436 | Medium |
| Insecure usage of Version 1 UUID/GUID | - | CWE-328 | Medium |
| Oracle E-Business Suite Frame Injection (CVE-2017-3528) | CVE-2017-3528 | CWE-601 | Medium |
| User-controlled form action | - | CWE-20 | Medium |
| PHP unserialize() used on user input | - | CWE-20 | Medium |
| PHP super-globals-overwrite | - | CWE-1108 | Medium |
| File tampering | - | CWE-20 | Medium |
| HTML form susceptible to spam | - | CWE-20 | Medium |
| HTML Injection | - | CWE-80 | Medium |
| Host header attack | - | CWE-20 | Medium |
| JSF ViewState client side storage | - | CWE-693 | Medium |
| Same origin method execution (SOME) | - | CWE-20 | Medium |
| User controllable charset | - | CWE-20 | Medium |
| WordPress XML-RPC authentication brute force | - | CWE-521 | Medium |
| Java object deserialization of user-supplied data | - | CWE-20 | Medium |
| PHP object deserialization of user-supplied data | - | CWE-20 | Medium |
| PHP curl_exec() url is controlled by user | CVE-2009-0037 | CWE-352 | Medium |
| PHP preg_replace used on user input | - | CWE-20 | Medium |
| Python object deserialization of user-supplied data | - | CWE-20 | Medium |
| HTML Attribute Injection | - | CWE-80 | Low |
| Ruby on Rails CookieStore session cookie persistence | - | CWE-284 | Low |
| HTML Form found in redirect page | - | CWE-287 | Low |