Web Application Vulnerabilities (Invicti vulnerability index, v.26.4.2314)
Abuse Of Functionality

This page lists 76 vulnerabilities in this category (75 on this page; the remaining entry is on page 2). Severity breakdown: Critical 1, High 52, Medium 18, Low 3, Information 2.
| Vulnerability Name | CVE | CWE | Severity |
|---|---|---|---|
| Ivanti CSA Path Traversal (CVE-2024-8963/CVE-2024-8190) | CVE-2024-8190 | CWE-22 | Critical |
| Deserialization of Untrusted Data (Java JSON Deserialization) JsonIO | - | CWE-502 | High |
| WordPress plugin All in One SEO Pack privilege escalation vulnerabilities | - | CWE-269 | High |
| Unrestricted File Upload | - | CWE-434 | High |
| Cross-site Scripting via File Upload | - | CWE-79 | High |
| Unprotected phpMyAdmin interface | - | CWE-205 | High |
| XML entity injection | - | CWE-611 | High |
| XML external entity injection and XML injection | - | CWE-611 | High |
| XML external entity injection | - | CWE-611 | High |
| XML External Entity Injection via external file | - | CWE-611 | High |
| XML external entity injection via File Upload | - | CWE-611 | High |
| XML external entity injection (variant) | - | CWE-611 | High |
| Deserialization of Untrusted Data (Java JSON Deserialization) Fastjson | - | CWE-502 | High |
| Deserialization of Untrusted Data (Java JSON Deserialization) Genson | - | CWE-502 | High |
| Deserialization of Untrusted Data (Java JSON Deserialization) Jackson | CVE-2017-7525 | CWE-502 | High |
| Deserialization of Untrusted Data (Java Object Deserialization) | - | CWE-502 | High |
| XSLT injection | - | CWE-91 | High |
| Python pickle serialization | - | CWE-502 | High |
| Prototype pollution | - | - | High |
| Client-Side Prototype Pollution | - | - | High |
| Deserialization of Untrusted Data (.NET BinaryFormatter Object Deserialization) | - | CWE-502 | High |
| Deserialization of Untrusted Data (XStream) | CVE-2020-26217 | CWE-502 | High |
| Unrestricted access to HAProxy Data Plane API | - | CWE-200 | High |
| Authentication bypass via MongoDB operator injection | - | CWE-943 | High |
| Email Header Injection (Invicti IAST) | - | CWE-20 | High |
| MongoDB $where operator JavaScript injection | - | CWE-943 | High |
| Unsafe use of Reflection | - | CWE-470 | High |
| node-serialize Insecure Deserialization | CVE-2017-5941 | CWE-502 | High |
| Database User Has Admin Privileges | - | CWE-267 | High |
| Web Cache Deception | - | - | High |
| Unrestricted file upload vulnerability in ofc_upload_image.php | CVE-2009-4140 | CWE-434 | High |
| webadmin.php script | - | CWE-552 | High |
| WordPress MailPoet Newsletters (wysija-newsletters) unauthenticated file upload | - | CWE-434 | High |
| HTTP redirect security bypass | - | CWE-20 | High |
| AngularJS client-side template injection | - | CWE-79 | High |
| File upload XSS (Java applet) | - | CWE-79 | High |
| WordPress plugin Custom Contact Forms critical vulnerability | - | CWE-287 | High |
| DotNetNuke multiple vulnerabilities | CVE-2012-1030 | CWE-79 | High |
| Email Header Injection | - | CWE-20 | High |
| Email injection | - | CWE-20 | High |
| JIRA Security Advisory 2013-02-21 | - | CWE-22 | High |
| JSP authentication bypass | - | CWE-287 | High |
| Java Debug Wire Protocol remote code execution | - | CWE-94 | High |
| MediaWiki chunked uploads security issue | CVE-2013-2114 | CWE-434 | High |
| MongoDB injection | - | CWE-943 | High |
| Multiple vulnerabilities reported in Parallels Plesk Sitebuilder | - | CWE-94 | High |
| Rails mass assignment | - | CWE-915 | High |
| Server-side JavaScript injection | - | CWE-20 | High |
| TCPDF arbitrary file read | - | CWE-98 | High |
| Apache Tomcat JK connector security bypass | CVE-2007-1860 | CWE-200 | High |
| Uncontrolled format string | - | CWE-134 | High |
| WordPress plugin WPtouch insecure nonce generation | - | CWE-287 | High |
| VirtueMart access control bypass | - | CWE-287 | High |
| Oracle E-Business Suite Frame Injection (CVE-2017-3528) | CVE-2017-3528 | CWE-601 | Medium |
| Java object deserialization of user-supplied data | - | CWE-20 | Medium |
| WordPress XML-RPC authentication brute force | - | CWE-521 | Medium |
| Insecure usage of Version 1 UUID/GUID | - | CWE-328 | Medium |
| PHP object deserialization of user-supplied data | - | CWE-20 | Medium |
| Python object deserialization of user-supplied data | - | CWE-20 | Medium |
| File tampering | - | CWE-20 | Medium |
| HTML Injection | - | CWE-80 | Medium |
| Host header attack | - | CWE-20 | Medium |
| Same origin method execution (SOME) | - | CWE-20 | Medium |
| User controllable charset | - | CWE-20 | Medium |
| JSF ViewState client side storage | - | CWE-693 | Medium |
| URL rewrite vulnerability | CVE-2018-14773 | CWE-436 | Medium |
| PHP curl_exec() URL is controlled by user | CVE-2009-0037 | CWE-352 | Medium |
| PHP preg_replace used on user input | - | CWE-20 | Medium |
| PHP super-globals-overwrite | - | CWE-1108 | Medium |
| PHP unserialize() used on user input | - | CWE-20 | Medium |
| User-controlled form action | - | CWE-20 | Medium |
| HTML Attribute Injection | - | CWE-80 | Low |
| HTML Form found in redirect page | - | CWE-287 | Low |
| Ruby on Rails CookieStore session cookie persistence | - | CWE-613 | Low |
| HTML Injection (requiring unencoded tag delimiter) | - | CWE-80 | Information |
Page 1 of 2