Web Application Vulnerabilities
Category: Configuration (vulnerability index version v.26.3.2229)
This page lists 407 vulnerabilities in this category. Severity breakdown: Critical 4, High 133, Medium 174, Low 51, Information 45.
| Vulnerability Name | CVE | CWE | Severity |
|---|---|---|---|
| ASP.NET ASPX debugging enabled | - | CWE-11 | Medium |
| SAP NetWeaver Java AS WD_CHAT information disclosure vulnerability | - | CWE-200 | Medium |
| ASP.NET CustomErrors Is Disabled | - | CWE-12 | Medium |
| ASP.NET cookies accessible from client-side scripts | - | CWE-1004 | Medium |
| Hadoop cluster web interface | - | CWE-200 | Medium |
| ASP.NET Cookieless session state enabled | - | CWE-598 | Medium |
| Yii2 weak secret key | - | CWE-693 | Medium |
| Web2py weak secret key | - | CWE-693 | Medium |
| TLS/SSL Weak Cipher Suites | - | CWE-310 | Medium |
| Cookie signed with weak secret key | - | CWE-693 | Medium |
| Tornado weak secret key | - | CWE-693 | Medium |
| Symfony ESI (Edge-Side Includes) enabled | - | CWE-16 | Low |
| TRACE Method enabled | - | CWE-489 | Low |
| Apache mod_negotiation filename bruteforcing | - | CWE-538 | Low |
| ColdFusion administrator login page publicly available | - | CWE-200 | Low |
| Nuxt.js Running in Development Mode | - | CWE-200 | Low |
| WordPress admin accessible without HTTP authentication | - | CWE-16 | Low |
| PHP display_errors Is Enabled | - | CWE-209 | Low |
| PHP allow_url_include Is Enabled | - | CWE-829 | Low |
| Arbitrary File Read on Nuxt.js Development Server | - | CWE-200 | Low |
| Internet Information Server returns IP address in HTTP header (Content-Location) | - | CWE-200 | Low |
| Passive Mixed Content over HTTPS | - | CWE-284 | Low |
| Wing FTP Anonymous access | - | CWE-200 | Low |
| FrontPage Identified | - | CWE-16 | Low |
| Possible Database Name Disclosure | - | CWE-200 | Low |
| WordPress default administrator account | - | CWE-16 | Low |
| PHP open_basedir Is Not Configured | - | CWE-664 | Low |
| Apache stronghold-status enabled | - | CWE-200 | Low |
| Tomcat status page | - | CWE-200 | Low |
| Unrestricted access to Prometheus | - | CWE-200 | Low |
| ASP.NET debugging enabled | - | CWE-11 | Low |
| PHP open_basedir is not set | - | CWE-664 | Low |
| PHP allow_url_include enabled | - | CWE-829 | Low |
| PHP allow_url_fopen Is Enabled | - | CWE-829 | Low |
| Clickjacking: CSP frame-ancestors missing | - | CWE-1021 | Low |
| ASP.NET ViewStateUserKey Is Not Set | - | CWE-642 | Low |
| Session ID in URL | - | CWE-200 | Low |
| Unrestricted access to Prometheus Metrics | - | CWE-200 | Low |
| Unrestricted access to a monitoring system | - | CWE-200 | Low |
| ColdFusion RDS Service enabled | - | CWE-200 | Low |
| OData feed accessible anonymously | - | CWE-200 | Low |
| Unrestricted access to ImageResizer Diagnostics plugin | - | CWE-200 | Low |
| IIS Path disclosure | - | CWE-200 | Low |
| Gitlab user disclosure | - | CWE-200 | Low |
| Kentico Staging API publicly accessible | - | CWE-200 | Low |
| H2 console publicly accessible | - | CWE-287 | Low |
| Cookies with missing, inconsistent or contradictory properties | - | CWE-284 | Low |
| Broken Link Hijacking | - | CWE-610 | Low |
| Jenkins open people list | - | CWE-200 | Low |
| Version Disclosure (IIS) | - | CWE-200 | Low |
| Sensitive pages could be cached | - | CWE-200 | Low |
| Insecure Transportation Security Protocol Supported (TLS 1.1) | - | CWE-326 | Low |
| Cookies Not Marked as Secure | - | CWE-614 | Low |
| Spring Boot Misconfiguration: Spring Boot Actuator shutdown endpoint is web exposed | - | CWE-16 | Low |
| Error page path disclosure | - | CWE-200 | Low |
| Apache stronghold-info enabled | - | CWE-200 | Low |
| Cookies Not Marked as HttpOnly | - | CWE-1004 | Low |
| Missing Content-Type Header | - | CWE-16 | Low |
| Apache Solr endpoint | - | CWE-200 | Low |
| Session cookies scoped to parent domain | - | CWE-284 | Low |
| ASP.NET error message | - | CWE-12 | Low |
| TRACK Method enabled | - | CWE-489 | Low |
| Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive | - | CWE-16 | Information |
| WebDAV Enabled | - | CWE-16 | Information |
| Content-Security-Policy-Report-Only Cannot Be Declared Between META Tags | - | CWE-16 | Information |
| Reverse Proxy Detected | - | CWE-16 | Information |
| Insecure Protocol Detected in Content Security Policy (CSP) | - | CWE-16 | Information |
| Access-Control-Allow-Origin header with wildcard (*) value | - | CWE-284 | Information |
| Web Application Firewall Detected | - | CWE-16 | Information |
| Error page web server version disclosure | - | CWE-200 | Information |
| HTTP Strict Transport Security (HSTS) Errors and Warnings | - | CWE-16 | Information |
| Web server default welcome page | - | CWE-200 | Information |
| Microsoft Frontpage configuration information | - | CWE-200 | Information |
| Missing object-src in CSP Declaration | - | CWE-16 | Information |
| Insecure Referrer Policy | - | CWE-16 | Information |