Web Application Vulnerabilities
v.26.4.2314
Configuration
This page lists 405 vulnerabilities in this category.
Critical: 4
High: 127
Medium: 173
Low: 51
Information: 50
| Vulnerability Name | CVE | CWE | Severity |
|---|---|---|---|
| Apache JServ protocol service | - | CWE-200 | Medium |
| ASP.NET diagnostic page | - | CWE-200 | Medium |
| Mojolicious weak secret key | - | CWE-693 | Medium |
| Flask weak secret key | - | CWE-693 | Medium |
| PHP allow_url_include enabled | - | CWE-829 | Low |
| Cookies Not Marked as HttpOnly | - | CWE-1004 | Low |
| Cookies Not Marked as Secure | - | CWE-614 | Low |
| Nuxt.js Running in Development Mode | - | CWE-200 | Low |
| Sensitive pages could be cached | - | CWE-200 | Low |
| Passive Mixed Content over HTTPS | - | CWE-1428 | Low |
| TRACE Method enabled | - | CWE-489 | Low |
| PHP open_basedir is not set | - | CWE-664 | Low |
| Arbitrary File Read on Nuxt.js Development Server | - | CWE-200 | Low |
| Missing Content-Type Header | - | CWE-358 | Low |
| Possible Database Name Disclosure | - | CWE-200 | Low |
| Internet Information Server returns IP address in HTTP header (Content-Location) | - | CWE-200 | Low |
| ColdFusion administrator login page publicly available | - | CWE-200 | Low |
| FrontPage Identified | - | CWE-200 | Low |
| TRACK Method enabled | - | CWE-489 | Low |
| Wing FTP Anonymous access | - | CWE-200 | Low |
| ASP.NET ViewStateUserKey Is Not Set | - | CWE-642 | Low |
| PHP allow_url_fopen Is Enabled | - | CWE-829 | Low |
| ASP.NET debugging enabled | - | CWE-11 | Low |
| Version Disclosure (IIS) | - | CWE-200 | Low |
| Symfony ESI (Edge-Side Includes) enabled | - | CWE-200 | Low |
| Clickjacking: CSP frame-ancestors missing | - | CWE-1021 | Low |
| Apache stronghold-info enabled | - | CWE-200 | Low |
| Apache stronghold-status enabled | - | CWE-200 | Low |
| Error page path disclosure | - | CWE-200 | Low |
| Insecure Transportation Security Protocol Supported (TLS 1.1) | - | CWE-326 | Low |
| Cookies with missing, inconsistent or contradictory properties | - | CWE-732 | Low |
| ColdFusion RDS Service enabled | - | CWE-200 | Low |
| H2 console publicly accessible | - | CWE-287 | Low |
| ASP.NET error message | - | CWE-12 | Low |
| Gitlab user disclosure | - | CWE-200 | Low |
| Unrestricted access to ImageResizer Diagnostics plugin | - | CWE-200 | Low |
| OData feed accessible anonymously | - | CWE-200 | Low |
| Unrestricted access to a monitoring system | - | CWE-200 | Low |
| Unrestricted access to Prometheus | - | CWE-200 | Low |
| Session cookies scoped to parent domain | - | CWE-358 | Low |
| Unrestricted access to Prometheus Metrics | - | CWE-200 | Low |
| Apache Solr endpoint | - | CWE-200 | Low |
| Broken Link Hijacking | - | CWE-610 | Low |
| Tomcat status page | - | CWE-200 | Low |
| Jenkins open people list | - | CWE-200 | Low |
| PHP open_basedir Is Not Configured | - | CWE-664 | Low |
| PHP display_errors Is Enabled | - | CWE-209 | Low |
| PHP allow_url_include Is Enabled | - | CWE-829 | Low |
| Spring Boot Misconfiguration: Spring Boot Actuator shutdown endpoint is web exposed | - | CWE-749 | Low |
| IIS Path disclosure | - | CWE-200 | Low |
| Session ID in URL | - | CWE-200 | Low |
| WordPress default administrator account | - | - | Low |
| Apache mod_negotiation filename bruteforcing | - | CWE-538 | Low |
| WordPress admin accessible without HTTP authentication | - | - | Low |
| Kentico Staging API publicly accessible | - | CWE-200 | Low |
| Access-Control-Allow-Origin header with wildcard (*) value | - | CWE-942 | Information |
| Reverse Proxy Detected | - | - | Information |
| Express express-session weak secret key | - | CWE-693 | Information |
| Cross-Origin Opener Policy (COOP) Needs Improvements | - | CWE-1022 | Information |
| Content-Security-Policy-Report-Only Cannot Be Declared Between META Tags | - | CWE-358 | Information |
| Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive | - | CWE-358 | Information |
| .htaccess File Detected | - | CWE-529 | Information |
| Cross-Origin-Embedder-Policy (COEP) needs improvements | - | CWE-359 | Information |
| Cross-Origin Opener Policy (COOP) Syntax Error | - | CWE-1022 | Information |
| Web server default welcome page | - | CWE-200 | Information |
| WebDAV Enabled | - | CWE-749 | Information |
| Cross-Origin-Embedder-Policy (COEP) Not Implemented | - | CWE-359 | Information |
| HTTP Strict Transport Security (HSTS) Errors and Warnings | - | CWE-319 | Information |
| X-Content-Type-Options (XCTO) Not Implemented | - | - | Information |
| Cookies with Secure flag set over insecure connection | - | CWE-614 | Information |
| Insecure Referrer Policy | - | CWE-200 | Information |
| Scheme URI Detected in Content Security Policy (CSP) Directive | - | CWE-942 | Information |
| Insecure Protocol Detected in Content Security Policy (CSP) | - | CWE-942 | Information |
| Content Security Policy (CSP) Contains Out of Scope report-uri Domain | - | CWE-358 | Information |
| Missing object-src in CSP Declaration | - | CWE-942 | Information |