Security Vulnerability Database

50 vulnerabilities with real code examples, exploit scenarios, and fix instructions.

Exposed Secrets

Stripe API Keys Committed to Source Code

critical

Learn why Stripe API keys in source code are critical vulnerabilities. See real examples and how to fix exposed Stripe secret keys in your codebase.

.env File Accessible Publicly or Committed to Git

critical

Discover how exposed .env files leak database passwords, API keys, and secrets. Learn to secure your .env files from public access and git commits.

GitHub Personal Access Token Leaked in Code

critical

GitHub personal access tokens in source code let attackers access private repos and push malicious code. Learn how to detect and fix token leaks.

Database Credentials Hardcoded in Application Source

critical

Hardcoded database passwords give attackers direct access to your data. Learn why this happens and how to properly manage database credentials.

AWS Access Keys Committed to Source Code

critical

Exposed AWS access keys let attackers take over your cloud account. Learn how to detect leaked AWS keys and secure your credentials properly.

JWT Signing Secret Hardcoded in Application Source

high

A hardcoded JWT secret lets attackers forge authentication tokens and impersonate users. Learn how to secure JWT signing keys properly.

Firebase Service Account Key Exposed in Client Code

high

Exposed Firebase service account keys give attackers full admin access to your project. Learn how to detect and fix this critical vulnerability.

Encryption Key Hardcoded in Application Source

high

Hardcoded encryption keys make your encryption useless. Learn how to properly manage encryption keys using environment variables and KMS.

Slack Webhook URL Committed to Source Code

medium

Exposed Slack webhook URLs let attackers post phishing messages to your channels. Learn how to secure Slack webhooks and prevent abuse.

SSH Private Key Committed to Version Control

critical

SSH private keys in git repos give attackers direct server access. Learn how to detect exposed SSH keys and secure your deployment process.

Web Security

CORS Wildcard Misconfiguration Allows Unauthorized Cross-Origin Access

high

Learn why setting Access-Control-Allow-Origin to * is dangerous, how attackers exploit permissive CORS policies, and how to configure a secure origin allowlist.

Missing Content Security Policy Header Enables Script Injection

medium

Discover why a missing Content Security Policy header leaves your app open to XSS attacks and how to build a robust CSP for Next.js and Express applications.

Missing HTTP Security Headers Expose Application to Common Attacks

medium

Learn which HTTP security headers your app needs, why missing them is risky, and how to add X-Frame-Options, HSTS, and more in Next.js and Express.

Open Redirect Vulnerability Enables Phishing and Token Theft

medium

Understand how open redirect vulnerabilities enable phishing attacks, learn to identify unsafe redirect patterns, and implement proper URL validation in your app.

Clickjacking Vulnerability Due to Missing Frame Protection

medium

Learn how clickjacking attacks work, why missing X-Frame-Options headers are dangerous, and how to protect your app with frame-ancestors and CSP directives.

Missing HTTPS Redirect Exposes Traffic to Interception

high

Learn why missing HTTP-to-HTTPS redirects expose your users to man-in-the-middle attacks and how to configure proper redirects with HSTS.

Insecure Cookie Flags Allow Session Hijacking and CSRF

high

Understand why missing Secure, HttpOnly, and SameSite cookie flags are dangerous and learn how to configure cookies correctly in Next.js and Express.

Exposed Source Maps in Production Leak Application Source Code

medium

Learn why publicly accessible source maps in production reveal your entire frontend codebase and how to disable or restrict them in Next.js and Webpack.

Missing CSRF Protection Allows Unauthorized State-Changing Requests

high

Understand how CSRF attacks exploit cookie-based authentication, learn the synchronizer token pattern, and implement CSRF protection in Next.js APIs.

Missing Subresource Integrity on CDN Scripts Enables Supply Chain Attacks

low

Learn how missing Subresource Integrity hashes on CDN scripts expose your app to supply chain attacks and how to generate and maintain SRI hashes.

Infrastructure

AWS S3 Bucket With Public Access Enabled

critical

Learn why public AWS S3 buckets cause data breaches and how to lock them down with Block Public Access, IAM policies, and automated auditing.

Overly Permissive AWS IAM Policies

critical

Wildcard IAM policies grant full AWS account access. Learn how to audit, scope, and lock down IAM roles using least privilege principles.

Docker Socket Exposed to Containers

critical

Mounting docker.sock in containers grants host root access. Learn secure alternatives like socket proxies, rootless Docker, and Kaniko.

Admin Panel Accessible Without Authentication

high

Public admin panels let attackers control your application. Learn to secure them with VPNs, authentication, IP restrictions, and network segmentation.

Debug Mode Enabled in Production

high

Debug mode in production leaks source code, secrets, and database details. Learn how to disable it and use safe configuration defaults.

No Rate Limiting on API Endpoints

medium

APIs without rate limiting are vulnerable to brute-force, scraping, and DDoS attacks. Learn to implement rate limits with Express and nginx.

Git Directory Accessible via Web Server

high

An accessible .git folder lets attackers download your full repo, including secrets. Learn to block it with nginx rules and secure deployments.

GraphQL Introspection Enabled in Production

medium

GraphQL introspection exposes your entire API schema to attackers. Learn to disable it in production and add field-level authorization.

Stack Traces and Error Details Shown to Users

medium

Detailed error messages reveal stack traces, queries, and file paths. Learn to implement safe error handling with logging and correlation IDs.

MongoDB Running Without Authentication

critical

Unauthenticated MongoDB instances are targeted by ransomware bots. Learn to enable auth, bind to localhost, and secure your database.

Code Injection

SQL Injection via Unsanitized Input

critical

Learn how SQL injection attacks work, see vulnerable and fixed code examples, and discover best practices for preventing SQLi in your applications.

Cross-Site Scripting (XSS)

high

Understand how XSS attacks work, explore real-world vulnerable code patterns, and learn how to prevent cross-site scripting in modern web apps.

OS Command Injection

critical

Learn how OS command injection attacks exploit shell execution in Node.js apps, and discover secure alternatives to prevent arbitrary command execution.

Server-Side Request Forgery (SSRF)

high

Understand server-side request forgery, learn how attackers reach internal services through your app, and implement defenses to block SSRF.

Path Traversal (Directory Traversal)

high

Learn how path traversal attacks escape upload directories and read sensitive files, and how to validate file paths to prevent directory traversal.

JavaScript Prototype Pollution

high

Understand JavaScript prototype pollution, how attackers exploit deep merge functions, and learn safe coding patterns to prevent prototype chain attacks.

Insecure Deserialization of User Input

critical

Learn how insecure deserialization enables remote code execution, see examples in Python and Node.js, and discover how to safely handle serialized data.

Server-Side Template Injection (SSTI)

critical

Discover how server-side template injection works, learn to detect SSTI in Flask and Express apps, and implement fixes to prevent template-based RCE.

XML External Entity (XXE) Attack

high

Learn how XXE attacks exploit XML parsers to read files and perform SSRF, and discover how to configure your parser securely to prevent XXE.

NoSQL Injection in MongoDB Queries

high

Learn how NoSQL injection attacks bypass MongoDB authentication, see real exploit payloads, and implement input validation to secure your queries.

Authentication

API Endpoints Without Authentication Checks

critical

Learn how missing authentication on API endpoints exposes data, and discover patterns for enforcing auth on every route by default.

Insecure Direct Object Reference (IDOR)

high

Understand how IDOR attacks let users access other users' data by changing IDs, and learn how to implement proper authorization checks.

Weak Password Hashing (MD5/SHA1)

high

Understand why MD5 and SHA1 are unsafe for passwords, see GPU cracking speeds, and learn to migrate to bcrypt or Argon2 for proper password security.

Session Fixation Attacks

high

Learn how session fixation attacks hijack user sessions, why session regeneration is critical, and how to secure your session management.

Insecure OAuth Configuration

high

Discover common OAuth 2.0 misconfigurations, learn why the state parameter matters, and implement secure token handling in your authentication flow.

Default Admin Credentials in Production

critical

Learn why default passwords are one of the most exploited vulnerabilities, and implement deployment checks to ensure credentials are always changed.

Missing Input Validation on User Data

high

Learn why server-side input validation is essential, see how missing validation enables attacks, and implement schema-based validation with Zod.

Unrestricted File Upload Vulnerabilities

high

Learn how unrestricted file uploads enable web shell attacks and remote code execution, and implement content validation to secure file handling.

Broken Access Control and Missing Authorization

critical

Learn how broken access control lets regular users reach admin features, and implement role-based authorization to enforce least privilege.

Insecure Password Reset Flow

high

Learn how insecure password reset flows enable account takeover, and implement secure token generation, expiration, and validation patterns.
