Technical severity | VRT category | Specific vulnerability name | Variant / Affected function |
---|---|---|---|
P1 | Server Security Misconfiguration | Using Default Credentials | |
P1 | Server-Side Injection | File Inclusion | Local |
P1 | Server-Side Injection | Remote Code Execution (RCE) | |
P1 | Server-Side Injection | SQL Injection | |
P1 | Server-Side Injection | XML External Entity Injection (XXE) | |
P1 | Broken Authentication and Session Management | Authentication Bypass | |
P1 | Sensitive Data Exposure | Disclosure of Secrets | For Publicly Accessible Asset |
P1 | Insecure OS/Firmware | Command Injection | |
P1 | Insecure OS/Firmware | Hardcoded Password | Privileged User |
P1 | Broken Cryptography | Cryptographic Flaw | Incorrect Usage |
P1 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | PII Leakage |
P1 | Automotive Security Misconfiguration | RF Hub | Key Fob Cloning |
P2 | Server Security Misconfiguration | Misconfigured DNS | High Impact Subdomain Takeover |
P2 | Server Security Misconfiguration | OAuth Misconfiguration | Account Takeover |
P2 | Sensitive Data Exposure | Weak Password Reset Implementation | Token Leakage via Host Header Poisoning |
P2 | Cross-Site Scripting (XSS) | Stored | Non-Privileged User to Anyone |
P2 | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) | Internal High Impact |
P2 | Cross-Site Request Forgery (CSRF) | Application-Wide | |
P2 | Application-Level Denial-of-Service (DoS) | Critical Impact and/or Easy Difficulty | |
P2 | Insecure OS/Firmware | Hardcoded Password | Non-Privileged User |
P2 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | OTA Firmware Manipulation |
P2 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Code Execution (CAN Bus Pivot) |
P2 | Automotive Security Misconfiguration | RF Hub | CAN Injection / Interaction |
P3 | Server Security Misconfiguration | Misconfigured DNS | Basic Subdomain Takeover |
P3 | Server Security Misconfiguration | Mail Server Misconfiguration | No Spoofing Protection on Email Domain |
P3 | Server-Side Injection | HTTP Response Manipulation | Response Splitting (CRLF) |
P3 | Server-Side Injection | Content Spoofing | iframe Injection |
P3 | Broken Authentication and Session Management | Second Factor Authentication (2FA) Bypass | |
P3 | Broken Authentication and Session Management | Session Fixation | Remote Attack Vector |
P3 | Sensitive Data Exposure | Disclosure of Secrets | For Internal Asset |
P3 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Automatic User Enumeration |
P3 | Cross-Site Scripting (XSS) | Stored | Privileged User to Privilege Elevation |
P3 | Cross-Site Scripting (XSS) | Stored | CSRF/URL-Based |
P3 | Cross-Site Scripting (XSS) | Reflected | Non-Self |
P3 | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) | Internal Scan and/or Medium Impact |
P3 | Application-Level Denial-of-Service (DoS) | High Impact and/or Medium Difficulty | |
P3 | Client-Side Injection | Binary Planting | Default Folder Privilege Escalation |
P3 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Code Execution (No CAN Bus Pivot) |
P3 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Unauthorized Access to Services (API / Endpoints) |
P3 | Automotive Security Misconfiguration | RF Hub | Data Leakage / Pull Encryption Mechanism |
P3 | Automotive Security Misconfiguration | CAN | Injection (Battery Management System) |
P3 | Automotive Security Misconfiguration | CAN | Injection (Steering Control) |
P3 | Automotive Security Misconfiguration | CAN | Injection (Pyrotechnical Device Deployment Tool) |
P3 | Automotive Security Misconfiguration | CAN | Injection (Headlights) |
P3 | Automotive Security Misconfiguration | CAN | Injection (Sensors) |
P3 | Automotive Security Misconfiguration | CAN | Injection (Vehicle Anti-theft Systems) |
P3 | Automotive Security Misconfiguration | CAN | Injection (Powertrain) |
P3 | Automotive Security Misconfiguration | CAN | Injection (Basic Safety Message) |
P3 | Automotive Security Misconfiguration | Battery Management System | Firmware Dump |
P3 | Automotive Security Misconfiguration | Immobilizer | Engine Start |
P3 | Automotive Security Misconfiguration | Automatic Braking System (ABS) | Unintended Acceleration / Brake |
P4 | Server Security Misconfiguration | Misconfigured DNS | Zone Transfer |
P4 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain |
P4 | Server Security Misconfiguration | Database Management System (DBMS) Misconfiguration | Excessively Privileged User / DBA |
P4 | Server Security Misconfiguration | Lack of Password Confirmation | Delete Account |
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Registration |
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Login |
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Email-Triggering |
P4 | Server Security Misconfiguration | No Rate Limiting on Form | SMS-Triggering |
P4 | Server Security Misconfiguration | Missing Secure or HTTPOnly Cookie Flag | Session Token |
P4 | Server Security Misconfiguration | Clickjacking | Sensitive Click-Based Action |
P4 | Server Security Misconfiguration | OAuth Misconfiguration | Account Squatting |
P4 | Server Security Misconfiguration | CAPTCHA | Implementation Vulnerability |
P4 | Server Security Misconfiguration | Lack of Security Headers | Cache-Control for a Sensitive Page |
P4 | Server Security Misconfiguration | Web Application Firewall (WAF) Bypass | Direct Server Access |
P4 | Server-Side Injection | Content Spoofing | Impersonation via Broken Link Hijacking |
P4 | Server-Side Injection | Content Spoofing | External Authentication Injection |
P4 | Server-Side Injection | Content Spoofing | Email HTML Injection |
P4 | Server-Side Injection | Server-Side Template Injection (SSTI) | Basic |
P4 | Broken Authentication and Session Management | Cleartext Transmission of Session Token | |
P4 | Broken Authentication and Session Management | Weak Login Function | Other Plaintext Protocol with no Secure Alternative |
P4 | Broken Authentication and Session Management | Weak Login Function | Over HTTP |
P4 | Broken Authentication and Session Management | Failure to Invalidate Session | On Logout (Client and Server-Side) |
P4 | Broken Authentication and Session Management | Failure to Invalidate Session | On Password Reset and/or Change |
P4 | Broken Authentication and Session Management | Weak Registration Implementation | Over HTTP |
P4 | Sensitive Data Exposure | Disclosure of Secrets | Pay-Per-Use Abuse |
P4 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Manual User Enumeration |
P4 | Sensitive Data Exposure | Visible Detailed Error/Debug Page | Detailed Server Configuration |
P4 | Sensitive Data Exposure | Token Leakage via Referer | Untrusted 3rd Party |
P4 | Sensitive Data Exposure | Token Leakage via Referer | Over HTTP |
P4 | Sensitive Data Exposure | Sensitive Token in URL | User Facing |
P4 | Sensitive Data Exposure | Weak Password Reset Implementation | Password Reset Token Sent Over HTTP |
P4 | Sensitive Data Exposure | Via localStorage/sessionStorage | Sensitive Token |
P4 | Cross-Site Scripting (XSS) | Stored | Privileged User to No Privilege Elevation |
P4 | Cross-Site Scripting (XSS) | IE-Only | IE11 |
P4 | Cross-Site Scripting (XSS) | Referer | |
P4 | Cross-Site Scripting (XSS) | Universal (UXSS) | |
P4 | Cross-Site Scripting (XSS) | Off-Domain | Data URI |
P4 | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) | External |
P4 | Broken Access Control (BAC) | Username/Email Enumeration | Non-Brute Force |
P4 | Unvalidated Redirects and Forwards | Open Redirect | GET-Based |
P4 | Insufficient Security Configurability | No Password Policy | |
P4 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Use |
P4 | Insufficient Security Configurability | Weak 2FA Implementation | 2FA Secret Cannot be Rotated |
P4 | Insufficient Security Configurability | Weak 2FA Implementation | 2FA Secret Remains Obtainable After 2FA is Enabled |
P4 | Insecure Data Storage | Sensitive Application Data Stored Unencrypted | On External Storage |
P4 | Insecure Data Storage | Server-Side Credentials Storage | Plaintext |
P4 | Insecure Data Transport | Executable Download | No Secure Integrity Check |
P4 | Privacy Concerns | Unnecessary Data Collection | WiFi SSID+Password |
P4 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Source Code Dump |
P4 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Denial of Service (DoS / Brick) |
P4 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Default Credentials |
P4 | Automotive Security Misconfiguration | RF Hub | Unauthorized Access / Turn On |
P4 | Automotive Security Misconfiguration | CAN | Injection (Disallowed Messages) |
P4 | Automotive Security Misconfiguration | CAN | Injection (DoS) |
P4 | Automotive Security Misconfiguration | Battery Management System | Fraudulent Interface |
P4 | Automotive Security Misconfiguration | GNSS / GPS | Spoofing |
P4 | Automotive Security Misconfiguration | Roadside Unit (RSU) | Sybil Attack |
P5 | Server Security Misconfiguration | Directory Listing Enabled | Non-Sensitive Data Exposure |
P5 | Server Security Misconfiguration | Same-Site Scripting | |
P5 | Server Security Misconfiguration | Misconfigured DNS | Missing Certification Authority Authorization (CAA) Record |
P5 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing to Spam Folder |
P5 | Server Security Misconfiguration | Mail Server Misconfiguration | Missing or Misconfigured SPF and/or DKIM |
P5 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing on Non-Email Domain |
P5 | Server Security Misconfiguration | Lack of Password Confirmation | Change Email Address |
P5 | Server Security Misconfiguration | Lack of Password Confirmation | Change Password |
P5 | Server Security Misconfiguration | Lack of Password Confirmation | Manage 2FA |
P5 | Server Security Misconfiguration | No Rate Limiting on Form | Change Password |
P5 | Server Security Misconfiguration | Unsafe File Upload | No Antivirus |
P5 | Server Security Misconfiguration | Unsafe File Upload | No Size Limit |
P5 | Server Security Misconfiguration | Unsafe File Upload | File Extension Filter Bypass |
P5 | Server Security Misconfiguration | Cookie Scoped to Parent Domain | |
P5 | Server Security Misconfiguration | Missing Secure or HTTPOnly Cookie Flag | Non-Session Cookie |
P5 | Server Security Misconfiguration | Clickjacking | Form Input |
P5 | Server Security Misconfiguration | Clickjacking | Non-Sensitive Action |
P5 | Server Security Misconfiguration | CAPTCHA | Brute Force |
P5 | Server Security Misconfiguration | CAPTCHA | Missing |
P5 | Server Security Misconfiguration | Exposed Admin Portal | To Internet |
P5 | Server Security Misconfiguration | Missing DNSSEC | |
P5 | Server Security Misconfiguration | Fingerprinting/Banner Disclosure | |
P5 | Server Security Misconfiguration | Username/Email Enumeration | Brute Force |
P5 | Server Security Misconfiguration | Potentially Unsafe HTTP Method Enabled | OPTIONS |
P5 | Server Security Misconfiguration | Potentially Unsafe HTTP Method Enabled | TRACE |
P5 | Server Security Misconfiguration | Insecure SSL | Lack of Forward Secrecy |
P5 | Server Security Misconfiguration | Insecure SSL | Insecure Cipher Suite |
P5 | Server Security Misconfiguration | Insecure SSL | Certificate Error |
P5 | Server Security Misconfiguration | Reflected File Download (RFD) | |
P5 | Server Security Misconfiguration | Lack of Security Headers | X-Frame-Options |
P5 | Server Security Misconfiguration | Lack of Security Headers | Cache-Control for a Non-Sensitive Page |
P5 | Server Security Misconfiguration | Lack of Security Headers | X-XSS-Protection |
P5 | Server Security Misconfiguration | Lack of Security Headers | Strict-Transport-Security |
P5 | Server Security Misconfiguration | Lack of Security Headers | X-Content-Type-Options |
P5 | Server Security Misconfiguration | Lack of Security Headers | Content-Security-Policy |
P5 | Server Security Misconfiguration | Lack of Security Headers | Public-Key-Pins |
P5 | Server Security Misconfiguration | Lack of Security Headers | X-Content-Security-Policy |
P5 | Server Security Misconfiguration | Lack of Security Headers | X-Webkit-CSP |
P5 | Server Security Misconfiguration | Lack of Security Headers | Content-Security-Policy-Report-Only |
P5 | Server Security Misconfiguration | Bitsquatting | |
P5 | Server-Side Injection | Parameter Pollution | Social Media Sharing Buttons |
P5 | Server-Side Injection | Content Spoofing | Flash Based External Authentication Injection |
P5 | Server-Side Injection | Content Spoofing | Email Hyperlink Injection Based on Email Provider |
P5 | Server-Side Injection | Content Spoofing | Text Injection |
P5 | Server-Side Injection | Content Spoofing | Homograph/IDN-Based |
P5 | Server-Side Injection | Content Spoofing | Right-to-Left Override (RTLO) |
P5 | Broken Authentication and Session Management | Weak Login Function | Not Operational or Intended Public Access |
P5 | Broken Authentication and Session Management | Session Fixation | Local Attack Vector |
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | On Logout (Server-Side Only) |
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | Concurrent Sessions On Logout |
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | On Email Change |
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | On 2FA Activation/Change |
P5 | Broken Authentication and Session Management | Failure to Invalidate Session | Long Timeout |
P5 | Broken Authentication and Session Management | Concurrent Logins | |
P5 | Sensitive Data Exposure | Disclosure of Secrets | Intentionally Public, Sample or Invalid |
P5 | Sensitive Data Exposure | Disclosure of Secrets | Data/Traffic Spam |
P5 | Sensitive Data Exposure | Disclosure of Secrets | Non-Corporate User |
P5 | Sensitive Data Exposure | Visible Detailed Error/Debug Page | Full Path Disclosure |
P5 | Sensitive Data Exposure | Visible Detailed Error/Debug Page | Descriptive Stack Trace |
P5 | Sensitive Data Exposure | Disclosure of Known Public Information | |
P5 | Sensitive Data Exposure | Token Leakage via Referer | Trusted 3rd Party |
P5 | Sensitive Data Exposure | Sensitive Token in URL | In the Background |
P5 | Sensitive Data Exposure | Sensitive Token in URL | On Password Reset |
P5 | Sensitive Data Exposure | Non-Sensitive Token in URL | |
P5 | Sensitive Data Exposure | Mixed Content (HTTPS Sourcing HTTP) | |
P5 | Sensitive Data Exposure | Sensitive Data Hardcoded | OAuth Secret |
P5 | Sensitive Data Exposure | Sensitive Data Hardcoded | File Paths |
P5 | Sensitive Data Exposure | Internal IP Disclosure | |
P5 | Sensitive Data Exposure | JSON Hijacking | |
P5 | Sensitive Data Exposure | Via localStorage/sessionStorage | Non-Sensitive Token |
P5 | Cross-Site Scripting (XSS) | Stored | Self |
P5 | Cross-Site Scripting (XSS) | Reflected | Self |
P5 | Cross-Site Scripting (XSS) | Flash-Based | |
P5 | Cross-Site Scripting (XSS) | Cookie-Based | |
P5 | Cross-Site Scripting (XSS) | IE-Only | XSS Filter Disabled |
P5 | Cross-Site Scripting (XSS) | IE-Only | Older Version (< IE11) |
P5 | Cross-Site Scripting (XSS) | TRACE Method | |
P5 | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) | DNS Query Only |
P5 | Cross-Site Request Forgery (CSRF) | Action-Specific | Logout |
P5 | Cross-Site Request Forgery (CSRF) | CSRF Token Not Unique Per Request | |
P5 | Cross-Site Request Forgery (CSRF) | Flash-Based | |
P5 | Application-Level Denial-of-Service (DoS) | App Crash | Malformed Android Intents |
P5 | Application-Level Denial-of-Service (DoS) | App Crash | Malformed iOS URL Schemes |
P5 | Unvalidated Redirects and Forwards | Open Redirect | POST-Based |
P5 | Unvalidated Redirects and Forwards | Open Redirect | Header-Based |
P5 | Unvalidated Redirects and Forwards | Open Redirect | Flash-Based |
P5 | Unvalidated Redirects and Forwards | Tabnabbing | |
P5 | Unvalidated Redirects and Forwards | Lack of Security Speed Bump Page | |
P5 | External Behavior | Browser Feature | Plaintext Password Field |
P5 | External Behavior | Browser Feature | Save Password |
P5 | External Behavior | Browser Feature | Autocomplete Enabled |
P5 | External Behavior | Browser Feature | Autocorrect Enabled |
P5 | External Behavior | Browser Feature | Aggressive Offline Caching |
P5 | External Behavior | CSV Injection | |
P5 | External Behavior | Captcha Bypass | Crowdsourcing |
P5 | External Behavior | System Clipboard Leak | Shared Links |
P5 | External Behavior | User Password Persisted in Memory | |
P5 | Insufficient Security Configurability | Weak Password Policy | |
P5 | Insufficient Security Configurability | Password Policy Bypass | |
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Email Change |
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Password Change |
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token Has Long Timed Expiry |
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After New Token is Requested |
P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Login |
P5 | Insufficient Security Configurability | Verification of Contact Method not Required | |
P5 | Insufficient Security Configurability | Lack of Notification Email | |
P5 | Insufficient Security Configurability | Weak Registration Implementation | Allows Disposable Email Addresses |
P5 | Insufficient Security Configurability | Weak 2FA Implementation | Missing Failsafe |
P5 | Insufficient Security Configurability | Weak 2FA Implementation | 2FA Code is Not Updated After New Code is Requested |
P5 | Insufficient Security Configurability | Weak 2FA Implementation | Old 2FA Code is Not Invalidated After New Code is Generated |
P5 | Using Components with Known Vulnerabilities | Rosetta Flash | |
P5 | Using Components with Known Vulnerabilities | Outdated Software Version | |
P5 | Using Components with Known Vulnerabilities | Captcha Bypass | OCR (Optical Character Recognition) |
P5 | Insecure Data Storage | Sensitive Application Data Stored Unencrypted | On Internal Storage |
P5 | Insecure Data Storage | Non-Sensitive Application Data Stored Unencrypted | |
P5 | Insecure Data Storage | Screen Caching Enabled | |
P5 | Lack of Binary Hardening | Lack of Exploit Mitigations | |
P5 | Lack of Binary Hardening | Lack of Jailbreak Detection | |
P5 | Lack of Binary Hardening | Lack of Obfuscation | |
P5 | Lack of Binary Hardening | Runtime Instrumentation-Based | |
P5 | Insecure Data Transport | Executable Download | Secure Integrity Check |
P5 | Network Security Misconfiguration | Telnet Enabled | |
P5 | Mobile Security Misconfiguration | SSL Certificate Pinning | Absent |
P5 | Mobile Security Misconfiguration | SSL Certificate Pinning | Defeatable |
P5 | Mobile Security Misconfiguration | Tapjacking | |
P5 | Mobile Security Misconfiguration | Clipboard Enabled | |
P5 | Mobile Security Misconfiguration | Auto Backup Allowed by Default | |
P5 | Client-Side Injection | Binary Planting | Non-Default Folder Privilege Escalation |
P5 | Client-Side Injection | Binary Planting | No Privilege Escalation |
P5 | Automotive Security Misconfiguration | RF Hub | Roll Jam |
P5 | Automotive Security Misconfiguration | RF Hub | Replay |
P5 | Automotive Security Misconfiguration | RF Hub | Relay |
Varies | Server Security Misconfiguration | Unsafe Cross-Origin Resource Sharing | |
Varies | Server Security Misconfiguration | Path Traversal | |
Varies | Server Security Misconfiguration | Directory Listing Enabled | Sensitive Data Exposure |
Varies | Server Security Misconfiguration | SSL Attack (BREACH, POODLE etc.) | |
Varies | Server Security Misconfiguration | OAuth Misconfiguration | Missing/Broken State Parameter |
Varies | Server Security Misconfiguration | OAuth Misconfiguration | Insecure Redirect URI |
Varies | Server Security Misconfiguration | Race Condition | |
Varies | Server Security Misconfiguration | Cache Poisoning | |
Varies | Server-Side Injection | Server-Side Template Injection (SSTI) | Custom |
Varies | Broken Authentication and Session Management | Privilege Escalation | |
Varies | Sensitive Data Exposure | Cross Site Script Inclusion (XSSI) | |
Varies | Broken Access Control (BAC) | Insecure Direct Object References (IDOR) | |
Varies | Broken Access Control (BAC) | Exposed Sensitive Android Intent | |
Varies | Broken Access Control (BAC) | Exposed Sensitive iOS URL Scheme | |
Varies | Cross-Site Request Forgery (CSRF) | Action-Specific | Authenticated Action |
Varies | Cross-Site Request Forgery (CSRF) | Action-Specific | Unauthenticated Action |
Varies | Insecure Data Transport | Cleartext Transmission of Sensitive Data | |
Varies | Indicators of Compromise | | |