This page collects WhisperX intelligence signals tagged #code vulnerability. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A high-severity Cross-Site Scripting (XSS) vulnerability has been identified within a single JavaScript file, posing a direct risk of client-side script injection. The flaw is classified under CWE-79 and OWASP A03:2021 - Injection, with an 80% confidence rating. The core issue is a direct, unescaped assignment of user ...
A GitHub Copilot security scan has flagged a potential SQL injection vulnerability in a Python database initialization script. The automated tool identified a direct string concatenation for an SQL query in the `bad/db_init.py` file, triggering a MEDIUM severity alert under the CWE-89 classification for improper neutra...
A critical security flaw has been identified in the codebase, exposing the application to cross-site scripting (XSS) attacks. The vulnerability originates in the `REVIEW_ME.tsx` component, which renders user-controlled ticket descriptions as raw HTML without sanitization. This allows any user with ticket creation privi...
A critical Server-Side Request Forgery (SSRF) vulnerability exists in the webhook creation handler, allowing attackers to force the server to make HTTP requests to internal network addresses. The flaw is located in `internal/handlers/webhook.go` at lines 65-69, where the handler fails to validate the scheme or destinat...
A critical vulnerability in the Ergo blockchain platform's liquidity provider API allows malicious actors to manipulate displayed Annual Percentage Yield (APY) calculations. The `/api/lp/apy` endpoint, defined in `lp_routes.py`, fails to validate user-controlled query parameters `avg_bet_size` and `bets_per_block`. Thi...
A critical SQL injection vulnerability has been identified within the DEMS project's codebase, exposing a direct path for potential data manipulation or exfiltration. The flaw resides in the `saveInDataModelTable` function within the `src/builders/eventHistoryBuilder.ts` file. The function dangerously uses unsafe strin...
A critical Denial-of-Service (DoS) vulnerability was discovered in a Convex database function, where a malicious actor could trigger a massive bandwidth spike by submitting an arbitrarily large number to an unvalidated `limit` parameter. The flaw, located in the `questionsLibrary.ts` file, allowed an input like `limit:...
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified within the Policai Australian AI Policy Tracker's administrative API. The `/api/admin/analyse-url` endpoint performs a server-side `fetch()` on any user-supplied URL without validation, allowing authenticated attackers to probe internal inf...
A security review of the `ai_plugin.go` code has uncovered multiple critical vulnerabilities, with a prompt injection flaw posing the most immediate and severe risk. The plugin directly embeds user-controlled JSON data into AI prompts without any sanitization, creating a direct path for attackers to manipulate the AI's...
A Semgrep security scan has flagged three critical Cross-Site Scripting (XSS) vulnerabilities within a single PHP file, exposing a direct path for attackers to inject malicious scripts. The automated scan, triggered by a GitHub Actions workflow, detected that user-controlled data flows directly into an unsafe output si...
An AI-powered security scan has flagged a potentially dangerous command injection vulnerability in a PHP codebase, a finding that was notably missed by the conventional Semgrep static analysis tool. The issue centers on line 17 of the file `example-codes/index6.php`, where the code `echo $code;` directly outputs the co...
A GitHub AI security scan has flagged a high-severity vulnerability in a PHP codebase, centering on the dangerous use of unvalidated user input within the `curl_init` function. The automated detection highlights a critical security flaw where user-controlled variables are passed directly to the function, creating a pot...
A Semgrep security scan has flagged a critical Cross-Site Scripting (XSS) vulnerability in a PHP codebase, exposing a direct path for user-controlled data to reach an unsafe output sink without sanitization. The automated finding, generated by a GitHub Actions workflow, indicates a concrete security flaw where maliciou...
A critical SQL injection vulnerability has been eliminated from the Frappe Assistant Core project by removing a dormant but dangerous piece of code. The vulnerability resided in the `create_visualization.py` tool, which had been intentionally disabled but remained physically present on the system. This dead code posed ...
A critical SQL injection vulnerability in a production authentication system has been actively exploited, allowing attackers to bypass login security. The flaw, located in the `/login` endpoint, was detected through production log analysis, confirming that an attacker successfully authenticated as an administrative use...
A low-severity but critical compliance vulnerability has been identified in a production codebase, where user email addresses are being logged in plaintext. The exposure occurs within the authentication flow, specifically in the `src/app/actions/auth.ts` file. Every failed login attempt triggers a console warning that ...
A critical authentication vulnerability has been identified in two core API models, allowing attackers to potentially impersonate any user. The flaw stems from a dangerous design pattern where the API accepts both a cryptographically verified JWT token and a separate, client-submitted user ID parameter (`asf_uid`). Thi...
A critical security vulnerability has been exposed in a JWT authentication middleware, allowing attackers to bypass authentication entirely. The flaw resides in the `decodeToken` function within `packages/api/src/middleware/auth.middleware.ts`, which decodes and validates a JWT's payload but crucially fails to verify t...
A Semgrep security scan has uncovered critical Server-Side Request Forgery (SSRF) vulnerabilities in a PHP codebase, exposing internal services to potential attacker manipulation. The automated analysis identified two distinct instances where user-controlled input flows directly into network-fetching functions without ...
A high-severity security violation has been flagged within a major McKinsey & Company project. The JFrog Xray security scan for the 'agents-at-scale-ark' repository detected CVE-2026-39883, a vulnerability in the OpenTelemetry-Go library that could allow for PATH hijacking attacks on BSD and Solaris platforms. The find...