This page collects WhisperX intelligence signals tagged #web application security. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A security vulnerability has been identified in the backend server configuration, where the Content Security Policy (CSP) is weakened by the inclusion of `'unsafe-inline'` for style sources. This insecure setting, found in the `backend/src/server.js` file, creates a potential attack vector by permitting inline styles. ...
A critical stored cross-site scripting (XSS) vulnerability has been identified in the EmpCloud API, allowing attackers to inject and persistently store malicious JavaScript code within the platform's policy management system. The flaw resides in the `POST /api/v1/policies` endpoint, which accepts and stores raw HTML an...
A critical security flaw in EmpCloud's API allows attackers to inject and store malicious JavaScript code directly into the platform's announcement system. The vulnerability, a classic Cross-Site Scripting (XSS) issue, was discovered in the `POST /api/v1/announcements` endpoint. During testing, raw HTML and JavaScript ...
A scheduled security scan has flagged a high-severity vulnerability in the OWASP Juice Shop project, a widely used web application security training platform. The automated CodeQL analysis identified a Polynomial Regular Expression Denial of Service (ReDoS) flaw within the `profileImageUrlUpload` route. With a CVSS sco...
A critical security oversight in a task management system allows attackers to bypass HTML sanitization and inject cross-site scripting (XSS) payloads. The vulnerability stems from an inconsistent implementation of security controls: while the `TaskService.createTask()` function properly sanitizes user input for task ti...
An automated security scan has flagged a critical path injection vulnerability within the Juice Shop application's codebase. The CodeQL analysis, triggered on March 8, 2026, identified a high-severity flaw (CVSS 7.5) where user-provided data is used without proper validation in a path expression. This uncontrolled data...
A critical security review of a codebase reveals a high-severity Cross-Site Scripting (XSS) vulnerability stemming from a lack of protocol validation for user-entered URLs. The flaw allows attackers to inject and execute arbitrary JavaScript code via `javascript:` links, posing a direct threat to user data and session ...
A critical security gap has been identified in a Next.js application, exposing it to multiple web-based attacks due to the complete absence of essential security headers. The vulnerability, rated MEDIUM (CVSS 5.0), is located in the `next.config.ts` file and leaves the application unprotected against cross-site scripti...
A high-severity reflected cross-site scripting (XSS) vulnerability has been confirmed in a staging environment, allowing attackers to inject and execute arbitrary JavaScript code. The flaw resides in a web application where the value of the `lang` request parameter is copied directly into the HTML document as plain tex...
A critical security vulnerability has been automatically flagged in the codebase of the Juice Shop project. The automated scan identified a 'type confusion through parameter tampering' flaw in the `routes/search.ts` file, specifically at line 22. This high-severity finding indicates that an HTTP request parameter in th...
A scanning project targeting 6,000 web applications has uncovered a widespread security failure: 1,542 servers processed forged Stripe webhook events without verifying the signature header. Researchers sent minimal fake `checkout.session.completed` events to common webhook endpoints without any `Stripe-Signature` heade...