
Findings

Track and manage security vulnerabilities across all your pentests.

Severity | Title | Status | Date
---------|-------|--------|-----
Critical | Hard-coded service-account secret in repository | Open | Apr 23, 2026
Critical | Authentication bypass via JWT none-algorithm acceptance | Open | Apr 26, 2026
High | SQL injection via raw query in admin search | Open | Apr 23, 2026
High | Server-side request forgery in webhook delivery | Open | Apr 23, 2026
High | Missing authorisation on order export endpoint | Open | Apr 23, 2026
High | Stored XSS in customer notes (admin view) | Open | Apr 26, 2026
High | IDOR on order export — cross-tenant read | Open | Apr 26, 2026
Medium | Missing Rate Limiting on API Endpoints | Open | Feb 16, 2026
Medium | View Count Inflation via Header Manipulation | Open | Feb 16, 2026
Medium | Incomplete Account Deletion | Open | Feb 16, 2026
Medium | API Cost Abuse in Session Publishing | Open | Feb 16, 2026
Medium | XML Injection in Markdown Export | Open | Feb 16, 2026
Medium | Open Redirect in OAuth Flow | Open | Feb 16, 2026
Medium | Insecure JWT signing key derived from env defaults | Open | Apr 23, 2026
Medium | XSS via unescaped customer notes in admin UI | Open | Apr 23, 2026
Medium | Cryptographic operation uses MD5 for password reset tokens | Open | Apr 23, 2026
Medium | Misconfigured CORS allows any origin with credentials | Open | Apr 23, 2026
Medium | Open redirect on post-login URL parameter | Open | Apr 26, 2026
Medium | Sensitive endpoint reachable without authentication | Open | Apr 26, 2026
Medium | Missing rate limit on login endpoint | Open | Apr 26, 2026
Low | Access Token Exposed in URL Query String | Open | Feb 16, 2026
Low | Sensitive Data Exposure in Error Logs | Open | Feb 16, 2026
Low | Plaintext Token Persistence in CLI Auth | Open | Feb 16, 2026
Low | Undisclosed Third-Party Data Sharing | Open | Feb 16, 2026
Low | Missing Clickjacking Protection | Open | Feb 16, 2026
Low | Verbose error responses leak stack traces in production | Open | Apr 23, 2026
Low | Secrets logged in payment retry handler | Open | Apr 23, 2026
Low | Missing rate limit on password reset request endpoint | Open | Apr 23, 2026
Low | Verbose 500 errors leak Django stack traces | Open | Apr 26, 2026
Low | Cookie set without `HttpOnly` / `Secure` flags | Open | Apr 26, 2026
Info | Broken Authentication in CLI Poll Flow | Open | Feb 16, 2026
Info | Repository contains stale test fixtures with real customer data | Open | Apr 23, 2026