| User input concatenated into SQL query | SQL injection | Use parameterised queries or prepared statements |
innerHTML, dangerouslySetInnerHTML, or v-html used | XSS vulnerability | Use framework auto-escaping; sanitise with DOMPurify/bleach |
| Hardcoded password, API key, or token in source | Leaked secret | Move to secrets manager; add pre-commit scanning |
eval(), exec(), or Function() with user input | Code injection | Remove eval; use safe alternatives |
| Password stored as plaintext or with MD5/SHA1 | Weak credential storage | Use bcrypt, scrypt, or Argon2id |
| CSRF protection disabled or missing | Cross-site request forgery | Enable framework CSRF middleware; add anti-CSRF tokens |
| Missing authorisation check on endpoint | Broken access control | Add authorisation middleware; check on every request |
shell=True or os.system() with user input | Command injection | Use subprocess with argument list; avoid shell execution |
| Sensitive data in log output | Information leakage | Mask or redact before logging |
.env file committed to repository | Secret exposure | Add to .gitignore; rotate exposed secrets |
| HTTP used instead of HTTPS | Man-in-the-middle risk | Enforce TLS everywhere |
| JWT signature not verified | Authentication bypass | Always verify signature, issuer, audience, and expiry |
| XML parser with external entities enabled | XXE attack | Disable external entity processing; prefer JSON |
| Missing rate limiting on login/auth endpoints | Brute-force vulnerability | Add rate limiting; implement account lockout |
Wildcard CORS (Access-Control-Allow-Origin: *) | Overly permissive CORS | Restrict to specific allowed origins |
| Debug mode or verbose errors enabled in production | Information disclosure | Disable debug mode; return generic error messages |
| File path constructed from user input without validation | Path traversal | Canonicalise and validate against a safe base directory |
| Deserialisation of untrusted data | Remote code execution | Avoid deserialising untrusted input; use safe formats (JSON) |
Missing HttpOnly/Secure flags on session cookies | Session hijacking | Set HttpOnly, Secure, and SameSite on all auth cookies |