Leaderboard

CVE and 1-day SAST rule packs maintained by Provally from validated vulnerability analysis artifacts.

Public SAST rules indexed from GitLab security-products/sast-rules with original source and license metadata.

LaTeX (latex/pdflatex/xelatex/lualatex) is being invoked with the `-shell-escape` flag. This flag enables LaTeX's `\write18{...}` and `\input{|"cmd"}` shell-execution primitives, which pass their arguments directly to /bin/sh. If the .tex document being compiled contains any untrusted input (e.g., HTTP request body, user-uploaded file, database field), this

ReDoS (Regular Expression Denial of Service): Using /^\s*/ or /\s*$/ in String.replace() can cause catastrophic backtracking when processing strings with many whitespace characters followed by a non-whitespace character (CVE-2021-3749). The \s* zero-or-more quantifier combined with start/end anchors forces the regex engine into O(N^2) backtracking on adversa

A printf-family function (swprintf_s/swprintf/sprintf_s/sprintf/snprintf/_snwprintf_s) is called with the destination buffer passed both as the output and as its own %s source, followed by a single attacker-influenced argument (e.g. `swprintf_s(buf, L"%s /run {%s}", buf, user_input)`). This is an unbounded self-concatenation into a fixed-size buffer with ove

jsonpickle decode()/Unpickler() is defined or invoked with safe=False, enabling the legacy py/repr deserialization path that calls eval() on attacker-controlled JSON content. A JSON payload like {"py/repr": "os/os.system('id')"} achieves remote code execution. Change the default to safe=True (patched behavior) or pass safe=True explicitly at call sites.

The CodeIgniter `db->order_by()` is being called with a value passed through `db->escape()`. `CI_DB::escape()` is a value-escaping helper that wraps strings in single quotes for SQL literal contexts; it does NOT sanitise SQL identifier contexts like ORDER BY. An attacker controlling the value (typically via a `sort` query parameter) can inject SQL fragments

Passing the result of $DB->escape() (a value escaper that wraps strings as SQL string literals) to $DB->order_by() does not sanitize SQL identifiers. When the argument is user-controlled, this allows ORDER BY SQL injection (commas, function calls, sub-selects, time-based payloads). Use an identifier-quoting/whitelisting helper such as quote_order_by() or res

Passing user-controlled input to CodeIgniter's $db->order_by() after only running it through $db->escape() does not sanitize SQL identifiers. escape() quotes string literals but does not constrain ORDER BY column tokens, allowing an attacker to inject arbitrary SQL (subqueries, CASE/IF expressions, UNION fragments, boolean payloads) into the ORDER BY clause.

The value passed to CodeIgniter's `$db->order_by(...)` is sanitized with `$db->escape(...)`, which only quotes string-literal values for use in WHERE clauses. It does NOT sanitize SQL identifiers or strip ORDER BY syntax (subqueries, CASE expressions, UNION ordering tricks, etc.). Attacker-controlled `sort` / `order_by` parameters can therefore inject SQL in

PHP MIME-type blocklist maps PHP variants (e.g., 'php7:*' => 'text/x-php') but omits 'php8:*' and/or 'php9:*'. Uploaded files with a .php8 / .php9 extension will not be reclassified as text/x-php and may bypass the PHP-handler blocklist, leading to Remote Code Execution on servers that execute these extensions as PHP (CVE-2023-52044, CWE-434).

The uploadFile() method declares a rename/sanitize flag parameter (e.g., $renameFile) that defaults to false. Callers that don't explicitly pass true will keep the attacker-controlled client filename verbatim, including dangerous extensions like .php. This enables Unrestricted File Upload (CWE-434) leading to RCE when files land under a web-served directory.