Vulnerability Rating Taxonomy
Baseline priority ratings for common vulnerabilities. Align on severity expectations, CWE mappings, and real-world impact.
The application has an alternate authentication path that does not properly enforce authentication, allowing unauthorized access.
The software writes more data to a buffer than it can hold, overwriting adjacent memory and potentially enabling code execution.
Untrusted data is evaluated as code by the application, allowing attackers to execute arbitrary code within the application context.
Untrusted input is passed to system shell commands without proper sanitization, enabling remote command execution on the server.
Untrusted data is deserialized by the application without validation, often leading to remote code execution or authentication bypass.
Memory is freed twice, corrupting the heap allocator and potentially enabling arbitrary code execution.
The application contains code that appears to be intentionally malicious, such as backdoors or trojans inserted by an insider or compromised dependency.
A buffer allocated on the heap is overflowed, corrupting adjacent heap metadata and potentially enabling arbitrary code execution.
The software does not prove or insufficiently proves that an actor claiming a given identity is actually that actor.
A general category for memory corruption issues where improper memory operations lead to crashes, information disclosure, or code execution.
Untrusted input is passed to operating system commands without proper sanitization, allowing remote execution of arbitrary system commands.
User passwords are stored in plaintext, allowing anyone with database access to read all credentials.
The application includes files from remote URLs based on user input, allowing attackers to execute arbitrary remote code.
The application contains code that replicates and spreads to other systems, such as viruses or worms.
Untrusted input is directly concatenated into SQL queries without parameterization, allowing attackers to read, modify, or delete database data.
A buffer allocated on the stack is overflowed, overwriting the return address and potentially enabling arbitrary code execution.
Passwords are stored using reversible encryption or encoding rather than one-way hashing, allowing recovery of plaintext passwords.
A resource is allocated as one type but later accessed as an incompatible type, leading to memory corruption or code execution.
Memory is accessed after it has been freed, potentially causing crashes, data corruption, or arbitrary code execution.
The software contains hard-coded credentials (passwords, API keys) that can be extracted by reverse engineering the application.
Cryptographic keys are embedded directly in source code or binaries, allowing extraction and decryption of protected data.
Passwords are hard-coded in the application source, allowing anyone with code access to discover them.
The software allows writing arbitrary data to arbitrary memory locations, typically leading to arbitrary code execution.
The software reads from a buffer using an index or pointer that references memory after the buffer boundary, potentially exposing sensitive data.
The software reads from a buffer using an index or pointer that references memory before the buffer start, potentially causing crashes or information leakage.
The software writes to a buffer using an index or pointer that references memory before the buffer start, potentially corrupting adjacent memory.
Sensitive data such as passwords or API keys are stored in plaintext, making them accessible to anyone with file system or database access.
Sensitive data is transmitted over unencrypted channels, allowing network attackers to intercept and read the information.
Untrusted input is persistently stored by the application and later rendered without sanitization, affecting all users who view the injected content.
The application loads DLLs from the current working directory before system paths, allowing attackers to execute malicious code via a planted DLL.
The application loads a malicious DLL from an attacker-controlled location due to improper search order or path validation.
The application exposes an API or function that is dangerous when called by untrusted actors, such as eval() or dangerous file operations.
Security-critical state information is stored in locations accessible to unauthorized actors, allowing session or authentication state tampering.
Malformed HTTP requests are interpreted inconsistently by proxies and origin servers, allowing attackers to smuggle hidden requests past security controls.
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
The software does not validate, or incorrectly validates, TLS/SSL certificates, enabling man-in-the-middle attacks.
The software does not correctly follow the certificate chain back to a trusted root, leading to trust of invalid certificates.
Strings are not properly null-terminated, causing buffer over-reads or memory corruption when string functions process the data.
The software does not properly assign, track, or modify user privileges, allowing privilege escalation or unauthorized access.
The software performs an authorization check but does not correctly enforce it, allowing attackers to bypass intended access restrictions.
The software calculates an incorrect buffer size, leading to buffer overflows or underflows when data is copied.
The application exposes direct references to internal objects (files, database records) without access control, allowing unauthorized access by modifying identifiers.
Authentication credentials are transmitted or stored using methods susceptible to interception, such as weak hashing or unencrypted channels.
An integer value is incremented beyond its maximum representable value, causing wrap-around to negative values and potential memory corruption.
An integer value is decremented below its minimum representable value, causing wrap-around to large positive values and potential memory corruption.
The software performs a cryptographic key exchange without verifying the identity of the other party, enabling man-in-the-middle attacks.
Untrusted input is incorporated into LDAP queries without proper sanitization, allowing attackers to modify query logic and access unauthorized directory data.
Debug or test code is left in production, creating unintended entry points such as admin interfaces, debug endpoints, or backdoors.
The product does not adequately verify the identity of communication endpoints or ensure channel integrity, allowing attackers to intercept or modify traffic.
Sensitive or critical information is stored or transmitted without encryption, leaving it exposed to unauthorized access.
A loop or buffer operation incorrectly calculates bounds by one, leading to buffer overflows or underflows.
The software reads data from memory outside the bounds of the intended buffer, potentially exposing sensitive information.
Passwords or secrets are hard-coded in configuration files that may be exposed to unauthorized users.
Untrusted input is used to construct file paths without proper sanitization, allowing attackers to access files outside the intended directory.
A variant of path traversal using encoded or double-encoded path sequences to bypass filters and access restricted files.
The software fails to prevent unauthorized access to private user data such as personal information, location, or communications.
The application uses relative paths from untrusted input without proper validation, allowing traversal outside the intended directory.
The application makes security decisions based on input that can be modified by untrusted actors, bypassing protection mechanisms.
The application loads resources (files, URLs, connections) based on untrusted input without proper validation, leading to unauthorized access or code execution.
Cryptographic nonces or key pairs are reused across operations, breaking the security guarantees of the encryption scheme.
The server makes requests to attacker-specified URLs, allowing access to internal services, metadata endpoints, or restricted networks.
Login credentials are transmitted without adequate protection (e.g., over HTTP instead of HTTPS), allowing network interception.
Password changes do not require knowledge of the original password or alternative authentication, allowing account takeover.
The application uses a format string containing user-controlled input, allowing memory reads, writes, or crashes.
The software uses functions that are inherently dangerous (e.g., gets(), strcpy()) and prone to buffer overflows or other vulnerabilities.
The password recovery mechanism uses weak verification (easily guessable questions, predictable tokens) allowing account takeover.
Integer wrap-around causes a buffer to be allocated with insufficient size, leading to subsequent buffer overflows.
The XML parser processes external entity references, allowing file disclosure, SSRF, or denial of service.
Untrusted input is inserted into XML documents without sanitization, allowing attackers to alter document structure and query logic.
The software allocates resources without imposing limits, allowing attackers to exhaust system resources and cause denial of service.
An array index is decremented below zero, causing out-of-bounds memory access that can lead to crashes or information disclosure.
Flaws in the design or implementation of business rules that allow attackers to manipulate application workflows for unintended gain or damage.
Security controls are implemented in client-side code (JavaScript, mobile apps) rather than on the server, allowing trivial bypass.
Multiple threads or processes access shared resources without proper locking, allowing attackers to exploit timing windows for unauthorized actions.
Untrusted input containing carriage return and line feed characters is passed into HTTP headers, enabling response splitting and header manipulation.
The application does not verify that state-changing requests were intentionally initiated by the user, allowing attackers to perform actions on behalf of victims.
Client-side JavaScript improperly handles untrusted data, allowing attacker-controlled scripts to execute in the victim browser without server interaction.
Untrusted data is rendered in a web page without proper encoding, allowing execution of attacker-supplied scripts in the victim browser.
Untrusted input from a request is immediately returned in the response without sanitization, executing attacker scripts when the victim visits a crafted URL.
The application does not properly restrict resource consumption, allowing attackers to exhaust CPU, memory, disk, or network capacity.
The application uses externally controlled names or references that resolve to resources outside the intended security boundary.
Special characters or elements are not properly sanitized before being processed in a different security context, leading to injection attacks.
The application does not adequately enforce authorization on restricted URLs, scripts, or files, allowing direct access to protected resources.
Untrusted input containing CRLF sequences is written to HTTP headers, allowing attackers to inject additional headers or split the response.
An Android component is exported to other applications without proper restrictions, allowing unauthorized access to app functionality or data.
The software does not handle compressed input with very high compression ratios, allowing denial of service through data amplification (zip bomb).
The application does not properly handle cases where it has insufficient privileges, potentially leaving it in an invalid or insecure state.
The software does not properly validate input before processing it, allowing malformed or malicious data to affect program behavior.
The software does not neutralize escape sequences in input, allowing attackers to inject control characters that alter intended behavior.
The application does not neutralize scripting syntax in HTTP headers that can be processed by browser plugins like Flash.
The application does not neutralize script-related HTML tags in web page content, enabling cross-site scripting attacks.
Sensitive data is encrypted using an encryption scheme that is not strong enough for the required level of protection.
The software uses an incomplete denylist to filter input, allowing attackers to use bypass techniques not covered by the list.
The software exposes sensitive information to actors who are not explicitly authorized to access it.
Sensitive information is transmitted to unauthorized actors through responses, notifications, or external service calls.
Sensitive information is stored without proper access controls, allowing unauthorized actors to read or modify it.
Session tokens or credentials remain valid longer than necessary, allowing attackers to reuse stolen or old session data for unauthorized access.
A required step in a cryptographic algorithm is omitted, resulting in weaker encryption than intended.
The software does not protect data that is assumed to be immutable, allowing attackers to modify it and affect application logic.
The application dereferences a NULL pointer, typically causing a crash or potentially exploitable denial of service.
The application accepts user-controlled input to specify a redirect destination, enabling phishing attacks by redirecting to attacker-controlled sites.
The application makes security decisions based on cookie values without validating or verifying their integrity, allowing tampering.
The product uses a hashing algorithm that produces values susceptible to reversal or efficient collision finding, weakening password storage.
The application authenticates users without invalidating existing session identifiers, allowing attackers to steal authenticated sessions.
The software checks the state of a resource before using it, but the state can change between the check and use, creating an exploitable window.
The software does not limit recursion depth, allowing attackers to cause stack exhaustion and denial of service.
The application searches for critical resources in paths that can be controlled by attackers, leading to execution of malicious code.
The software uses cryptographic algorithms known to be weak or broken (e.g., MD5, SHA-1 for signatures, DES), weakening security guarantees.
Cryptographic keys or passwords are used past their expiration date, increasing the window of opportunity for cracking attacks.
The product uses a non-cryptographic PRNG in a security context, making generated values predictable to attackers.
Random values used in security contexts are not sufficiently unpredictable, allowing attackers to guess or derive them.
The UI does not properly represent critical information, allowing phishing attacks where users are tricked by misleading displays.
Passwords are protected using weak cryptographic mechanisms that do not adequately resist brute force or dictionary attacks.
XML parsers allow recursive entity definitions without limit, enabling billion laughs attacks that exhaust memory and CPU.
The application does not implement sufficient rate limiting or account lockout mechanisms, making it susceptible to automated password guessing attacks.
Sensitive information is stored in files or directories accessible to actors outside the intended control sphere.
The software does not properly anticipate or handle exceptional conditions, allowing attackers to trigger unexpected behavior.
The software improperly handles percent-encoded URLs, allowing attackers to bypass filters or access unexpected resources.
The software compares two entities in a security-relevant context using an incorrect comparison, leading to authorization or logic flaws.
Error messages reveal sensitive information about the system, database schema, file paths, or internal logic to unauthorized users.
Debug information such as stack traces, variable values, or source code is exposed in production environments.
Directory listings are exposed, revealing file names, directory structures, and potentially sensitive files to attackers.
Observable differences in application behavior (error messages, timing, responses) reveal sensitive information about internal state.
Timing differences in application responses reveal sensitive information, such as whether a username exists or a query matched.
Temporary files are created with predictable names, insecure permissions, or in shared directories, allowing information disclosure or race conditions.
The software performs reverse DNS lookups and makes security decisions based on the result, which can be spoofed by attackers.
The software relies on secrecy of design or implementation details as the primary security mechanism, rather than robust controls.
The application trusts externally generated system events (location, timestamps, etc.) without verification, allowing spoofing.
Error conditions are ignored or not properly handled, allowing attackers to induce unexpected behavior without detection.
The web application does not set appropriate cache-control headers, causing sensitive pages to be stored in the browser cache.
The product violates well-established secure design principles, such as least privilege, defense in depth, or fail securely.