| # | Finding | Severity | CVSS | Impact | Vulnerability Class | Notes |
|---|---------|----------|------|--------|---------------------|-------|
| 1 | Web Shell via PHP Object Injection | Critical | 9.8 | Full Remote Code Execution | Insecure Deserialization | Arbitrary file write & shell upload using serialized object |
| 2 | SQL Injection (UNION-based) | Critical | 9.0 | Full database dump (users, PII, credentials) | SQLi | Advanced exploitation with data exfiltration via crafted payloads |
| 3 | Exposed OTP in Password Reset Flow | Critical | 9.0 | Complete account takeover without user interaction | Logic Flaw | OTP shown directly to client in API response |
| 4 | OTP Brute-Force in Fund Transfer | Critical | 9.0 | Unauthorized fund transfer | Brute Force | No attempt limit; brute force possible within seconds |
| 5 | Login Password Brute-Force | High | 7.5 | Easy credential stuffing or account compromise | Brute Force | No rate limiting, no lockout |
| 6 | JWT Weak Signature (Key Cracking) | High | 8.0 | JWT forgery → account impersonation | Auth Bypass | Signed with guessable weak key (rockyou-crackable) |
| 7 | IDOR – Account Detail Access | High | 8.0 | Access to all users' PII and financial info | IDOR | Works at scale with enumeration scripts |
| 8 | XXE (Read /etc/passwd) | High | 7.5 | Arbitrary file read on server | XML External Entity | Exploits contact form XML parser |
| 9 | XSS via Profile Location Field | High | 7.4 | Token theft via DOM injection | Stored XSS | Token exfiltration shown using fetch(localStorage.userData) |
| 10 | Password Change without Verifying Old Password | High | 7.5 | Account lockout or takeover | Logic Flaw | Frontend asks for old password, backend doesn't check it |
| 11 | PII Stored in JWT Tokens | High | 7.0 | Privacy violation & passive token leak | Design Flaw | Full PII inside base64-encoded JWT stored client-side |
| 12 | User Enumeration via Forgot Password | Medium-High | 6.5 | Automated discovery of valid user IDs | Enumeration | Distinct responses reveal whether a user ID exists |
| 13 | Exposed Debug/Dev Endpoints (phpinfo) | Medium | 6.5 | Information Disclosure → stack, paths, configs | Misconfiguration | phpinfo and Dockerfile publicly accessible |