CWE mapping
Every Sekrd finding maps to industry-standard taxonomies: CWE (MITRE Common Weakness Enumeration), OWASP Top 10 2021, ASVS 4.0 and, where the rule defines one, a CVSS v3.1 base vector. Two operational rules that report scan state rather than a weakness carry no CWE; they are listed at the end of the page. This page is the canonical evidence for Sekrd's MITRE CWE Compatibility application.
Total rules: 113
Distinct CWEs: 44
OWASP Top 10 2021 categories covered: 8 of 10 (A01 to A08; no rule currently maps to A09 or A10)
Rules carrying an ASVS 4.0 requirement: 105 of 113
How to use this page
- Auditors: Ctrl-F a CWE number to see which Sekrd rules fire on it. Every hit carries a stable rule ID you can deep-link to: /rules/<rule_id>.
- Procurement: confirm the scanner's taxonomy coverage against your internal CWE allow-list. Rules that define a CVSS v3.1 base vector show it in the CVSS column, so you can recompute environmental scores in your own calculator; rules without one show "—".
- Developers: click any rule ID to see its evidence, fix prompt, and authoritative references (OWASP cheat sheets, MDN, RFCs, vendor docs).
CWE-79 — Cross-site Scripting (XSS)
5 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| csp-unsafe-inline CSP allows 'unsafe-inline' in script-src | A03:2021 — Injection | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
| jssecurity-inline-handlers Inline event handlers weaken CSP protection | A05:2021 — Security Misconfiguration | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-22 |
| js-innerhtml-dynamic | A03:2021 — Injection | V5.3.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2026-04-18 |
| js-document-write document.write() used — DOM manipulation risk | A03:2021 — Injection | V5.3.3 | — | 2026-04-18 |
| xss-reflected Reflected XSS | A03:2021 — Injection | V5.3.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N | 2026-04-18 |
CWE-89 — SQL Injection
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| sqli-error-based SQL injection (error-based) | A03:2021 — Injection | V5.3.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-18 |
CWE-95 — Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-eval-dynamic | A03:2021 — Injection | V5.3.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2026-04-17 |
| csp-unsafe-eval CSP allows 'unsafe-eval' | A03:2021 — Injection | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-116 — Improper Encoding or Escaping of Output
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| missing-x-content-type-options Missing X-Content-Type-Options: nosniff | A05:2021 — Security Misconfiguration | V14.4.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
CWE-200 — Exposure of Sensitive Information
8 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-internal-urls | A01:2021 — Broken Access Control | V14.3.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-18 |
| via-header-disclosed Proxy software disclosed in Via header | A05:2021 — Security Misconfiguration | V14.3.1 | — | 2026-04-18 |
| server-version-disclosed Server software version disclosed | A05:2021 — Security Misconfiguration | V14.3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-18 |
| network-influxdb-exposed InfluxDB admin port exposed | A01:2021 — Broken Access Control | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-20 |
| network-zookeeper-exposed ZooKeeper port exposed | A01:2021 — Broken Access Control | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-20 |
| network-prometheus-exposed Prometheus port exposed | A01:2021 — Broken Access Control | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-21 |
| secret-high-entropy High-entropy token detected | A02:2021 — Cryptographic Failures | V2.10.1 | — | 2026-04-18 |
| missing-referrer-policy Missing Referrer-Policy header | A01:2021 — Broken Access Control | V14.4.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
CWE-203 — Observable Discrepancy
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| wordpress-user-enum WordPress user enumeration via REST API | A07:2021 — Identification and Authentication Failures | — | — | 2026-04-18 |
CWE-209 — Generation of Error Message Containing Sensitive Information
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| error-page-leak Error page leaks implementation details | A05:2021 — Security Misconfiguration | V7.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-18 |
CWE-250 — Execution with Unnecessary Privileges
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-root-user Container runs as root | A05:2021 — Security Misconfiguration | V14.2.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-19 |
| dockerfile-no-user Dockerfile has no USER directive | A05:2021 — Security Misconfiguration | V14.2.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-19 |
CWE-269 — Improper Privilege Management
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-sudo Dockerfile invokes sudo | A05:2021 — Security Misconfiguration | V14.2.1 | — | 2026-04-19 |
CWE-284 — Improper Access Control
23 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| firebase-rules-open | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-17 |
| firebase-rtdb-read-open Realtime Database allows public read access | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2026-04-18 |
| network-mssql-exposed Microsoft SQL Server port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-21 |
| network-couchdb-exposed CouchDB admin port exposed | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| network-kafka-exposed Kafka broker port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L | 2026-04-20 |
| network-mysql-exposed MySQL port exposed to the public internet | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| wordpress-rest-api-open WordPress REST API fully accessible | A01:2021 — Broken Access Control | — | — | 2026-04-18 |
| firebase-firestore-public Firestore collection publicly readable | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
| network-solr-exposed Apache Solr admin port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-21 |
| network-docker-api-exposed Docker Engine API port exposed (unencrypted) | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-21 |
| network-consul-exposed HashiCorp Consul port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-21 |
| firebase-rtdb-public Firebase Realtime Database publicly readable | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
| network-kibana-exposed Kibana port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-21 |
| firebase-rtdb-test-mode Realtime Database rules in test mode (allow all) | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-18 |
| network-postgresql-exposed PostgreSQL port exposed to the public internet | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| wordpress-login-exposed WordPress login page publicly accessible | A07:2021 — Identification and Authentication Failures | — | — | 2026-04-18 |
| supabase-rls-bypass | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-17 |
| firebase-storage-public Firebase Cloud Storage bucket publicly listable | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
| network-rabbitmq-amqp-exposed RabbitMQ AMQP broker exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L | 2026-04-20 |
| network-rabbitmq-mgmt-exposed RabbitMQ management UI exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 2026-04-20 |
| firebase-rtdb-write-open Realtime Database allows public write access | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 2026-04-18 |
| network-elasticsearch-exposed Elasticsearch HTTP API exposed to the public internet | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-20 |
| network-etcd-exposed etcd client port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-21 |
CWE-285 — Improper Authorization
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| compliance-no-data-deletion | A01:2021 — Broken Access Control | V8.1.3 | — | 2026-04-18 |
CWE-287 — Improper Authentication
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| supabase-phone-confirm-off Phone confirmation disabled | A07:2021 — Identification and Authentication Failures | V2.2.7 | — | 2026-04-18 |
| supabase-email-confirm-off Email confirmation disabled | A07:2021 — Identification and Authentication Failures | V2.2.7 | — | 2026-04-18 |
CWE-290 — Authentication Bypass by Spoofing
3 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| infra-no-spf No SPF record — email spoofing possible | A02:2021 — Cryptographic Failures | V14.2.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N | 2026-04-18 |
| infra-no-dmarc No DMARC record — email spoofing not blocked | A02:2021 — Cryptographic Failures | V14.2.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N | 2026-04-18 |
| dmarc-policy-none DMARC policy set to 'none' — not enforcing | A02:2021 — Cryptographic Failures | — | — | 2026-04-18 |
CWE-295 — Improper Certificate Validation
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| tls-cert-expired TLS certificate has expired | A02:2021 — Cryptographic Failures | V9.1.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
| tls-cert-validation-failed TLS certificate validation failed | A02:2021 — Cryptographic Failures | V9.1.1 | — | 2026-04-18 |
CWE-306 — Missing Authentication for Critical Function
7 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| network-cassandra-exposed Cassandra CQL native port exposed | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-21 |
| network-memcached-exposed Memcached port exposed to the public internet | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| network-kubelet-exposed Kubernetes kubelet port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-21 |
| unprotected-api-endpoint | A01:2021 — Broken Access Control | V1.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-17 |
| network-clickhouse-http-exposed ClickHouse HTTP port exposed | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-21 |
| network-redis-exposed Redis port exposed to the public internet | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| network-mongodb-exposed MongoDB port exposed to the public internet | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
CWE-307 — Improper Restriction of Excessive Authentication Attempts
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| wordpress-bruteforce-chain WordPress brute-force attack chain: admin username + exposed login | A07:2021 — Identification and Authentication Failures | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-18 |
| no-rate-limit No rate limiting on sensitive endpoint | A04:2021 — Insecure Design | V2.2.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2026-04-18 |
CWE-312 — Cleartext Storage of Sensitive Information
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-pii-in-storage PII stored in browser storage | A02:2021 — Cryptographic Failures | V3.1.1 | — | 2026-04-18 |
CWE-319 — Cleartext Transmission of Sensitive Information
3 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| site-not-https Site not using HTTPS | A02:2021 — Cryptographic Failures | V9.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
| missing-hsts Missing Strict-Transport-Security (HSTS) header | A02:2021 — Cryptographic Failures | V9.1.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-17 |
| hsts-no-subdomains HSTS missing includeSubDomains directive | A02:2021 — Cryptographic Failures | V9.1.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-327 — Use of a Broken or Risky Cryptographic Algorithm
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| tls-1-1-supported Server supports TLS 1.1 — deprecated | A02:2021 — Cryptographic Failures | V9.1.3 | — | 2026-04-18 |
| tls-1-0-supported Server supports TLS 1.0 — deprecated and insecure | A02:2021 — Cryptographic Failures | V9.1.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-345 — Insufficient Verification of Data Authenticity
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| payment-webhook-no-sig Payment webhook accepts unsigned requests | A08:2021 — Software and Data Integrity Failures | V10.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 2026-04-22 |
CWE-346 — Origin Validation Error
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-postmessage-no-origin postMessage listener without origin validation | A01:2021 — Broken Access Control | V13.1.5 | — | 2026-04-18 |
CWE-352 — Cross-Site Request Forgery (CSRF)
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| form-no-csrf | A01:2021 — Broken Access Control | V13.2.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-17 |
CWE-359 — Exposure of Private Personal Information
4 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| compliance-no-cookie-consent | A04:2021 — Insecure Design | V8.1.1 | — | 2026-04-18 |
| compliance-no-cookie-policy No cookie policy page found | A04:2021 — Insecure Design | V8.1.1 | — | 2026-04-18 |
| compliance-no-privacy-policy | A04:2021 — Insecure Design | V8.1.1 | — | 2026-04-18 |
| compliance-tracker-no-consent Analytics tracker loaded without cookie consent | A04:2021 — Insecure Design | V8.1.1 | — | 2026-04-18 |
CWE-494 — Download of Code Without Integrity Check
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-curl-pipe-bash Dockerfile pipes remote script into shell | A08:2021 — Software and Data Integrity Failures | V14.2.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-19 |
CWE-521 — Weak Password Requirements
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| network-neo4j-exposed Neo4j Browser port exposed | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-20 |
CWE-538 — Insertion of Sensitive Information into Externally-Accessible File or Directory
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| env-file-exposed .env file publicly accessible | A05:2021 — Security Misconfiguration | V14.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-18 |
CWE-540 — Inclusion of Sensitive Information in Source Code
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-sourcemap-reference Source map reference found in JavaScript | A05:2021 — Security Misconfiguration | V14.3.2 | — | 2026-04-18 |
| js-sourcemap-exposed JavaScript source map exposed | A05:2021 — Security Misconfiguration | V14.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-17 |
CWE-601 — URL Redirection to Untrusted Site (Open Redirect)
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| open-redirect Open redirect | A01:2021 — Broken Access Control | V5.1.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2026-04-18 |
| open-redirect-js Open redirect (JavaScript) | A01:2021 — Broken Access Control | V5.1.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2026-04-18 |
CWE-602 — Client-Side Enforcement of Server-Side Security
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-clientside-role-check Role/permission check in client JavaScript — privilege escalation risk | A01:2021 — Broken Access Control | V1.4.1 | — | 2026-04-18 |
| js-clientside-auth-guard Client-side only auth guard detected — bypassable via dev tools | A01:2021 — Broken Access Control | V1.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-614 — Sensitive Cookie Without Secure Attribute
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| cookie-no-secure | A02:2021 — Cryptographic Failures | V3.4.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-17 |
CWE-639 — Authorization Bypass Through User-Controlled Key (IDOR)
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| idor-sequential-id Potential IDOR via sequential IDs | A01:2021 — Broken Access Control | V4.2.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-18 |
CWE-693 — Protection Mechanism Failure
5 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| missing-csp No Content-Security-Policy header | A05:2021 — Security Misconfiguration | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-17 |
| csp-no-object-src CSP missing object-src restriction | A05:2021 — Security Misconfiguration | V14.4.1 | — | 2026-04-18 |
| csp-broad-script-src CSP script-src allows overly broad sources | A05:2021 — Security Misconfiguration | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
| csp-report-only CSP is report-only, not enforced | A05:2021 — Security Misconfiguration | V14.4.1 | — | 2026-04-18 |
| missing-permissions-policy Missing Permissions-Policy header | A05:2021 — Security Misconfiguration | V14.4.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
CWE-754 — Improper Check for Unusual or Exceptional Conditions
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-no-healthcheck Dockerfile has no HEALTHCHECK | A04:2021 — Insecure Design | V1.14.3 | — | 2026-04-19 |
CWE-798 — Use of Hard-coded Credentials
4 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| costexposure-public-key Public API key exposed — verify vendor restrictions | A02:2021 — Cryptographic Failures | V14.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2026-04-22 |
| dockerfile-secret-in-env Secret baked into image via ENV/ARG | A02:2021 — Cryptographic Failures | V2.10.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-19 |
| secret-pattern-match Potential secret detected in client code | A02:2021 — Cryptographic Failures | V2.10.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-18 |
| stripe-live-secret-in-client Stripe live secret key exposed in client code | A02:2021 — Cryptographic Failures | V14.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-17 |
CWE-799 — Improper Control of Interaction Frequency
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| exfil-chain Data exfiltration chain: exposed user data + no rate limiting | A04:2021 — Insecure Design | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-18 |
CWE-829 — Inclusion of Functionality from Untrusted Control Sphere
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-add-remote-url Dockerfile uses ADD for remote URL | A08:2021 — Software and Data Integrity Failures | V14.2.3 | — | 2026-04-19 |
CWE-922 — Insecure Storage of Sensitive Information
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-auth-token-localstorage Auth token stored in localStorage — XSS leads to account takeover | A02:2021 — Cryptographic Failures | V3.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N | 2026-04-18 |
CWE-942 — Permissive Cross-domain Policy with Untrusted Domains
3 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| cors-reflected-origin CORS reflects arbitrary origin | A05:2021 — Security Misconfiguration | V14.5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
| cors-reflected-creds CORS reflects arbitrary origin with credentials | A05:2021 — Security Misconfiguration | V14.5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N | 2026-04-18 |
| cors-wildcard-creds CORS wildcard with credentials | A05:2021 — Security Misconfiguration | V14.5.3 | — | 2026-04-18 |
CWE-1004 — Sensitive Cookie Without 'HttpOnly' Flag
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| cookie-no-httponly | A07:2021 — Identification and Authentication Failures | V3.4.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N | 2026-04-17 |
CWE-1021 — Improper Restriction of Rendered UI Layers or Frames
3 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| missing-corp Missing Cross-Origin-Resource-Policy header | A05:2021 — Security Misconfiguration | V14.4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-18 |
| missing-coop Missing Cross-Origin-Opener-Policy header | A05:2021 — Security Misconfiguration | V14.4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
| missing-xfo Missing X-Frame-Options header | A05:2021 — Security Misconfiguration | V14.4.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | 2026-04-17 |
CWE-1037 — Processor Optimization Removal or Modification of Security-critical Code
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-apt-no-recommends apt-get install without --no-install-recommends | A05:2021 — Security Misconfiguration | V14.2.5 | — | 2026-04-19 |
CWE-1104 — Use of Unmaintained Third Party Components
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-no-tag Dockerfile base image has no explicit tag | A06:2021 — Vulnerable and Outdated Components | V14.2.5 | — | 2026-04-19 |
| dockerfile-latest-tag Dockerfile uses :latest tag | A06:2021 — Vulnerable and Outdated Components | V14.2.5 | — | 2026-04-19 |
CWE-1275 — Sensitive Cookie with Improper SameSite Attribute
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| cookie-no-samesite | A01:2021 — Broken Access Control | V3.4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-1395 — Dependency on Vulnerable Third-Party Component
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| vulnerable-dependency Vulnerable dependency | A06:2021 — Vulnerable and Outdated Components | V14.2.1 | — | 2026-04-18 |
(infra — no CWE)
2 rules
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| supabase-signup-disabled Public signup is disabled | N/A — configuration | — | — | 2026-04-18 |
| dast-scan-incomplete DAST scan incomplete | — | — | — | 2026-04-22 |
MITRE CWE Compatibility
The MITRE CWE Compatibility and Effectiveness Program recognizes products that meaningfully map their findings to CWEs. Sekrd meets the four official requirements:
- CWE Searchable — users can search findings by CWE number across /rules.
- CWE Output — every finding that maps to a CWE carries that CWE ID in every scan report format (JSON, SARIF, PDF, CSV).
- CWE Mapping Accuracy — each mapping is based on authoritative references; the TestCatalog_EveryEntryHasRequiredFields regression test blocks any rule without a CWE from merging.
- CWE Documentation — this page, publicly linked, auto-generated from the rule catalog and grouped by CWE.
Application status: submitted, awaiting MITRE review. Once accepted, the CWE-Compatible logo will appear on the landing page with a link to the official entry.