CWE mapping
Every Sekrd rule maps to industry-standard taxonomies: CWE (MITRE Common Weakness Enumeration), OWASP Top 10 2021, ASVS 4.0, and CVSS v3.1. Not every rule has every mapping: a cell showing — in the tables below means that field has not been assigned, and the two infrastructure rules at the end of the page carry no CWE at all. This page is the canonical evidence for the Sekrd MITRE CWE Compatibility application.
Total rules: 113
Distinct CWEs: 44
OWASP Top 10 2021 categories covered: 8 of 10 (A01 through A08; no rule in the catalog below maps to A09 or A10)
Rules with an ASVS 4.0 requirement: 105
How to use this page
- Auditors: use Ctrl-F to search for a CWE number and see which Sekrd rules fire on it. Every hit carries a stable rule ID you can deep-link to: /rules/<rule_id>.
- Procurement: confirm the scanner's taxonomy coverage against your internal CWE allow-list. Rules carry a CVSS v3.1 base vector where one has been assigned (a — in the CVSS column means none yet), so you can recompute environmental scores in your own calculator.
- Developers: click any rule ID to see its evidence, fix prompt, and authoritative references (OWASP cheat sheets, MDN, RFCs, vendor docs).
CWE-79 — Cross-site Scripting (XSS)
5 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| xss-reflected Reflected XSS | A03:2021 — Injection | V5.3.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N | 2026-04-18 |
| csp-unsafe-inline CSP allows 'unsafe-inline' in script-src | A03:2021 — Injection | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
| js-innerhtml-dynamic | A03:2021 — Injection | V5.3.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2026-04-18 |
| js-document-write document.write() used — DOM manipulation risk | A03:2021 — Injection | V5.3.3 | — | 2026-04-18 |
| jssecurity-inline-handlers Inline event handlers weaken CSP protection | A05:2021 — Security Misconfiguration | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-22 |
CWE-89 — SQL Injection
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| sqli-error-based SQL injection (error-based) | A03:2021 — Injection | V5.3.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-18 |
CWE-95 — Eval Injection
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-eval-dynamic | A03:2021 — Injection | V5.3.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2026-04-17 |
| csp-unsafe-eval CSP allows 'unsafe-eval' | A03:2021 — Injection | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-116 — Improper Encoding or Escaping of Output
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| missing-x-content-type-options Missing X-Content-Type-Options: nosniff | A05:2021 — Security Misconfiguration | V14.4.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
CWE-200 — Exposure of Sensitive Information
8 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| server-version-disclosed Server software version disclosed | A05:2021 — Security Misconfiguration | V14.3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-18 |
| via-header-disclosed Proxy software disclosed in Via header | A05:2021 — Security Misconfiguration | V14.3.1 | — | 2026-04-18 |
| js-internal-urls | A01:2021 — Broken Access Control | V14.3.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-18 |
| missing-referrer-policy Missing Referrer-Policy header | A01:2021 — Broken Access Control | V14.4.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
| secret-high-entropy High-entropy token detected | A02:2021 — Cryptographic Failures | V2.10.1 | — | 2026-04-18 |
| network-prometheus-exposed Prometheus port exposed | A01:2021 — Broken Access Control | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-21 |
| network-zookeeper-exposed ZooKeeper port exposed | A01:2021 — Broken Access Control | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-20 |
| network-influxdb-exposed InfluxDB admin port exposed | A01:2021 — Broken Access Control | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-20 |
CWE-203 — Observable Discrepancy
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| wordpress-user-enum WordPress user enumeration via REST API | A07:2021 — Identification and Authentication Failures | — | — | 2026-04-18 |
CWE-209 — Generation of Error Message Containing Sensitive Information
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| error-page-leak Error page leaks implementation details | A05:2021 — Security Misconfiguration | V7.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-18 |
CWE-250 — Execution with Unnecessary Privileges
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-no-user Dockerfile has no USER directive | A05:2021 — Security Misconfiguration | V14.2.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-19 |
| dockerfile-root-user Container runs as root | A05:2021 — Security Misconfiguration | V14.2.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-19 |
CWE-269 — Improper Privilege Management
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-sudo Dockerfile invokes sudo | A05:2021 — Security Misconfiguration | V14.2.1 | — | 2026-04-19 |
CWE-284 — Improper Access Control
23 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| wordpress-login-exposed WordPress login page publicly accessible | A07:2021 — Identification and Authentication Failures | — | — | 2026-04-18 |
| network-elasticsearch-exposed Elasticsearch HTTP API exposed to the public internet | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-20 |
| firebase-firestore-public Firestore collection publicly readable | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
| network-etcd-exposed etcd client port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-21 |
| wordpress-rest-api-open WordPress REST API fully accessible | A01:2021 — Broken Access Control | — | — | 2026-04-18 |
| firebase-rtdb-public Firebase Realtime Database publicly readable | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
| network-rabbitmq-amqp-exposed RabbitMQ AMQP broker exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L | 2026-04-20 |
| network-kibana-exposed Kibana port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-21 |
| firebase-rtdb-write-open Realtime Database allows public write access | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 2026-04-18 |
| firebase-rules-open | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-17 |
| network-mssql-exposed Microsoft SQL Server port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-21 |
| network-consul-exposed HashiCorp Consul port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-21 |
| firebase-rtdb-test-mode Realtime Database rules in test mode (allow all) | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-18 |
| network-kafka-exposed Kafka broker port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L | 2026-04-20 |
| firebase-rtdb-read-open Realtime Database allows public read access | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2026-04-18 |
| network-postgresql-exposed PostgreSQL port exposed to the public internet | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| network-couchdb-exposed CouchDB admin port exposed | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| network-mysql-exposed MySQL port exposed to the public internet | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| firebase-storage-public Firebase Cloud Storage bucket publicly listable | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
| network-rabbitmq-mgmt-exposed RabbitMQ management UI exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 2026-04-20 |
| network-solr-exposed Apache Solr admin port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-21 |
| network-docker-api-exposed Docker Engine API port exposed (unencrypted) | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-21 |
| supabase-rls-bypass | A01:2021 — Broken Access Control | V4.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-17 |
CWE-285 — Improper Authorization
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| compliance-no-data-deletion | A01:2021 — Broken Access Control | V8.1.3 | — | 2026-04-18 |
CWE-287 — Improper Authentication
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| supabase-phone-confirm-off Phone confirmation disabled | A07:2021 — Identification and Authentication Failures | V2.2.7 | — | 2026-04-18 |
| supabase-email-confirm-off Email confirmation disabled | A07:2021 — Identification and Authentication Failures | V2.2.7 | — | 2026-04-18 |
CWE-290 — Authentication Bypass by Spoofing
3 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| infra-no-spf No SPF record — email spoofing possible | A02:2021 — Cryptographic Failures | V14.2.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N | 2026-04-18 |
| dmarc-policy-none DMARC policy set to 'none' — not enforcing | A02:2021 — Cryptographic Failures | — | — | 2026-04-18 |
| infra-no-dmarc No DMARC record — email spoofing not blocked | A02:2021 — Cryptographic Failures | V14.2.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N | 2026-04-18 |
CWE-295 — Improper Certificate Validation
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| tls-cert-validation-failed TLS certificate validation failed | A02:2021 — Cryptographic Failures | V9.1.1 | — | 2026-04-18 |
| tls-cert-expired TLS certificate has expired | A02:2021 — Cryptographic Failures | V9.1.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
CWE-306 — Missing Authentication for Critical Function
7 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| network-kubelet-exposed Kubernetes kubelet port exposed | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2026-04-21 |
| network-cassandra-exposed Cassandra CQL native port exposed | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-21 |
| unprotected-api-endpoint | A01:2021 — Broken Access Control | V1.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-17 |
| network-redis-exposed Redis port exposed to the public internet | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| network-mongodb-exposed MongoDB port exposed to the public internet | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| network-memcached-exposed Memcached port exposed to the public internet | A05:2021 — Security Misconfiguration | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-20 |
| network-clickhouse-http-exposed ClickHouse HTTP port exposed | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-21 |
CWE-307 — Improper Restriction of Excessive Authentication Attempts
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| wordpress-bruteforce-chain WordPress brute-force attack chain: admin username + exposed login | A07:2021 — Identification and Authentication Failures | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-18 |
| no-rate-limit No rate limiting on sensitive endpoint | A04:2021 — Insecure Design | V2.2.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2026-04-18 |
CWE-312 — Cleartext Storage of Sensitive Information
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-pii-in-storage PII stored in browser storage | A02:2021 — Cryptographic Failures | V3.1.1 | — | 2026-04-18 |
CWE-319 — Cleartext Transmission of Sensitive Information
3 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| missing-hsts Missing Strict-Transport-Security (HSTS) header | A02:2021 — Cryptographic Failures | V9.1.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-17 |
| hsts-no-subdomains HSTS missing includeSubDomains directive | A02:2021 — Cryptographic Failures | V9.1.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-18 |
| site-not-https Site not using HTTPS | A02:2021 — Cryptographic Failures | V9.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2026-04-18 |
CWE-327 — Use of a Broken or Risky Cryptographic Algorithm
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| tls-1-1-supported Server supports TLS 1.1 — deprecated | A02:2021 — Cryptographic Failures | V9.1.3 | — | 2026-04-18 |
| tls-1-0-supported Server supports TLS 1.0 — deprecated and insecure | A02:2021 — Cryptographic Failures | V9.1.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-345 — Insufficient Verification of Data Authenticity
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| payment-webhook-no-sig Payment webhook accepts unsigned requests | A08:2021 — Software and Data Integrity Failures | V10.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 2026-04-22 |
CWE-346 — Origin Validation Error
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-postmessage-no-origin postMessage listener without origin validation | A01:2021 — Broken Access Control | V13.1.5 | — | 2026-04-18 |
CWE-352 — Cross-Site Request Forgery (CSRF)
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| form-no-csrf | A01:2021 — Broken Access Control | V13.2.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-17 |
CWE-359 — Exposure of Private Personal Information
4 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| compliance-no-cookie-consent | A04:2021 — Insecure Design | V8.1.1 | — | 2026-04-18 |
| compliance-tracker-no-consent Analytics tracker loaded without cookie consent | A04:2021 — Insecure Design | V8.1.1 | — | 2026-04-18 |
| compliance-no-privacy-policy | A04:2021 — Insecure Design | V8.1.1 | — | 2026-04-18 |
| compliance-no-cookie-policy No cookie policy page found | A04:2021 — Insecure Design | V8.1.1 | — | 2026-04-18 |
CWE-494 — Download of Code Without Integrity Check
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-curl-pipe-bash Dockerfile pipes remote script into shell | A08:2021 — Software and Data Integrity Failures | V14.2.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-19 |
CWE-521 — Weak Password Requirements
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| network-neo4j-exposed Neo4j Browser port exposed | A07:2021 — Identification and Authentication Failures | V1.14.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 2026-04-20 |
CWE-538 — Insertion of Sensitive Information into Externally-Accessible File or Directory
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| env-file-exposed .env file publicly accessible | A05:2021 — Security Misconfiguration | V14.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-18 |
CWE-540 — Inclusion of Sensitive Information in Source Code
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-sourcemap-exposed JavaScript source map exposed | A05:2021 — Security Misconfiguration | V14.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-17 |
| js-sourcemap-reference Source map reference found in JavaScript | A05:2021 — Security Misconfiguration | V14.3.2 | — | 2026-04-18 |
CWE-601 — URL Redirection to Untrusted Site (Open Redirect)
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| open-redirect Open redirect | A01:2021 — Broken Access Control | V5.1.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2026-04-18 |
| open-redirect-js Open redirect (JavaScript) | A01:2021 — Broken Access Control | V5.1.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2026-04-18 |
CWE-602 — Client-Side Enforcement of Server-Side Security
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-clientside-role-check Role/permission check in client JavaScript — privilege escalation risk | A01:2021 — Broken Access Control | V1.4.1 | — | 2026-04-18 |
| js-clientside-auth-guard Client-side only auth guard detected — bypassable via dev tools | A01:2021 — Broken Access Control | V1.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-614 — Sensitive Cookie Without Secure Attribute
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| cookie-no-secure | A02:2021 — Cryptographic Failures | V3.4.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-17 |
CWE-639 — Authorization Bypass Through User-Controlled Key (IDOR)
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| idor-sequential-id Potential IDOR via sequential IDs | A01:2021 — Broken Access Control | V4.2.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-18 |
CWE-693 — Protection Mechanism Failure
5 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| csp-report-only CSP is report-only, not enforced | A05:2021 — Security Misconfiguration | V14.4.1 | — | 2026-04-18 |
| csp-no-object-src CSP missing object-src restriction | A05:2021 — Security Misconfiguration | V14.4.1 | — | 2026-04-18 |
| missing-csp No Content-Security-Policy header | A05:2021 — Security Misconfiguration | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-17 |
| missing-permissions-policy Missing Permissions-Policy header | A05:2021 — Security Misconfiguration | V14.4.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
| csp-broad-script-src CSP script-src allows overly broad sources | A05:2021 — Security Misconfiguration | V14.4.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-754 — Improper Check for Unusual or Exceptional Conditions
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-no-healthcheck Dockerfile has no HEALTHCHECK | A04:2021 — Insecure Design | V1.14.3 | — | 2026-04-19 |
CWE-798 — Use of Hard-coded Credentials
4 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| stripe-live-secret-in-client Stripe live secret key exposed in client code | A02:2021 — Cryptographic Failures | V14.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-17 |
| secret-pattern-match Potential secret detected in client code | A02:2021 — Cryptographic Failures | V2.10.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-18 |
| dockerfile-secret-in-env Secret baked into image via ENV/ARG | A02:2021 — Cryptographic Failures | V2.10.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2026-04-19 |
| costexposure-public-key Public API key exposed — verify vendor restrictions | A02:2021 — Cryptographic Failures | V14.3.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2026-04-22 |
CWE-799 — Improper Control of Interaction Frequency
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| exfil-chain Data exfiltration chain: exposed user data + no rate limiting | A04:2021 — Insecure Design | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 2026-04-18 |
CWE-829 — Inclusion of Functionality from Untrusted Control Sphere
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-add-remote-url Dockerfile uses ADD for remote URL | A08:2021 — Software and Data Integrity Failures | V14.2.3 | — | 2026-04-19 |
CWE-922 — Insecure Storage of Sensitive Information
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| js-auth-token-localstorage Auth token stored in localStorage — XSS leads to account takeover | A02:2021 — Cryptographic Failures | V3.1.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N | 2026-04-18 |
CWE-942 — Permissive Cross-domain Policy with Untrusted Domains
3 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| cors-wildcard-creds CORS wildcard with credentials | A05:2021 — Security Misconfiguration | V14.5.3 | — | 2026-04-18 |
| cors-reflected-creds CORS reflects arbitrary origin with credentials | A05:2021 — Security Misconfiguration | V14.5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N | 2026-04-18 |
| cors-reflected-origin CORS reflects arbitrary origin | A05:2021 — Security Misconfiguration | V14.5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
CWE-1004 — Sensitive Cookie Without 'HttpOnly' Flag
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| cookie-no-httponly | A07:2021 — Identification and Authentication Failures | V3.4.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N | 2026-04-17 |
CWE-1021 — Improper Restriction of Rendered UI Layers or Frames
3 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| missing-coop Missing Cross-Origin-Opener-Policy header | A05:2021 — Security Misconfiguration | V14.4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 2026-04-18 |
| missing-xfo Missing X-Frame-Options header | A05:2021 — Security Misconfiguration | V14.4.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | 2026-04-17 |
| missing-corp Missing Cross-Origin-Resource-Policy header | A05:2021 — Security Misconfiguration | V14.4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 2026-04-18 |
CWE-1037
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-apt-no-recommends apt-get install without --no-install-recommends | A05:2021 — Security Misconfiguration | V14.2.5 | — | 2026-04-19 |
CWE-1104 — Use of Unmaintained Third Party Components
2 rules — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dockerfile-no-tag Dockerfile base image has no explicit tag | A06:2021 — Vulnerable and Outdated Components | V14.2.5 | — | 2026-04-19 |
| dockerfile-latest-tag Dockerfile uses :latest tag | A06:2021 — Vulnerable and Outdated Components | V14.2.5 | — | 2026-04-19 |
CWE-1275 — Sensitive Cookie with Improper SameSite Attribute
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| cookie-no-samesite | A01:2021 — Broken Access Control | V3.4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2026-04-18 |
CWE-1395 — Dependency on Vulnerable Third-Party Component
1 rule — official MITRE entry ↗
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| vulnerable-dependency Vulnerable dependency | A06:2021 — Vulnerable and Outdated Components | V14.2.1 | — | 2026-04-18 |
(infra — no CWE)
2 rules
| Rule | OWASP | ASVS | CVSS | Version |
|---|---|---|---|---|
| dast-scan-incomplete DAST scan incomplete | — | — | — | 2026-04-22 |
| supabase-signup-disabled Public signup is disabled | N/A — configuration | — | — | 2026-04-18 |
MITRE CWE Compatibility
The MITRE CWE Compatibility and Effectiveness Program recognizes products that meaningfully map their findings to CWEs. Sekrd meets the four official requirements:
- CWE Searchable — users can search findings by CWE number across /rules.
- CWE Output — every finding in every scan report (JSON, SARIF, PDF, CSV) carries a CWE field.
- CWE Mapping Accuracy — each mapping is based on authoritative references; the TestCatalog_EveryEntryHasRequiredFields regression test blocks any rule without a CWE from merging.
- CWE Documentation — this page, publicly linked, auto-generated from the rule catalog, grouped by CWE.
Application status: submitted — awaiting MITRE review. Once accepted we'll display the CWE-Compatible logo on the landing and link the official entry.
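Below is an added example (not Sekrd's own test code) of the kind of catalog gate the CWE Mapping Accuracy bullet describes: a check that rejects a rule entry with no CWE or with a malformed taxonomy field, plus the headline counts shown at the top of this page derived from the same entries. The dict layout, the cwe_optional_ids allow-list (the page does not say how its two infra rules pass the gate, so that mechanism is an assumption) and the sample catalog, a handful of rows copied from the tables above plus two deliberately broken entries, are all constructed for this example.

```python
import re

# Accepted shapes for the taxonomy fields shown in the tables on this page.
_CWE_RE = re.compile(r"^CWE-\d+$")
_OWASP_RE = re.compile(r"^A(0[1-9]|10):2021$")
_ASVS_RE = re.compile(r"^V\d+\.\d+\.\d+$")
_CVSS_RE = re.compile(
    r"^CVSS:3\.1/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[HLN]/I:[HLN]/A:[HLN]$"
)
_RULE_ID_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")

# Constructed sample: four rows copied from the tables on this page plus two
# deliberately broken entries (no CWE, a CVSS 3.0 vector) so the gate fires.
# The dict shape is an assumption for this example, not Sekrd's catalog format.
SAMPLE_CATALOG = [
    {"id": "xss-reflected", "cwe": "CWE-79", "owasp": "A03:2021", "asvs": "V5.3.3",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},
    {"id": "sqli-error-based", "cwe": "CWE-89", "owasp": "A03:2021", "asvs": "V5.3.4",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "missing-xfo", "cwe": "CWE-1021", "owasp": "A05:2021", "asvs": "V14.4.7",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},
    {"id": "wordpress-user-enum", "cwe": "CWE-203", "owasp": "A07:2021",
     "asvs": None, "cvss": None},
    {"id": "dast-scan-incomplete", "cwe": None, "owasp": None, "asvs": None, "cvss": None},
    {"id": "bad-vector", "cwe": "CWE-79", "owasp": "A03:2021", "asvs": "V5.3.3",
     "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},
]


def check_entry(entry, cwe_optional_ids=()):
    """Return the problems with one catalog entry (empty list means it passes).
    A CWE is mandatory unless the rule id is on the explicit no-CWE allow-list;
    OWASP, ASVS and CVSS are optional but must be well-formed when present."""
    problems = []
    rid = entry.get("id") or ""
    if not _RULE_ID_RE.match(rid):
        problems.append("malformed rule id %r" % rid)
    cwe = entry.get("cwe")
    if cwe is None:
        if rid not in cwe_optional_ids:
            problems.append("%s: missing CWE" % rid)
    elif not _CWE_RE.match(cwe):
        problems.append("%s: malformed CWE %r" % (rid, cwe))
    for field, pattern in (("owasp", _OWASP_RE), ("asvs", _ASVS_RE), ("cvss", _CVSS_RE)):
        value = entry.get(field)
        if value is not None and not pattern.match(value):
            problems.append("%s: malformed %s %r" % (rid, field, value))
    return problems


def check_catalog(entries, cwe_optional_ids=()):
    """Aggregate per-entry problems and reject duplicate rule ids, which would
    break the /rules/<rule_id> deep links this page relies on."""
    problems, seen = [], set()
    for entry in entries:
        rid = entry.get("id")
        if rid in seen:
            problems.append("duplicate rule id %r" % rid)
        seen.add(rid)
        problems.extend(check_entry(entry, cwe_optional_ids))
    return problems


def summarize(entries):
    """The headline numbers printed at the top of this page, derived from rows."""
    cwes = {e["cwe"] for e in entries if e.get("cwe")}
    owasp = {e["owasp"] for e in entries if e.get("owasp")}
    return {
        "total_rules": len(entries),
        "distinct_cwes": len(cwes),
        "owasp_categories": sorted(owasp),
        "rules_with_asvs": sum(1 for e in entries if e.get("asvs")),
        "rules_with_cvss": sum(1 for e in entries if e.get("cvss")),
    }


if __name__ == "__main__":
    for problem in check_catalog(SAMPLE_CATALOG, cwe_optional_ids=("dast-scan-incomplete",)):
        print("FAIL:", problem)
    print(summarize(SAMPLE_CATALOG))
```

Run against the real catalog, a non-empty problem list is what should fail the merge; the summary is how you verify the numbers at the top of this page against the rows rather than trusting them.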