A02 - Security Misconfiguration (26)
- Unrestricted File Upload Leads to Remote Code Execution | Calliope Gallery
- Exposed Git Repository Leads to Administrative Credential Disclosure | Fault Banking
- Local File Inclusion – Arbitrary File Read | Traverse
- Information Disclosure – Sensitive Resource Exposure via robots.txt | Sundial Observatory
- Information Disclosure – Redirect Debug Comment Exposure | Redirect Run
- Information Disclosure – Sensitive HTML Comment Exposure | Vellichor Press
- Information Disclosure – Debug Branch Receipt Exposure | Quikpay Receipts
- Information Disclosure – Client-Side Analytics Exposure | Pebble & Pine
- Exposed Git Repository Information Disclosure | Loop & Roam Records
- Local File Inclusion via Double URL Encoding | Mirage
- Unrestricted File Upload – Remote Code Execution | Hollow Run Bedding
- GraphQL Information Disclosure – System Configuration Exposure | Schematic
- SQL Injection & File Upload Abuse – Admin Bypass Leading to RCE | Candy
- Unrestricted File Upload – Remote Code Execution via PHP Extension Bypass | Crosswind
- Local File Inclusion via PHP Stream Wrappers | DocketHive
- XXE Injection – Arbitrary File Disclosure via XML Import | Holloway
- XInclude Injection to Arbitrary File Read | Tanuki
- Local File Inclusion (LFI) to Sensitive File Disclosure | Mapleton
- File Extension Blacklist Bypass – Unrestricted Upload to RCE | Hackviser Lab
- File Signature Bypass – Polyglot File Upload to RCE | Hackviser Lab
- MIME Type Filter Bypass – Unrestricted File Upload to RCE | Hackviser Lab
- Unrestricted File Upload – RCE Leading to Database Credential Disclosure | Hackviser Lab
- Local File Inclusion – Arbitrary File Read Leading to Flag Disclosure | Corridor
- File Inclusion – Arbitrary File Read via Image Endpoint | Ottergram
- Information Disclosure – Sensitive Data Exposure via Source Code, Headers & Public Files | Hidden in Plain Sight
- Local File Inclusion – Log Poisoning to Remote Code Execution | Venomous