Vulnerability glossary

A curated glossary of vulnerability classes, definitional security terms, and famous CVEs with plain-English explanations.

Vulnerability classes

Common vulnerability patterns and weaknesses — what they are, how they work, and how to fix them.

  • Broken Access Control — Broken access control is the umbrella for any flaw in how an application enforces who can do what — including missing checks, wrong checks, or bypassable checks.
  • Broken Authentication — Broken authentication covers flaws in the way an application verifies who a user is — weak passwords, predictable tokens, missing rate limits, credential leakage.
  • Buffer Overflow — Writing past the end of a fixed-size buffer corrupts adjacent memory, often hijacking control flow.
  • Command Injection (OS Command Injection) — Command injection lets attacker-controlled strings reach a shell, running arbitrary operating-system commands.
  • CRLF Injection — Injecting CR / LF byte pairs into headers lets an attacker inject extra headers, split responses, or smuggle requests.
  • CSRF (Cross-Site Request Forgery) — CSRF makes a logged-in user's browser issue authenticated requests the user did not intend.
  • DoS (Denial of Service) — A denial-of-service vulnerability lets an attacker make a service unavailable to legitimate users — by consuming CPU, memory, bandwidth, or state.
  • Double Free — Calling free() twice on the same pointer corrupts allocator metadata, often leading to arbitrary write primitives.
  • HTTP Request Smuggling — Request smuggling exploits disagreement between a front-end proxy and back-end server about where one request ends and the next begins.
  • IDOR (Insecure Direct Object Reference) — IDOR exposes objects by id without checking that the requester has permission to access them.
  • Improper Certificate Validation — Failing to validate TLS certificates correctly lets attackers intercept supposedly-encrypted traffic.
  • Information Disclosure — Information disclosure is any flaw that reveals data the attacker should not see — error messages, debug pages, stack traces, internal IPs, or secrets.
  • Insecure Deserialization — Insecure deserialization runs attacker-controlled object graphs, frequently leading to RCE through gadget chains.
  • Integer Overflow — Integer overflow produces wrong arithmetic — often a length calculation — that later drives an undersized buffer allocation.
  • Mass Assignment — Mass assignment lets attackers set fields they should not be able to set, by submitting them in a form whose handler accepts the entire model.
  • Open Redirect — An open redirect lets attackers craft URLs on the target's domain that bounce victims to an arbitrary external site.
  • Path Traversal (Directory Traversal) — Path traversal lets an attacker escape an intended directory by smuggling sequences like ../ into a file path.
  • Privilege Escalation — Privilege escalation is any bug that lets an attacker gain capabilities beyond what they were originally granted — vertical (more rights) or horizontal (other users' rights).
  • Prototype Pollution — Prototype pollution lets an attacker set properties on Object.prototype, contaminating every plain object the program uses.
  • Race Condition — A race condition is a bug whose outcome depends on the order or timing of two concurrent operations.
  • RCE (Remote Code Execution) — RCE is any vulnerability that lets a remote attacker run arbitrary code on the target system.
  • ReDoS (Regular Expression Denial of Service) — ReDoS feeds an input that triggers catastrophic backtracking in a regex engine, pinning a CPU and starving the service.
  • SQL Injection — SQL injection mixes attacker-controlled strings into a database query, letting the attacker change the query's meaning.
  • SSRF (Server-Side Request Forgery) — SSRF tricks a server into making HTTP requests to attacker-chosen destinations, often reaching internal-only systems.
  • TOCTOU (Time-of-Check to Time-of-Use) — TOCTOU is the race condition where a resource's state changes between a security check and the operation that depended on it.
  • Unrestricted File Upload — Letting users upload arbitrary files into a web-served directory lets attackers plant executable webshells.
  • Use-After-Free — A use-after-free dereferences a pointer to memory that has already been freed, often letting an attacker control the contents.
  • XSS (Cross-Site Scripting) — XSS lets attackers run scripts in a victim's browser by injecting markup that the application echoes back without escaping.
  • XXE (XML External Entity) — XXE abuses XML parsers that resolve external entities, leaking files and causing SSRF or DoS.

Definitional terms

Foundational vocabulary used across vulnerability intelligence — CVE, CVSS, CWE, KEV, EPSS, SBOM, and friends.

  • Coordinated Vulnerability Disclosure — Coordinated disclosure is the practice of reporting a vulnerability privately to the vendor, agreeing a fix timeline, and publishing details only after a patch is available.
  • CPE (Common Platform Enumeration) — CPE is the structured identifier scheme for affected products in NVD — vendor:product:version triples used to match scanners against CVE applicability.
  • CSP (Content Security Policy) — Content Security Policy is a browser-enforced response header that restricts which scripts, styles, images, and frames a page may load — the principal defence-in-depth against XSS.
  • CVE (Common Vulnerabilities and Exposures) — A CVE is a unique identifier — CVE-YYYY-NNNNN — assigned to a publicly disclosed vulnerability by a CVE Numbering Authority.
  • CVSS (Common Vulnerability Scoring System) — CVSS is the industry-standard formula for converting a vulnerability's properties into a 0-10 severity score.
  • CVSS Vector — A CVSS vector is the slash-delimited string that encodes the metrics behind a CVSS score, e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
  • CWE (Common Weakness Enumeration) — CWE is the catalogue of vulnerability categories — CWE-79 for XSS, CWE-89 for SQL injection, CWE-787 for out-of-bounds write — that classifies what kind of bug a CVE actually is.
  • DAST (Dynamic Application Security Testing) — DAST tests a running application from the outside — black-box probing for vulnerabilities visible only at runtime.
  • EPSS (Exploit Prediction Scoring System) — EPSS is a daily-updated probability — 0 to 1 — that a given CVE will be exploited in the next 30 days, computed by FIRST.org from a machine-learning model.
  • IAST (Interactive Application Security Testing) — IAST instruments the running application and observes data flow live — combining DAST's runtime view with SAST's taint reasoning.
  • KEV (CISA Known Exploited Vulnerabilities) — KEV is CISA's catalogue of CVEs known to be exploited in the wild — the highest-confidence signal that a vulnerability is being actively used by attackers.
  • N-Day — An n-day is a vulnerability that has had a patch available for some time but is still being exploited against unpatched systems.
  • Patch Tuesday — The second Tuesday of each month, when Microsoft (and several other vendors) ship their scheduled security updates.
  • PoC (Proof of Concept) — A PoC is a working demonstration that a vulnerability is exploitable — typically a short script or repository that triggers the bug.
  • SAST (Static Application Security Testing) — SAST analyses application source code (or compiled bytecode) for security flaws without executing the application.
  • SBOM (Software Bill of Materials) — An SBOM is a machine-readable inventory of every component and dependency that makes up a piece of software — the prerequisite for vulnerability-by-component scanning at scale.
  • SCA (Software Composition Analysis) — Software Composition Analysis scans your dependencies — both direct and transitive — against vulnerability databases to flag known CVEs.
  • Supply Chain Attack — A supply chain attack compromises a vendor, build pipeline, or upstream dependency to deliver malicious code to downstream consumers.
  • Zero-Day — A zero-day is a vulnerability that is being exploited (or whose details are public) before the vendor has issued a patch.

Famous CVEs

High-impact CVEs that are typically referenced by name. Each entry cross-links to the canonical record.

  • Apache Struts OGNL RCE (CVE-2017-5638) — The Apache Struts 2 OGNL injection RCE behind the Equifax breach — a Content-Type-header-based exploit that ran in late 2017.
  • BEAST (CVE-2011-3389) — BEAST is the chosen-plaintext attack against TLS 1.0 CBC ciphers that decrypted authenticated-session cookies in 2011.
  • BlueKeep (CVE-2019-0708) — BlueKeep is a pre-authentication heap overflow in Microsoft Remote Desktop Services on legacy Windows versions, with worm potential comparable to EternalBlue.
  • BREACH (CVE-2013-3587) — BREACH is the CRIME-style compression side-channel attack that targets HTTP-level gzip compression instead of TLS compression.
  • Citrix Bleed (CVE-2023-4966) — Citrix Bleed lets attackers steal authenticated NetScaler ADC / Gateway sessions over the network — exploited at scale by ransomware operators in late 2023.
  • Confluence OGNL RCE (CVE-2022-26134) — A pre-auth OGNL injection in Atlassian Confluence Server / Data Center that reached active exploitation before the public disclosure.
  • CRIME (CVE-2012-4929) — CRIME is a compression-side-channel attack on TLS that recovered session cookies via compression-ratio differences.
  • Dirty Pipe (CVE-2022-0847) — Dirty Pipe is a Linux kernel vulnerability that lets an unprivileged user write arbitrary bytes into read-only files, including those they cannot normally modify.
  • DROWN (CVE-2016-0800) — DROWN is a cross-protocol TLS attack that uses a server's SSLv2 support to decrypt TLS traffic to the same key.
  • Drupalgeddon 2 (CVE-2018-7600) — Drupalgeddon 2 is the Drupal Form API RCE that drove mass-exploitation of every unpatched Drupal site within hours of disclosure.
  • EternalBlue (CVE-2017-0144) — EternalBlue is the SMBv1 exploit leaked from the NSA's Equation Group that became the worm engine for WannaCry and NotPetya.
  • Follina (CVE-2022-30190) — Follina is the Microsoft Support Diagnostic Tool RCE triggered by opening a malicious Word document — exploitable even when macros are disabled.
  • FREAK (CVE-2015-0204) — FREAK is a TLS downgrade attack that exploits legacy export-grade RSA cipher suites to break encryption between modern clients and servers.
  • GHOST (CVE-2015-0235) — GHOST is a buffer overflow in glibc's gethostbyname() that affected Linux systems globally in 2015.
  • Heartbleed (CVE-2014-0160) — Heartbleed is a memory-disclosure vulnerability in OpenSSL's TLS heartbeat extension that leaked up to 64KB of server memory per request.
  • Log4Shell (CVE-2021-44228) — Log4Shell is a critical RCE in Apache Log4j2's JNDI lookup feature — the most consequential vulnerability of 2021, exploited within hours of disclosure.
  • Logjam (CVE-2015-4000) — Logjam is the discrete-log attack on Diffie-Hellman parameter reuse that broke TLS connections using common 1024-bit DH groups in 2015.
  • MOVEit (CVE-2023-34362) — The MOVEit Transfer SQL injection leading to RCE that Clop ransomware turned into one of 2023's largest data-theft campaigns, affecting thousands of organisations.
  • POODLE (CVE-2014-3566) — POODLE is the padding-oracle attack against SSL 3.0 that forced the industry to disable the legacy protocol globally in 2014.
  • PrintNightmare (CVE-2021-34527) — PrintNightmare is the Windows Print Spooler RCE that became one of the most widely publicised vulnerabilities of mid-2021.
  • ProxyLogon (CVE-2021-26855) — ProxyLogon is the pre-auth SSRF in Microsoft Exchange that, chained with three other CVEs, gave full Exchange compromise — exploited by HAFNIUM weeks before disclosure.
  • ProxyShell (CVE-2021-34473 / 34523 / 31207) — ProxyShell is the three-CVE chain against Microsoft Exchange Server that became one of 2021's most-exploited RCE vectors.
  • PwnKit (CVE-2021-4034) — PwnKit is the polkit pkexec local privilege escalation that affected essentially every Linux distribution since 2009 — a 12-year-old root bug.
  • Shellshock (CVE-2014-6271) — Shellshock is the bash function-export parser RCE that affected Linux/Unix systems where bash was reachable from any HTTP / CGI / DHCP path.
  • Spring4Shell (CVE-2022-22965) — Spring4Shell is an RCE in Spring Framework's data-binder that lets an HTTP form parameter mass-assign into a class-loader property and write an attacker-controlled file to disk.