API1 BOLA
Endpoints accept a caller-controlled object identifier (path or query parameter) and read or write the named object without confirming the caller is allowed to touch it.
API2 Auth
Endpoints that should require an authenticated caller accept anonymous traffic, or accept tokens whose authenticity the server never actually checks (JWT `alg:none`, HS256 with the public key used as the HMAC secret (algorithm confusion), missing signature verification on cookies, etc.).
API3 BOPLA
Mass-assignment: the handler binds the request body straight into a model object, so a client can write privileged fields (e.g.
API4 Rate Limit
Endpoints that allow callers to consume server CPU, memory, database time, or downstream API quota without bound.
API5 BFLA
Privileged endpoints (admin panels, billing controls, user management) are reachable by lower-privilege roles.
API6 Business Flows
Business flows (ticket purchase, signup, password reset, money transfer) accept automation without throttle, captcha, or behavioural challenge.
API7 SSRF
User-controlled URLs are fetched by the server.
API8 Misconfig
Catch-all for insecure-default settings: CORS reflects origin + credentials, debug mode on in production, default secrets committed to the repo, insecure cookies (no Secure/HttpOnly/SameSite), weak crypto (MD5, SHA-1, ECB), permissive S3 bucket policies, IAM `Action: '*'`.
API9 Inventory
Undocumented / shadow endpoints, deprecated routes still live, OpenAPI spec drift, unprotected admin paths.
API10 Upstream
Responses from upstream APIs are trusted and consumed without validation.
Supply Chain
Supply-chain risk: dependency confusion, slopsquatting (typosquats of trendy AI / ML packages), lifecycle-script abuse in transitive deps, unpinned versions in lockless ecosystems.
LLM01 Prompt Injection
Untrusted input is concatenated into a model prompt without isolation, so an attacker can override the system instructions, exfiltrate context, or escalate tool access.
LLM06 PII in Prompts
Secrets, PII, or PHI flow into an LLM prompt body or context window.
MCP-001 Unpinned npx/uvx
MCP host config invokes `npx` or `uvx` against an unpinned registry package. The package is re-resolved on every host launch, so a publisher takeover or a typo in the next push lands inside a process the model can reach into.
MCP-002 Mutable git ref
MCP host config installs an MCP server from a git source whose ref is a branch (HEAD, main, master) or absent entirely. A force-push or branch rewrite changes what the host runs without bumping a version anywhere visible.
MCP-003 Overbroad FS root
An MCP filesystem server is mounted at the root of the disk (`/`), the user's home directory (`$HOME`, `~`, `/Users/<name>`, `/home/<name>`), or a shallow home subdirectory. The model can read or write every file the host process can, so a single prompt injection has a wide blast radius.
MCP-004 Inline env secret
An MCP host config inlines a literal credential in a server's env block instead of referencing a shell variable. Once written, the secret sits in a JSON file under `~/Library/Application Support/` or `~/.config/` that nobody audits, and it travels with backups.
MCP-005 Cleartext endpoint
An MCP server connects to a remote endpoint over cleartext `http://`, or reaches an `https://` endpoint with no visible auth credential alongside. Every prompt, tool call, and result either travels unencrypted or hits a world-callable server.
MCP-006 Compromised release
An MCP server pins a `(name, version)` that the Vulkro compromised-release catalog flags as a known supply-chain incident. Matching is by exact version against the same catalog that the dep-scanner and extension-auditor consume.
EXT-001 Compromised extension
An installed editor or browser extension's `(ecosystem, identifier, version)` matches the Vulkro compromised-extension catalog. Editor and browser extensions execute with the host process's authority; treat any hit here as a session-token incident.
EXT-002 Overbroad perms
A browser extension's manifest declares host permissions across every URL (`<all_urls>` / `*://*/*`), uses high-impact APIs (`debugger`, `webRequestBlocking`), or declares multiple broad API permissions together. A publisher compromise of such an extension reaches every site the user is signed into.
EXT-003 Unsafe CSP
A browser extension's `content_security_policy` allows `unsafe-eval` or `unsafe-inline` inside `script-src` or `default-src`. The extension can evaluate runtime-generated code or pull in arbitrary remote JavaScript that static review never sees.
SUP-COMPROMISE-001
An installed dependency matches a catalogued incident where the maintainer's publish credentials were stolen and a malicious version was pushed to the registry. The package itself is fine; a specific version range is poisoned.
SUP-COMPROMISE-002
An installed dependency matches a catalogued incident where the package itself is a typosquat impersonating a real upstream. The package name looks legitimate at a glance but is not the package the upstream project recommends.
SUP-COMPROMISE-003
An installed dependency matches a catalogued incident where the package ships a lifecycle script (npm postinstall, PyPI setup.py) that runs attacker code at install time. The payload likely already executed on every machine where the package was resolved.
SUP-COMPROMISE-004
An installed dependency matches a catalogued incident where the author of the package deliberately introduced attacker-friendly behaviour at the source-tree level. Distinct from a credential hijack: the legitimate publisher is the source of the bad code.
SUP-COMPROMISE-005
An installed dependency matches a catalogued incident where the upstream project's build pipeline (release tarball, distro packaging step, CI artefact) was compromised by a long-running attacker, even though the source tree on the public repository looked clean.
SUP-COMPROMISE-006
An installed editor or browser extension matches a catalogued supply-chain incident. The same catalog that powers EXT-001 surfaces under the SUP-COMPROMISE family when the extension is discovered via the dependency-scanner path rather than the extension-auditor path.