API1 BOLA
Endpoints accept a caller-controlled object identifier (path or query parameter) and read or write the named object without confirming the caller is allowed to touch it.
API2 Auth
Endpoints that should require an authenticated caller accept anonymous traffic, or accept tokens the server cannot verify (JWT alg:none, HS256 with the public key as the HMAC secret, missing signature verification on cookies, etc.).
API3 BOPLA
Mass-assignment: the handler binds the request body straight into a model object, so a client can write privileged fields (e.g.
API4 Rate Limit
Endpoints that allow callers to consume server CPU, memory, database time, or downstream API quota without bound.
API5 BFLA
Privileged endpoints (admin panels, billing controls, user management) are reachable by lower-privilege roles.
API6 Business Flows
Business flows (ticket purchase, signup, password reset, money transfer) accept automation without throttle, captcha, or behavioural challenge.
API7 SSRF
User-controlled URLs are fetched by the server.
API8 Misconfig
Catch-all for insecure-default settings: CORS reflects origin + credentials, debug mode on in production, default secrets committed to the repo, insecure cookies (no Secure/HttpOnly/SameSite), weak crypto (MD5, SHA-1, ECB), permissive S3 bucket policies, IAM `Action: '*'`.
API9 Inventory
Undocumented / shadow endpoints, deprecated routes still live, OpenAPI spec drift, unprotected admin paths.
API10 Upstream
Trusting upstream API responses without validation.
Supply Chain
Supply-chain risk: dependency confusion, slopsquatting (typosquats of trendy AI / ML packages), lifecycle-script abuse in transitive deps, unpinned versions in lockless ecosystems.
LLM01 Prompt Injection
Untrusted input is concatenated into a model prompt without isolation, so an attacker can override the system instructions, exfiltrate context, or escalate tool access.
LLM06 PII in Prompts
Secrets, PII, or PHI flow into an LLM prompt body or context window.
Code Quality
Non-security signals: high cognitive complexity, deeply nested control flow, and other maintainability issues.
MCP-001 Unpinned npx/uvx
MCP host config invokes `npx` or `uvx` against an unpinned registry package. The package re-resolves every host launch, so a publisher takeover or a typo on the next push lands inside the process the model has reach into.