| Private data | Access control | ✅ | ✅ | HIGH | API3:2023 |
| Private fields | Access control | ✅ | ✅ | HIGH | API1:2023 |
| Tenant isolation | Access control | ✅ | ✅ | HIGH | API5:2023 |
| Broken Object Level Authorization | Access control | ✅ | ✅ | MEDIUM | API1:2023 |
| Public state-altering operation | Access control | ✅ | ✅ | MEDIUM | API5:2023 |
| Sensitive endpoint bruteforce | Access control | ✅ | ✅ | MEDIUM | API3:2023 |
| Authenticated route bypass | Access control | | ✅ | LOW | API2:2023 |
| WAF Bypass | Configuration | | ✅ | MEDIUM | API8:2023 |
| Automatic Persisted Queries | Configuration | ✅ | | LOW | API8:2023 |
| Directory listing | Configuration | | ✅ | LOW | API1:2023 |
| GraphQL IDE | Configuration | ✅ | | LOW | API7:2023 |
| Proxy Disclosure | Configuration | | ✅ | LOW | API5:2023 |
| Error type inconsistency | Configuration | ✅ | | INFO | API8:2023 |
| Unhandled endpoint | Configuration | | ✅ | INFO | API2:2023 |
| AWS Docker Config Exposure | Information disclosure | ✅ | ✅ | HIGH | API8:2023 |
| AWStats Config Exposure | Information disclosure | ✅ | ✅ | HIGH | API8:2023 |
| AWStats Exposure | Information disclosure | ✅ | ✅ | HIGH | API8:2023 |
| Airflow Config Exposure | Information disclosure | ✅ | ✅ | HIGH | API8:2023 |
| AppVeyor Config Exposure | Information disclosure | ✅ | ✅ | HIGH | API8:2023 |
| Data leak | Information disclosure | ✅ | ✅ | HIGH | API1:2023 |
| Exposed MySQL Config | Information disclosure | ✅ | ✅ | HIGH | API8:2023 |
| Exposed SQL Dumps | Information disclosure | ✅ | ✅ | HIGH | API8:2023 |
| Exposed settings.php | Information disclosure | ✅ | ✅ | HIGH | API8:2023 |
| Source code disclosure | Information disclosure | ✅ | | HIGH | API7:2023 |
| Ansible Config Exposure | Information disclosure | ✅ | ✅ | MEDIUM | API8:2023 |
| Azure Tenant ID Exposure | Information disclosure | ✅ | ✅ | MEDIUM | API8:2023 |
| Field suggestion | Information disclosure | ✅ | | MEDIUM | API7:2023 |
| Leaking authentication | Information disclosure | | ✅ | MEDIUM | API7:2023 |
| Springboot Actuator Disclosure | Information disclosure | ✅ | ✅ | MEDIUM | API7:2023 |
| Stacktrace | Information disclosure | ✅ | ✅ | MEDIUM | API7:2023 |
| Vulnerable Package | Information disclosure | ✅ | ✅ | MEDIUM | API8:2023 |
| Debug mode | Information disclosure | ✅ | ✅ | LOW | API7:2023 |
| File disclosure | Information disclosure | | ✅ | LOW | API7:2023 |
| Private IP | Information disclosure | | ✅ | LOW | API1:2023 |
| Software Component Leak | Information disclosure | ✅ | ✅ | LOW | API8:2023 |
| AWS Config Exposure | Information disclosure | ✅ | ✅ | INFO | API8:2023 |
| Alibaba Canal Leak | Information disclosure | ✅ | ✅ | INFO | API8:2023 |
| Appspec Exposure | Information disclosure | ✅ | ✅ | INFO | API8:2023 |
| Introspection enabled | Information disclosure | ✅ | | INFO | API7:2023 |
| Command Injection | Injection | ✅ | ✅ | HIGH | API10:2023 |
| Directory traversal | Injection | | ✅ | HIGH | API10:2023 |
| File inclusion | Injection | ✅ | | HIGH | API10:2023 |
| Improper Input Validation Injection | Injection | ✅ | ✅ | HIGH | API10:2023 |
| JWT Signature check | Injection | ✅ | ✅ | HIGH | API2:2023 |
| JWT algorithm confusion | Injection | ✅ | ✅ | HIGH | API2:2023 |
| JWT no algorithm | Injection | ✅ | ✅ | HIGH | API2:2023 |
| Mass Assignment | Injection | | ✅ | HIGH | API1:2023 |
| NoSQL Injection | Injection | ✅ | ✅ | HIGH | API9:2023 |
| NoSQL Injection Stored | Injection | ✅ | | HIGH | API9:2023 |
| SQL Injection | Injection | ✅ | ✅ | HIGH | API9:2023 |
| SSTI (Server-Side Template Injection) | Injection | | ✅ | HIGH | API10:2023 |
| Stored Improper Input Validation Injection | Injection | ✅ | | HIGH | API10:2023 |
| XXE Injection | Injection | ✅ | ✅ | HIGH | API10:2023 |
| CRLF Injection | Injection | ✅ | ✅ | MEDIUM | API10:2023 |
| HeartBleed | Protocol | ✅ | | HIGH | API7:2023 |
| SSL Certificate | Protocol | | ✅ | HIGH | API2:2023 |
| Server Error | Protocol | ✅ | ✅ | HIGH | API5:2023 |
| SSL enforced | Protocol | ✅ | ✅ | MEDIUM | API2:2023 |
| Access-Control-Allow-Origin Header | Protocol | ✅ | ✅ | LOW | API7:2023 |
| CORS | Protocol | ✅ | | LOW | API7:2023 |
| Cache Control Header | Protocol | ✅ | ✅ | LOW | API7:2023 |
| Content Security Policy Header | Protocol | ✅ | ✅ | LOW | API7:2023 |
| Content type | Protocol | ✅ | | LOW | API7:2023 |
| Content-Type header | Protocol | ✅ | ✅ | LOW | API7:2023 |
| Cookie Security | Protocol | ✅ | ✅ | LOW | API7:2023 |
| Header leak | Protocol | ✅ | ✅ | LOW | API7:2023 |
| Headers | Protocol | ✅ | ✅ | LOW | API2:2023 |
| Strict Transport Security | Protocol | ✅ | ✅ | LOW | API7:2023 |
| X-Content-Type-Options | Protocol | ✅ | ✅ | LOW | API7:2023 |
| X-Frame-Options header | Protocol | ✅ | ✅ | LOW | API7:2023 |
| Open redirection Forgery | Request forgery | ✅ | ✅ | HIGH | API3:2023 |
| Partial SSRF | Request forgery | ✅ | ✅ | HIGH | API6:2023 |
| Server Side Request Forgery | Request forgery | ✅ | ✅ | HIGH | API7:2023 |
| GET based CSRF | Request forgery | ✅ | | MEDIUM | API2:2023 |
| POST based CSRF | Request forgery | ✅ | | MEDIUM | API2:2023 |
| SSRF Injection in headers | Request forgery | | ✅ | LOW | API10:2023 |
| Security timeout | Resource limitation | ✅ | ✅ | HIGH | API7:2023 |
| Depth limit | Resource limitation | ✅ | | MEDIUM | API4:2023 |
| Directive overloading | Resource limitation | ✅ | | MEDIUM | API8:2023 |
| Field limit | Resource limitation | ✅ | | MEDIUM | API4:2023 |
| Large JSON input | Resource limitation | ✅ | | MEDIUM | API4:2023 |
| Recursive Fragment | Resource limitation | ✅ | | MEDIUM | API8:2023 |
| Alias limit | Resource limitation | ✅ | | LOW | API5:2023 |
| Batch Limit | Resource limitation | ✅ | | LOW | API8:2023 |
| Character limit | Resource limitation | ✅ | | LOW | API8:2023 |
| Cyclic query | Resource limitation | ✅ | | LOW | API7:2023 |
| Pagination missing | Resource limitation | ✅ | ✅ | LOW | API8:2023 |
| Response size | Resource limitation | | ✅ | LOW | API7:2023 |
| Unreachable server | Resource limitation | ✅ | ✅ | LOW | API8:2023 |
| Width limit | Resource limitation | ✅ | | LOW | API4:2023 |
| Cyclic Recursive Query | Resource limitation | ✅ | | INFO | API8:2023 |
| Field Duplication | Resource limitation | ✅ | | INFO | API4:2023 |
| Typing misconfiguration | Schema | ✅ | ✅ | MEDIUM | API10:2023 |
| Zombie object | Schema | ✅ | | LOW | API9:2023 |
| Duplicated object | Schema | ✅ | ✅ | INFO | API9:2023 |
| GraphQL Response Format | Schema | ✅ | ✅ | INFO | API9:2023 |
| Invalid condition in allOf | Schema | | ✅ | INFO | API9:2023 |
| Invalid parameters in path | Schema | | ✅ | INFO | API9:2023 |
| Invalid references | Schema | | ✅ | INFO | API9:2023 |
| Positive integer validation | Schema | ✅ | ✅ | INFO | API8:2023 |
| Response type mismatch | Schema | ✅ | | INFO | API10:2023 |
| Swagger rules | Schema | | ✅ | INFO | API9:2023 |
| Undefined objects | Schema | ✅ | | INFO | API9:2023 |
| Weak JSON typing | Schema | ✅ | | INFO | API10:2023 |