| Private data | Access Control | ❌ | ✅ | HIGH | A03:2023 |
| Tenant isolation | Access Control | ❌ | ✅ | HIGH | A05:2023 |
| Expired token | Access Control | ✅ | ✅ | HIGH | A02:2023 |
| Private fields | Access Control | ❌ | ✅ | HIGH | A01:2023 |
| Public unsafe mutation endpoint | Access Control | ✅ | ✅ | MEDIUM | A05:2023 |
| Broken Object Level Authorization | Access Control | ✅ | ✅ | MEDIUM | A01:2023 |
| Authenticated route bypass | Access Control | ✅ | ❌ | LOW | A02:2023 |
| Automatic Persisted Queries | Configuration | ❌ | ✅ | LOW | A08:2023 |
| Proxy Disclosure | Configuration | ✅ | ❌ | LOW | A05:2023 |
| GraphQL IDE | Configuration | ❌ | ✅ | LOW | A07:2023 |
| Directory listing | Configuration | ✅ | ❌ | LOW | A01:2023 |
| Unhandled endpoint | Configuration | ✅ | ✅ | INFO | A02:2023 |
| Error type inconsistency | Configuration | ❌ | ✅ | INFO | A08:2023 |
| Data leak | Information Disclosure | ✅ | ✅ | HIGH | A01:2023 |
| Source code disclosure | Information Disclosure | ✅ | ✅ | HIGH | A07:2023 |
| Debug mode | Information Disclosure | ❌ | ✅ | MEDIUM | A07:2023 |
| Stacktraces | Information Disclosure | ✅ | ✅ | MEDIUM | A07:2023 |
| Field suggestion | Information Disclosure | ❌ | ✅ | MEDIUM | A07:2023 |
| File disclosure | Information Disclosure | ✅ | ❌ | LOW | A07:2023 |
| Private IP | Information Disclosure | ✅ | ❌ | LOW | A01:2023 |
| Introspection enabled | Information Disclosure | ✅ | ✅ | INFO | A07:2023 |
| Improper Input Validation Injection | Injection | ✅ | ✅ | HIGH | A08:2019 |
| File inclusion | Injection | ❌ | ✅ | HIGH | A08:2019 |
| XXE Injection | Injection | ✅ | ✅ | HIGH | A08:2019 |
| Directory traversal | Injection | ✅ | ❌ | HIGH | A08:2019 |
| Stored Improper Input Validation Injection | Injection | ✅ | ✅ | HIGH | A08:2019 |
| File upload | Injection | ❌ | ❌ | HIGH | A07:2023 |
| NoSQL Injection | Injection | ✅ | ✅ | HIGH | A09:2023 |
| SQL Injection Stored | Injection | ✅ | ✅ | HIGH | A09:2023 |
| Command Injection | Injection | ✅ | ✅ | HIGH | A08:2019 |
| NoSQL Injection Stored | Injection | ✅ | ✅ | HIGH | A09:2023 |
| SQL Injection | Injection | ✅ | ✅ | HIGH | A09:2023 |
| CRLF Injection | Injection | ✅ | ✅ | MEDIUM | A08:2019 |
| HeartBleed | Protocol | ❌ | ✅ | HIGH | A07:2023 |
| Server Error | Protocol | ✅ | ✅ | HIGH | A05:2023 |
| SSL Certificate | Protocol | ✅ | ❌ | HIGH | A02:2023 |
| SSL enforced | Protocol | ✅ | ✅ | MEDIUM | A02:2023 |
| CORS | Protocol | ✅ | ✅ | LOW | A07:2023 |
| Content-Type header | Protocol | ✅ | ✅ | LOW | A07:2023 |
| Header leak | Protocol | ✅ | ✅ | LOW | A07:2023 |
| Content Security Policy Header | Protocol | ✅ | ✅ | LOW | A07:2023 |
| Headers | Protocol | ✅ | ✅ | LOW | A02:2023 |
| Access-Control-Allow-Origin Header | Protocol | ✅ | ✅ | LOW | A07:2023 |
| X-Frame-Options header | Protocol | ✅ | ✅ | LOW | A07:2023 |
| Cookie Security | Protocol | ✅ | ✅ | LOW | A07:2023 |
| Strict Transport Security | Protocol | ✅ | ✅ | LOW | A07:2023 |
| Cache Control Header | Protocol | ✅ | ✅ | LOW | A07:2023 |
| X-Content-Type-Options | Protocol | ✅ | ✅ | LOW | A07:2023 |
| Content type | Protocol | ❌ | ✅ | LOW | A07:2023 |
| Server Side Request Forgery | Request Forgery | ✅ | ✅ | HIGH | A06:2023 |
| GET based CSRF | Request Forgery | ✅ | ✅ | HIGH | A02:2023 |
| Partial SSRF | Request Forgery | ✅ | ✅ | HIGH | A06:2023 |
| Open redirection Forgery | Request Forgery | ✅ | ✅ | HIGH | A03:2023 |
| POST based CSRF | Request Forgery | ✅ | ✅ | MEDIUM | A02:2023 |
| SSRF Injection in headers | Request Forgery | ✅ | ❌ | LOW | A10:2023 |
| Security timeout | Resource Limitation | ✅ | ✅ | HIGH | A07:2023 |
| Recursive Fragment | Resource Limitation | ❌ | ✅ | MEDIUM | A08:2023 |
| Depth limit | Resource Limitation | ❌ | ✅ | MEDIUM | A04:2023 |
| Large JSON input | Resource Limitation | ❌ | ✅ | MEDIUM | A04:2023 |
| Field limit | Resource Limitation | ❌ | ✅ | MEDIUM | A04:2023 |
| Directive overloading | Resource Limitation | ❌ | ✅ | MEDIUM | A08:2023 |
| Character limit | Resource Limitation | ✅ | ✅ | LOW | A08:2023 |
| Unreachable server | Resource Limitation | ✅ | ❌ | LOW | A08:2023 |
| Alias limit | Resource Limitation | ❌ | ✅ | LOW | A05:2023 |
| Width limit | Resource Limitation | ❌ | ✅ | LOW | A04:2023 |
| Batch Limit | Resource Limitation | ❌ | ✅ | LOW | A08:2023 |
| Pagination missing | Resource Limitation | ✅ | ✅ | LOW | A08:2023 |
| Cyclic query | Resource Limitation | ❌ | ✅ | LOW | A07:2023 |
| Response size | Resource Limitation | ✅ | ❌ | LOW | A07:2023 |
| Query cost analysis | Resource Limitation | ❌ | ✅ | LOW | A08:2023 |
| Circular introspection | Resource Limitation | ❌ | ✅ | INFO | A08:2023 |
| Typing misconfiguration | Schema | ❌ | ✅ | MEDIUM | A08:2019 |
| Stored invalid input | Schema | ❌ | ✅ | MEDIUM | A03:2023 |
| Zombie object | Schema | ❌ | ✅ | LOW | A09:2023 |
| Self compliant spec | Schema | ❌ | ❌ | LOW | A02:2023 |
| Response type mismatch | Schema | ❌ | ✅ | INFO | A08:2019 |
| Required argument misconfiguration | Schema | ❌ | ✅ | INFO | A08:2023 |
| Weak JSON typing | Schema | ❌ | ✅ | INFO | A08:2019 |
| Undefined objects | Schema | ❌ | ✅ | INFO | A09:2023 |
| Custom security checks | Unspecified | ❌ | ✅ | INFO | A08:2023 |