Ten vulnerability classes, measured across thousands of real codebases and maintained by the global security community. Each category explained clearly, with the patterns that introduce it and the fixes that resolve it.
The bug where one user can read another user's data just by editing a number in the URL.
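What that looks like in code, as an added example (not from this page or from Flowpatrol's own code): the lookup that trusts the number in the URL, the ownership-checked version, and what each gives an attacker who walks the ids. The users, invoice ids and amounts are constructed sample data.

```python
"""Added example, not code from this page or from Flowpatrol: the unchecked
lookup behind an IDOR next to the ownership-checked version.
Users, invoice ids and amounts below are constructed sample data."""

# Constructed sample store: invoice id -> record, each with its owner.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 9999.00},
    1003: {"owner": "carol", "amount": 45.50},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    # Trusts the id from the URL and never asks who owns the record, so
    # alice can read bob's invoice by changing 1001 to 1002.
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user: str, invoice_id: int) -> dict:
    # Scope the lookup to the caller: the record must exist AND belong to them.
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        # One response for "missing" and "not yours", so the error itself
        # does not tell an attacker which ids exist.
        raise Forbidden("no such invoice")
    return record


def readable_ids(current_user: str, lookup, candidate_ids) -> list:
    """What an attacker learns by walking ids: every id `lookup` returns for."""
    found = []
    for invoice_id in candidate_ids:
        try:
            lookup(current_user, invoice_id)
        except (KeyError, Forbidden):
            continue
        found.append(invoice_id)
    return found


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", readable_ids("alice", get_invoice_vulnerable, ids))
    print("hardened:  ", readable_ids("alice", get_invoice_hardened, ids))
```

The fix is not a cleverer id but a query scoped to the caller: every lookup that takes an identifier from the client has to answer "does this record belong to this user" before it returns anything.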
The bug where the data is technically stored — just not in a way anyone should have stored it.
The bug where user input gets pasted directly into a query, a command, or a template.
The bug where every line of code is correct and the whole thing still does the wrong thing.
The bug where the code is fine and the settings are doing all the work the wrong way round.
The bug where a library you never touched ships a CVE and your app inherits it overnight.
The bug where the sign-in flow works perfectly for you and also works perfectly for the attacker.
The bug where you trust a package, a webhook, or an update without ever checking who sent it.
The bug where the attack worked, the logs are empty, and nobody notices until a customer emails support.
The bug where a user-supplied URL turns your server into a proxy for the attacker.
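The check a server should run before fetching a URL it was handed, as an added example (not from this page or from Flowpatrol's own code): allow only http and https, refuse embedded credentials, and resolve the host so that anything pointing at loopback, private, link-local or otherwise non-public space is rejected. The `FAKE_DNS` table and `fake_resolve` are constructed stand-ins so the example runs offline; `resolve_all` is the real resolver.

```python
"""Added example, not code from this page or from Flowpatrol: a URL check a
server can run before fetching a user-supplied URL, rejecting anything that
resolves to a loopback, private, link-local or otherwise non-public address.
The fake DNS table is constructed so the example runs offline."""

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(hostname: str) -> set:
    # Real resolver: every address the name maps to, A and AAAA alike.
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


# Constructed stand-in for DNS, used in the examples and the demo below.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "internal.corp": {"10.1.2.3"},
    "split.example": {"93.184.216.34", "127.0.0.1"},
}


def fake_resolve(hostname: str) -> set:
    try:
        return FAKE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"cannot resolve {hostname}")


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback dressed up as IPv6; judge the inner v4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def is_safe_url(url: str, resolve=resolve_all) -> bool:
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False          # file://, gopher://, dict://, ...
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False          # empty host, or http://trusted@evil tricks
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP: no DNS lookup
    except ValueError:
        try:
            addrs = resolve(host)                  # hostname: resolve it
        except OSError:
            return False                           # unresolvable: refuse
    # Every address must be public; one internal record is enough to refuse.
    return bool(addrs) and all(is_public_address(a) for a in addrs)


if __name__ == "__main__":
    for url in ("https://example.com/", "http://internal.corp/",
                "http://169.254.169.254/latest/meta-data/", "http://[::1]/"):
        print(url, "->", "allow" if is_safe_url(url, resolve=fake_resolve) else "reject")
```

The check is necessary but not the whole fix: the HTTP client must then connect to the address that was vetted rather than resolve the name a second time (otherwise a DNS answer that changes between check and fetch gets through), and every redirect hop needs the same check before it is followed.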
Flowpatrol tests every category on this list — and proves every finding with a real exploit. Paste a URL, get a report in minutes.