// CWE taxonomy
Browse by bug class
Every vulnerability class PullLight has caught in real PRs, mapped to CWE identifiers. Sorted by number of case studies.
CWE-78  Remote Code Execution  (9 catches)
    Attacker-controlled input reaches a code execution primitive — eval, exec, spawn, or a deserialization sink — enabling arbitrary command execution.

CWE-502  Insecure Deserialization  (4 catches)
    Deserializing attacker-controlled data with a gadget-rich runtime enables object injection, privilege escalation, or arbitrary code execution.

CWE-22  Path Traversal  (4 catches)
    User-controlled file paths escape the intended directory using ../ sequences, enabling arbitrary file read, write, or delete.

CWE-1321  Prototype Pollution  (3 catches)
    Attacker-controlled keys containing __proto__ or constructor.prototype corrupt the global object prototype, affecting all downstream objects.

CWE-89  SQL Injection  (3 catches)
    Unsanitized user input is interpolated into SQL queries, allowing attackers to read, modify, or delete arbitrary database data.

CWE-78  OS Command Injection  (3 catches)
    User-controlled input is passed to a shell command without sanitization, enabling injection of arbitrary OS commands.

CWE-287  Authentication Bypass  (3 catches)
    Logic gaps in authentication middleware or route handling allow unauthenticated requests to reach protected resources.

CWE-918  Server-Side Request Forgery  (3 catches)
    Attacker-supplied URLs are fetched by the server, enabling access to internal services, cloud metadata endpoints, or SSRF-to-RCE escalation.

CWE-94  Server-Side Template Injection  (2 catches)
    Unsanitized user input flows into a template engine, enabling arbitrary code execution on the server.
PullLight catches these in live code review.
Hooks into your PRs automatically — no config required.
Try the live demo →