Web Vulnerability Terminology Glossary
Security vulnerabilities are weaknesses in software, hardware, or configurations that can be exploited by attackers to gain unauthorized access, execute malicious code, or disrupt services. This glossary defines the most important vulnerability-related terms used by security researchers, penetration testers, and development teams. For attack methodology terminology, see our companion glossary of common web attack terms.
Vulnerability Classification and Scoring
CVE (Common Vulnerabilities and Exposures)
CVE is a standardized identification system for publicly known security vulnerabilities. Each vulnerability is assigned a unique identifier in the format CVE-YYYY-NNNNN (e.g., CVE-2021-44228 for the Log4Shell vulnerability). The CVE system is maintained by MITRE Corporation and serves as the universal reference standard. When a security advisory references a CVE ID, any organization in the world can look up the exact same vulnerability. The CVE database contains over 200,000 entries and grows by tens of thousands each year.
CVSS (Common Vulnerability Scoring System)
CVSS provides a numerical score (0.0 to 10.0) that represents the severity of a vulnerability. The score is calculated based on factors including attack vector, attack complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability. CVSS scores are categorized as:
| CVSS Score | Severity Rating | Example |
|---|---|---|
| 0.0 | None | Informational finding |
| 0.1 – 3.9 | Low | Information disclosure with limited impact |
| 4.0 – 6.9 | Medium | Authenticated access required, partial impact |
| 7.0 – 8.9 | High | Unauthenticated RCE with some constraints |
| 9.0 – 10.0 | Critical | Unauthenticated RCE, network-accessible, no interaction |
The current version, CVSS v4.0, was released in 2023 and adds granularity around environmental and threat metrics.
Zero-Day Vulnerability
A zero-day vulnerability is a security flaw that is unknown to the software vendor and has no available patch or fix. The term "zero-day" indicates that the vendor has had zero days to address the issue. Zero-day vulnerabilities are the most dangerous class of security flaws because defenders have no signature or patch to protect against them. They are actively traded on underground markets and are a primary tool for advanced persistent threat (APT) groups. Defense against zero-days relies on behavioral detection, application hardening, and defense-in-depth.
CWE (Common Weakness Enumeration)
CWE is a categorization system for software and hardware weaknesses that can lead to vulnerabilities. While CVE identifies specific instances of vulnerabilities, CWE classifies the underlying type of weakness. For example, CWE-79 is "Improper Neutralization of Input During Web Page Generation" (the root cause of XSS), and CWE-89 is "Improper Neutralization of Special Elements used in an SQL Command" (the root cause of SQL injection). CWE helps developers understand and prevent entire categories of vulnerabilities.
Code Execution Vulnerabilities
Remote Code Execution (RCE)
RCE is a vulnerability that allows an attacker to execute arbitrary code on a remote system. RCE vulnerabilities are considered the most critical class of security flaws because they give the attacker full control over the affected system. RCE can result from deserialization flaws, command injection, buffer overflows, or template injection. The Log4Shell vulnerability (CVE-2021-44228) is a prominent example of an RCE that affected millions of Java applications worldwide.
Arbitrary Code Execution (ACE)
ACE is the broader category that encompasses any vulnerability allowing an attacker to execute code of their choosing on a system. RCE is a subset of ACE where the execution happens remotely (over a network). Local ACE requires the attacker to already have some level of access to the system. For a deeper exploration, see our guide on arbitrary code execution.
Command Injection
Command injection occurs when an application passes unsanitized user input to a system shell. If the application constructs a shell command using user-supplied data without proper escaping, the attacker can append additional commands using shell metacharacters (semicolons, pipes, backticks). For example, if an application runs ping [user_input], an attacker could submit 8.8.8.8; cat /etc/passwd to execute an arbitrary command. Command injection vulnerabilities grant full system-level access.
Injection Vulnerabilities
SQL Injection (SQLi)
SQL injection occurs when an attacker can insert or manipulate SQL queries through user input fields. SQLi can lead to unauthorized data access, data modification, data deletion, authentication bypass, and in some cases, remote code execution via database functions like xp_cmdshell in MSSQL. SQL injection has been one of the most common and dangerous web vulnerabilities for over two decades and consistently appears in the OWASP Top 10.
Cross-Site Scripting (XSS)
Cross-site scripting allows an attacker to inject malicious JavaScript into web pages viewed by other users. XSS can be used to steal session cookies, redirect users to malicious sites, deface web content, or capture keystrokes. The three types are reflected XSS (payload in the URL), stored XSS (payload saved in the database and served to all visitors), and DOM-based XSS (payload processed by client-side JavaScript).
LDAP Injection
LDAP injection occurs when user input is incorporated into LDAP (Lightweight Directory Access Protocol) queries without proper sanitization. Attackers can modify LDAP query logic to bypass authentication, access unauthorized directory information, or modify directory entries. LDAP injection follows the same principles as SQL injection but targets directory services rather than relational databases.
File and Path Vulnerabilities
Local File Inclusion (LFI)
LFI is a vulnerability that allows an attacker to include files from the local server in the application's output. It typically occurs when an application uses user input to construct file paths without proper validation. An attacker can use directory traversal sequences (e.g., ../../etc/passwd) to read sensitive system files, application configuration files containing database credentials, or log files. In some cases, LFI can be escalated to remote code execution through log poisoning or PHP wrapper techniques.
Remote File Inclusion (RFI)
RFI is similar to LFI but allows the attacker to include files from remote servers. If a PHP application uses user input in an include() function and the server allows remote file inclusion (allow_url_include = On), the attacker can point the include to a malicious script hosted on their own server. This results in immediate remote code execution. RFI is less common than LFI in modern applications because PHP's default configuration disables remote includes.
Directory Traversal (Path Traversal)
Directory traversal is a vulnerability that allows attackers to access files and directories outside the intended directory structure by manipulating file path references. By using sequences like ../ or encoded equivalents, attackers can navigate the file system to read configuration files, source code, credentials, and other sensitive data. Directory traversal is the underlying technique that enables LFI attacks.
Server-Side Request Vulnerabilities
Server-Side Request Forgery (SSRF)
SSRF is a vulnerability that allows an attacker to make the server issue HTTP requests to arbitrary destinations. The attacker manipulates server-side functionality that fetches URLs (image processing, URL preview, webhook delivery) to target internal services, cloud metadata endpoints (like AWS's 169.254.169.254), or other infrastructure that is not directly accessible from the internet. SSRF has become increasingly critical in cloud environments where metadata services can expose credentials and configuration data.
Insecure Direct Object Reference (IDOR)
IDOR occurs when an application exposes internal implementation objects (such as database record IDs, file names, or sequential identifiers) in URLs or parameters without proper authorization checks. An attacker can modify these references to access other users' data. For example, changing /api/invoices/1234 to /api/invoices/1235 to view another customer's invoice. IDOR is fundamentally an authorization bypass — the application authenticates the user but fails to verify they are authorized to access the specific resource.
Authentication and Session Vulnerabilities
Cross-Site Request Forgery (CSRF / XSRF)
CSRF is a vulnerability that forces an authenticated user's browser to submit an unwanted request to a web application where the user is currently authenticated. If a user is logged into their bank and visits a malicious page, that page can contain a hidden form that submits a funds transfer request to the bank — and the browser automatically includes the user's session cookies. CSRF tokens (unique per-session, per-form tokens) and SameSite cookie attributes are the primary defenses.
Broken Authentication
Broken authentication is a category of vulnerabilities that allow attackers to bypass or compromise authentication mechanisms. This includes weak password policies, exposed session tokens, missing multi-factor authentication, predictable session IDs, and improper session invalidation after logout. Brute force attacks and credential stuffing exploit broken authentication controls.
Session Fixation
Session fixation is an attack where the attacker sets (fixes) a user's session ID before they authenticate. The attacker obtains a valid session ID from the application, tricks the victim into authenticating with that session ID, and then uses the same session ID to access the authenticated session. The defense is to always regenerate the session ID after successful authentication.
Configuration and Design Vulnerabilities
Security Misconfiguration
Security misconfiguration refers to insecure default settings, incomplete configurations, open cloud storage buckets, unnecessary enabled features, verbose error messages that reveal stack traces, or missing security headers. It is consistently one of the most common vulnerability categories because it affects every layer of the stack — web servers, application frameworks, databases, cloud services, and network devices. See our guides on security headers and configuring security headers for practical hardening steps.
Sensitive Data Exposure
Sensitive data exposure occurs when an application fails to adequately protect sensitive information — personally identifiable information (PII), financial data, health records, or credentials. This can result from transmitting data over unencrypted channels (HTTP instead of HTTPS), storing passwords in plaintext or with weak hashing algorithms, exposing sensitive data in URLs or error messages, or failing to mask data in logs.
Protect Against Vulnerabilities
Understanding vulnerability terminology is the first step toward building a resilient security posture. Many of these vulnerabilities — SQL injection, XSS, SSRF, file inclusion, and authentication flaws — can be detected and blocked at the application edge with a properly configured web application firewall. Combined with a CDN for DDoS protection and performance, NOC.org provides comprehensive defense for your web applications. Explore NOC.org's pricing plans to secure your infrastructure.
Get
Started