| ID | Finding | Component | Severity | Status | Date |
|---|---|---|---|---|---|
| f-001 | SQL injection in /login (online.keensafeglobalbank.com) | internet-banking | critical | open | 2026-04-22 |
| f-002 | BOLA / IDOR in /api/v1/accounts/{id} | public-api | high | open | 2026-04-23 |
| f-003 | SSRF in /api/v1/fetch | public-api | high | open | 2026-04-24 |
| f-004 | Stealer-log credential reused on /admin/login | admin-panel | critical | open | 2026-04-22 |
| f-005 | Weak JWT — alg=none accepted | internet-banking | high | open | 2026-04-25 |
| f-006 | Path traversal in /files/download and /api/v1/export | internet-banking + public-api | high | open | 2026-04-25 |
| f-007 | Stored XSS in admin notes and support comments | admin-panel + support-portal | medium | open | 2026-04-23 |
| f-008 | Mass assignment — PUT /api/v1/users/{id} accepts role | public-api | high | open | 2026-04-24 |
| f-009 | Wide-open CORS on api.keensafeglobalbank.com | public-api | medium | open | 2026-04-23 |
| f-010 | Sensitive backup zip exposed at /backup/ | corporate-web | high | open | 2026-04-21 |
| f-011 | Prompt injection / system-prompt leakage on chatbot | llm-chatbot | high | open | 2026-04-26 |
| f-012 | Hard-coded admin / admin123 + MFA accepts 0000 | admin-panel | critical | open | 2026-04-21 |
| f-013 | Audit log tampering — DELETE /audit-logs/{id} | admin-panel | high | open | 2026-04-22 |
| f-014 | GDPR / KVKK over-disclosure — customer records via /customer-lookup | support-portal | high | open | 2026-04-23 |
| f-015 | Leaked AWS keys in build logs (Jenkins) and SDK samples | jenkins + developer-portal | high | open | 2026-04-24 |