@zerothreatai/vulnerability-registry 3.0.0 → 5.0.0

package/src/categories/injection.ts

@@ -12,11 +12,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     // SQL INJECTION
     // ========================================
     [VulnerabilityCode.SQLI_ERROR_BASED]: {
-        id: 1,
+        id: 300,
         code: VulnerabilityCode.SQLI_ERROR_BASED,
         title: 'SQL Injection - Error Based',
         description: 'Error-based SQL injection vulnerability detected where database error messages are reflected in the application response, allowing attackers to extract sensitive data from the database by manipulating SQL queries and analyzing error output.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'sql-injection',
         cvss: {
@@ -34,11 +35,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SQLI_BOOLEAN_BASED]: {
-        id: 2,
+        id: 301,
         code: VulnerabilityCode.SQLI_BOOLEAN_BASED,
         title: 'SQL Injection - Boolean Based Blind',
         description: 'Boolean-based blind SQL injection vulnerability where the application responds differently based on whether injected conditions evaluate to true or false, enabling attackers to infer database contents one bit at a time through systematic query manipulation.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'sql-injection',
         cvss: {
@@ -56,11 +58,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SQLI_TIME_BASED]: {
-        id: 3,
+        id: 302,
         code: VulnerabilityCode.SQLI_TIME_BASED,
         title: 'SQL Injection - Time Based Blind',
         description: 'Time-based blind SQL injection vulnerability where attackers can infer database contents by measuring response time differences caused by injected time delay functions like SLEEP() or WAITFOR, enabling complete database extraction through timing analysis.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'sql-injection',
         cvss: {
@@ -78,11 +81,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SQLI_STACK_BASED]: {
-        id: 4,
+        id: 303,
         code: VulnerabilityCode.SQLI_STACK_BASED,
         title: 'SQL Injection - Stacked Queries',
         description: 'Critical stacked queries SQL injection vulnerability allowing attackers to execute multiple SQL statements in a single query, enabling destructive operations like DROP TABLE, INSERT into admin tables, or creating backdoor accounts with full database control.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'sql-injection',
         cvss: {
@@ -100,11 +104,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SQLI_UNION_BASED]: {
-        id: 5,
+        id: 304,
         code: VulnerabilityCode.SQLI_UNION_BASED,
         title: 'SQL Injection - UNION Based',
         description: 'UNION-based SQL injection vulnerability allowing attackers to append additional SELECT queries using UNION operator, enabling direct extraction of data from other database tables including user credentials, personal information, and sensitive business data.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'sql-injection',
         cvss: {
@@ -125,11 +130,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     // COMMAND INJECTION
     // ========================================
     [VulnerabilityCode.CMDI_OOB_CONFIRMED]: {
-        id: 6,
+        id: 305,
         code: VulnerabilityCode.CMDI_OOB_CONFIRMED,
         title: 'OS Command Injection - OOB Confirmed',
         description: 'Critical OS command injection vulnerability confirmed through out-of-band callback detection, proving that attacker-controlled shell commands are being executed on the server operating system with full access to system resources and potential for complete server compromise.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'command-injection',
         cvss: {
@@ -147,11 +153,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.CMDI_REFLECTED]: {
-        id: 7,
+        id: 306,
         code: VulnerabilityCode.CMDI_REFLECTED,
         title: 'OS Command Injection - Reflected Output',
         description: 'OS command injection vulnerability confirmed by command output being reflected in the application response, indicating that shell commands execute on the server and their results are returned to the attacker for data exfiltration and system reconnaissance.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'command-injection',
         cvss: {
@@ -169,11 +176,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.CMDI_TIME_BASED]: {
-        id: 8,
+        id: 307,
         code: VulnerabilityCode.CMDI_TIME_BASED,
         title: 'OS Command Injection - Time Based',
         description: 'Time-based OS command injection vulnerability detected through measurable response time delays caused by injected sleep or ping commands, strongly indicating that shell commands execute on the server even though output is not directly visible in responses.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'command-injection',
         cvss: {
@@ -191,11 +199,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.CMDI_ERROR_BASED]: {
-        id: 9,
+        id: 308,
         code: VulnerabilityCode.CMDI_ERROR_BASED,
         title: 'OS Command Injection - Error Based',
         description: 'Potential OS command injection vulnerability indicated by distinctive error messages or system-level exceptions in the application response when malformed shell payloads are submitted, suggesting command execution attempts reach the operating system interpreter.',
         severity: 'medium',
+        levelId: 3,
         category: 'injection',
         scanner: 'command-injection',
         cvss: {
@@ -216,11 +225,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     // SERVER-SIDE TEMPLATE INJECTION
     // ========================================
     [VulnerabilityCode.SSTI_JINJA2]: {
-        id: 10,
+        id: 309,
         code: VulnerabilityCode.SSTI_JINJA2,
         title: 'Server-Side Template Injection - Jinja2',
         description: 'Critical server-side template injection vulnerability in Jinja2 (Python/Flask) where user input is processed as template code, enabling attackers to execute arbitrary Python code on the server through template expressions like {{config}} or {{request.application.__globals__}}.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -238,11 +248,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_TWIG]: {
-        id: 11,
+        id: 310,
         code: VulnerabilityCode.SSTI_TWIG,
         title: 'Server-Side Template Injection - Twig',
         description: 'Critical server-side template injection vulnerability in Twig (PHP/Symfony) where user input is evaluated as template expressions, allowing attackers to execute arbitrary PHP code on the server through filter chains and object method invocations within template syntax.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -260,11 +271,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_FREEMARKER]: {
-        id: 12,
+        id: 311,
         code: VulnerabilityCode.SSTI_FREEMARKER,
         title: 'Server-Side Template Injection - FreeMarker',
         description: 'Critical server-side template injection vulnerability in FreeMarker (Java) where user-controlled data is interpreted as template directives, enabling remote code execution through Java class instantiation and method invocation via FreeMarker built-in expressions.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -282,11 +294,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_GENERIC]: {
-        id: 13,
+        id: 312,
         code: VulnerabilityCode.SSTI_GENERIC,
         title: 'Server-Side Template Injection - Generic',
         description: 'Server-side template injection vulnerability detected where user input is being processed by a template engine, potentially allowing code execution. The specific template engine could not be determined, but mathematical expression evaluation confirms server-side processing of user input.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -304,11 +317,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_VELOCITY]: {
-        id: 14,
+        id: 313,
         code: VulnerabilityCode.SSTI_VELOCITY,
         title: 'Server-Side Template Injection - Velocity',
         description: 'Critical server-side template injection vulnerability in Apache Velocity (Java) where user-controlled data is processed as template directives, enabling arbitrary Java code execution through Velocity Template Language expressions and class instantiation.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -326,11 +340,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_THYMELEAF]: {
-        id: 15,
+        id: 314,
         code: VulnerabilityCode.SSTI_THYMELEAF,
         title: 'Server-Side Template Injection - Thymeleaf',
         description: 'Critical server-side template injection vulnerability in Thymeleaf (Spring/Java) where user input is processed as template expressions, enabling remote code execution through SpEL (Spring Expression Language) injection in template attributes.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -348,11 +363,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_ERB]: {
-        id: 16,
+        id: 315,
         code: VulnerabilityCode.SSTI_ERB,
         title: 'Server-Side Template Injection - ERB',
         description: 'Critical server-side template injection vulnerability in ERB (Ruby on Rails) where user input is embedded in ERB templates and executed as Ruby code, enabling arbitrary system command execution and complete server compromise through Ruby runtime access.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -370,11 +386,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_EJS]: {
-        id: 17,
+        id: 316,
         code: VulnerabilityCode.SSTI_EJS,
         title: 'Server-Side Template Injection - EJS',
         description: 'Critical server-side template injection vulnerability in EJS (Node.js) where user-controlled data is processed as template code, allowing arbitrary JavaScript execution on the server through embedded JavaScript expressions and access to Node.js runtime.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -392,11 +409,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_PUG]: {
-        id: 18,
+        id: 317,
         code: VulnerabilityCode.SSTI_PUG,
         title: 'Server-Side Template Injection - Pug/Jade',
         description: 'Critical server-side template injection vulnerability in Pug (formerly Jade, Node.js) where user input is interpreted as template syntax, enabling arbitrary JavaScript code execution through Pug embedded code blocks and access to server-side Node.js environment.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -414,11 +432,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_SMARTY]: {
-        id: 19,
+        id: 318,
         code: VulnerabilityCode.SSTI_SMARTY,
         title: 'Server-Side Template Injection - Smarty',
         description: 'Critical server-side template injection vulnerability in Smarty (PHP) where user input is processed as template code, enabling arbitrary PHP code execution through Smarty tags and function calls that can lead to complete server compromise.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -436,11 +455,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.SSTI_MAKO]: {
-        id: 20,
+        id: 319,
         code: VulnerabilityCode.SSTI_MAKO,
         title: 'Server-Side Template Injection - Mako',
         description: 'Critical server-side template injection vulnerability in Mako (Python) where user-controlled data is executed as template code, enabling arbitrary Python code execution through Mako expressions and full access to the Python runtime environment.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'ssti',
         cvss: {
@@ -461,11 +481,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     // XXE (XML EXTERNAL ENTITY) - Additional
     // ========================================
     [VulnerabilityCode.XXE_ERROR_BASED]: {
-        id: 21,
+        id: 320,
         code: VulnerabilityCode.XXE_ERROR_BASED,
         title: 'XML External Entity Injection - Error Based',
         description: 'Error-based XXE vulnerability where file contents can be extracted through parser error messages by crafting malformed external entities that include file data in error output, enabling data exfiltration even when direct output is not reflected.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'xxe',
         cvss: {
@@ -483,11 +504,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.XXE_PARAMETER_ENTITY]: {
-        id: 22,
+        id: 321,
         code: VulnerabilityCode.XXE_PARAMETER_ENTITY,
         title: 'XML External Entity Injection - Parameter Entity',
         description: 'XXE vulnerability exploiting parameter entities in DTD declarations to exfiltrate data or perform SSRF attacks when regular external entities are blocked, by using percent-encoded entity references within the document type definition.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'xxe',
         cvss: {
@@ -508,11 +530,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     // LOCAL FILE INCLUSION - Additional
     // ========================================
     [VulnerabilityCode.LFI_FILTER_BYPASS]: {
-        id: 23,
+        id: 322,
         code: VulnerabilityCode.LFI_FILTER_BYPASS,
         title: 'Local File Inclusion - Filter Bypass',
         description: 'Local file inclusion vulnerability that bypasses input validation filters through encoding tricks (URL encoding, double encoding, null bytes), alternate path separators, or case manipulation to access files despite security controls.',
         severity: 'high',
+        levelId: 2,
         category: 'file_inclusion',
         scanner: 'local-file-inclusion',
         cvss: {
@@ -530,11 +553,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.LFI_PROC_DISCLOSURE]: {
-        id: 24,
+        id: 323,
         code: VulnerabilityCode.LFI_PROC_DISCLOSURE,
         title: 'Local File Inclusion - Process Information Disclosure',
         description: 'LFI vulnerability enabling access to /proc filesystem on Linux systems, exposing process memory maps, environment variables with credentials, command line arguments, and other runtime information that can reveal secrets and aid further attacks.',
         severity: 'high',
+        levelId: 2,
         category: 'file_inclusion',
         scanner: 'local-file-inclusion',
         cvss: {
@@ -555,11 +579,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     // XXE (XML EXTERNAL ENTITY)
     // ========================================
     [VulnerabilityCode.XXE_CLASSIC]: {
-        id: 25,
+        id: 324,
         code: VulnerabilityCode.XXE_CLASSIC,
         title: 'XML External Entity Injection - Classic',
         description: 'Classic XXE vulnerability where external XML entities are processed by the parser, allowing attackers to read local files like /etc/passwd or application configuration files by defining external entities that reference file:// protocol URIs in the XML document type definition.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'xxe',
         cvss: {
@@ -577,11 +602,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.XXE_BLIND]: {
-        id: 26,
+        id: 325,
         code: VulnerabilityCode.XXE_BLIND,
         title: 'XML External Entity Injection - Blind',
         description: 'Blind XXE vulnerability where external entities are processed but file contents are not directly returned in the response. Exploitation requires out-of-band techniques like error-based extraction or HTTP callbacks to exfiltrate data from the target server.',
         severity: 'high',
+        levelId: 2,
         category: 'injection',
         scanner: 'xxe',
         cvss: {
@@ -599,11 +625,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.XXE_OOB]: {
-        id: 27,
+        id: 326,
         code: VulnerabilityCode.XXE_OOB,
         title: 'XML External Entity Injection - Out-of-Band',
         description: 'Critical out-of-band XXE vulnerability confirmed through external HTTP/DNS callbacks, proving the XML parser fetches external resources. This enables data exfiltration through URL parameters and server-side request forgery attacks against internal network resources.',
         severity: 'critical',
+        levelId: 1,
         category: 'injection',
         scanner: 'xxe',
         cvss: {
@@ -625,11 +652,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     // LOCAL FILE INCLUSION
     // ========================================
     [VulnerabilityCode.LFI_PATH_TRAVERSAL]: {
-        id: 28,
+        id: 327,
         code: VulnerabilityCode.LFI_PATH_TRAVERSAL,
         title: 'Local File Inclusion - Path Traversal',
         description: 'Path traversal vulnerability allowing attackers to read arbitrary files on the server by manipulating file path parameters with directory traversal sequences like ../ to escape the intended directory and access sensitive system or application configuration files.',
         severity: 'high',
+        levelId: 2,
         category: 'file_inclusion',
         scanner: 'local-file-inclusion',
         cvss: {
@@ -648,11 +676,12 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
     },
 
     [VulnerabilityCode.LFI_SOURCE_DISCLOSURE]: {
-        id: 29,
+        id: 328,
         code: VulnerabilityCode.LFI_SOURCE_DISCLOSURE,
         title: 'Local File Inclusion - Source Code Disclosure',
         description: 'Critical source code disclosure vulnerability where application source files can be read through file inclusion, exposing proprietary code, hardcoded credentials, API keys, database connection strings, and security implementation details that facilitate further attacks.',
         severity: 'high',
+        levelId: 2,
         category: 'file_inclusion',
         scanner: 'local-file-inclusion',
         cvss: {
@@ -670,12 +699,13 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
         remediation: 'Use allowlist validation for file access. Store source files outside web root. Implement proper access controls on file reading functionality. Remove any debug endpoints that read files.',
     },
 
-    [VulnerabilityCode.LFI_WRAPPER_PROTOCOL]: {
-        id: 30,
-        code: VulnerabilityCode.LFI_WRAPPER_PROTOCOL,
-        title: 'Local File Inclusion - PHP Wrapper Protocol',
+    [VulnerabilityCode.LFI_WRAPPER_PROTOCOL]: {
+        id: 329,
+        code: VulnerabilityCode.LFI_WRAPPER_PROTOCOL,
+        title: 'Local File Inclusion - PHP Wrapper Protocol',
         description: 'PHP wrapper protocol exploitation where filter or data wrappers like php://filter or php://input can be used to read source files as base64, write arbitrary files, or achieve remote code execution through deserialization when phar:// wrapper is enabled.',
         severity: 'critical',
+        levelId: 1,
         category: 'file_inclusion',
         scanner: 'local-file-inclusion',
         cvss: {
@@ -689,97 +719,101 @@ export const INJECTION_VULNERABILITIES: Record<string, VulnerabilityDefinition>
         owasp: [
             { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
         ],
-        remediation: 'Disable allow_url_include and allow_url_fopen in PHP configuration. Filter and validate all file path inputs. Block protocol wrappers in user input. Use allowlist for file access.',
-    },
-
-    [VulnerabilityCode.XPATH_AUTH_BYPASS]: {
-        id: 136,
-        code: VulnerabilityCode.XPATH_AUTH_BYPASS,
-        title: 'XPath Injection - Authentication Bypass',
-        description: 'XPath injection vulnerability where crafted input manipulates XPath queries to bypass authentication or authorization checks, allowing attackers to log in as other users or access protected resources without valid credentials.',
-        severity: 'high',
-        category: 'injection',
-        scanner: 'xpath-injection',
-        cvss: {
-            score: 8.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-643', name: 'Improper Neutralization of XPath Expression', url: 'https://cwe.mitre.org/data/definitions/643.html' },
-        ],
-        owasp: [
-            { id: 'A03:2021', name: 'Injection', url: 'https://owasp.org/Top10/A03_2021-Injection/' },
-        ],
-        remediation: 'Use parameterized XPath queries or safe APIs that separate data from query logic. Validate and constrain user input for XPath contexts. Use allowlists and avoid dynamic XPath string concatenation.',
-    },
-
-    [VulnerabilityCode.XPATH_DATA_EXTRACTION]: {
-        id: 137,
-        code: VulnerabilityCode.XPATH_DATA_EXTRACTION,
-        title: 'XPath Injection - Data Extraction',
-        description: 'XPath injection vulnerability that allows attackers to read or enumerate sensitive XML data by manipulating query predicates, leading to disclosure of user data, configuration, or credentials stored in XML-backed systems.',
-        severity: 'high',
-        category: 'injection',
-        scanner: 'xpath-injection',
-        cvss: {
-            score: 7.5,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-643', name: 'Improper Neutralization of XPath Expression', url: 'https://cwe.mitre.org/data/definitions/643.html' },
-        ],
-        owasp: [
-            { id: 'A03:2021', name: 'Injection', url: 'https://owasp.org/Top10/A03_2021-Injection/' },
-        ],
-        remediation: 'Use safe XPath APIs with variables/bind parameters. Apply strict input validation and encoding for XPath contexts. Restrict accessible XML data and apply least-privilege access controls.',
-    },
-
-    [VulnerabilityCode.XPATH_BLIND]: {
-        id: 138,
-        code: VulnerabilityCode.XPATH_BLIND,
-        title: 'XPath Injection - Blind',
-        description: 'Blind XPath injection vulnerability where attackers infer query results through boolean or timing differences, enabling gradual extraction of sensitive XML data despite no direct response output.',
-        severity: 'medium',
-        category: 'injection',
-        scanner: 'xpath-injection',
-        cvss: {
-            score: 6.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-643', name: 'Improper Neutralization of XPath Expression', url: 'https://cwe.mitre.org/data/definitions/643.html' },
-        ],
-        owasp: [
-            { id: 'A03:2021', name: 'Injection', url: 'https://owasp.org/Top10/A03_2021-Injection/' },
-        ],
-        remediation: 'Use parameterized XPath queries and input validation. Normalize error and response behaviors to reduce side-channel differences. Apply rate limiting to limit inference attacks.',
-    },
-
-    [VulnerabilityCode.XPATH_ERROR_BASED]: {
-        id: 139,
-        code: VulnerabilityCode.XPATH_ERROR_BASED,
-        title: 'XPath Injection - Error Based',
-        description: 'XPath injection vulnerability where malformed input triggers verbose error messages that reveal query structure or XML data, enabling attackers to craft precise XPath exploits or extract sensitive information.',
-        severity: 'medium',
-        category: 'injection',
-        scanner: 'xpath-injection',
-        cvss: {
-            score: 5.9,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-643', name: 'Improper Neutralization of XPath Expression', url: 'https://cwe.mitre.org/data/definitions/643.html' },
-        ],
-        owasp: [
-            { id: 'A03:2021', name: 'Injection', url: 'https://owasp.org/Top10/A03_2021-Injection/' },
-        ],
-        remediation: 'Suppress detailed XPath error messages in production. Use safe XPath APIs and validation to prevent injection. Implement centralized error handling with generic responses.',
-    },
-};
+        remediation: 'Disable allow_url_include and allow_url_fopen in PHP configuration. Filter and validate all file path inputs. Block protocol wrappers in user input. Use allowlist for file access.',
+    },
+
+    [VulnerabilityCode.XPATH_AUTH_BYPASS]: {
+        id: 330,
+        code: VulnerabilityCode.XPATH_AUTH_BYPASS,
+        title: 'XPath Injection - Authentication Bypass',
+        description: 'XPath injection vulnerability where crafted input manipulates XPath queries to bypass authentication or authorization checks, allowing attackers to log in as other users or access protected resources without valid credentials.',
+        severity: 'high',
+        levelId: 2,
+        category: 'injection',
+        scanner: 'xpath-injection',
+        cvss: {
+            score: 8.1,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-643', name: 'Improper Neutralization of XPath Expression', url: 'https://cwe.mitre.org/data/definitions/643.html' },
+        ],
+        owasp: [
+            { id: 'A03:2021', name: 'Injection', url: 'https://owasp.org/Top10/A03_2021-Injection/' },
+        ],
+        remediation: 'Use parameterized XPath queries or safe APIs that separate data from query logic. Validate and constrain user input for XPath contexts. Use allowlists and avoid dynamic XPath string concatenation.',
+    },
+
+    [VulnerabilityCode.XPATH_DATA_EXTRACTION]: {
+        id: 331,
+        code: VulnerabilityCode.XPATH_DATA_EXTRACTION,
+        title: 'XPath Injection - Data Extraction',
+        description: 'XPath injection vulnerability that allows attackers to read or enumerate sensitive XML data by manipulating query predicates, leading to disclosure of user data, configuration, or credentials stored in XML-backed systems.',
+        severity: 'high',
+        levelId: 2,
+        category: 'injection',
+        scanner: 'xpath-injection',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-643', name: 'Improper Neutralization of XPath Expression', url: 'https://cwe.mitre.org/data/definitions/643.html' },
+        ],
+        owasp: [
+            { id: 'A03:2021', name: 'Injection', url: 'https://owasp.org/Top10/A03_2021-Injection/' },
+        ],
+        remediation: 'Use safe XPath APIs with variables/bind parameters. Apply strict input validation and encoding for XPath contexts. Restrict accessible XML data and apply least-privilege access controls.',
+    },
+
+    [VulnerabilityCode.XPATH_BLIND]: {
+        id: 332,
+        code: VulnerabilityCode.XPATH_BLIND,
+        title: 'XPath Injection - Blind',
+        description: 'Blind XPath injection vulnerability where attackers infer query results through boolean or timing differences, enabling gradual extraction of sensitive XML data despite no direct response output.',
+        severity: 'medium',
+        levelId: 3,
+        category: 'injection',
+        scanner: 'xpath-injection',
+        cvss: {
+            score: 6.1,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-643', name: 'Improper Neutralization of XPath Expression', url: 'https://cwe.mitre.org/data/definitions/643.html' },
+        ],
+        owasp: [
+            { id: 'A03:2021', name: 'Injection', url: 'https://owasp.org/Top10/A03_2021-Injection/' },
+        ],
+        remediation: 'Use parameterized XPath queries and input validation. Normalize error and response behaviors to reduce side-channel differences. Apply rate limiting to limit inference attacks.',
+    },
+
+    [VulnerabilityCode.XPATH_ERROR_BASED]: {
+        id: 333,
+        code: VulnerabilityCode.XPATH_ERROR_BASED,
+        title: 'XPath Injection - Error Based',
+        description: 'XPath injection vulnerability where malformed input triggers verbose error messages that reveal query structure or XML data, enabling attackers to craft precise XPath exploits or extract sensitive information.',
+        severity: 'medium',
+        levelId: 3,
+        category: 'injection',
+        scanner: 'xpath-injection',
+        cvss: {
+            score: 5.9,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-643', name: 'Improper Neutralization of XPath Expression', url: 'https://cwe.mitre.org/data/definitions/643.html' },
+        ],
+        owasp: [
+            { id: 'A03:2021', name: 'Injection', url: 'https://owasp.org/Top10/A03_2021-Injection/' },
+        ],
+        remediation: 'Suppress detailed XPath error messages in production. Use safe XPath APIs and validation to prevent injection. Implement centralized error handling with generic responses.',
+    },
+};
 
 export default INJECTION_VULNERABILITIES;