Threat library

What we find in the wild

A growing catalogue of real vulnerabilities discovered across recent Sentryx engagements — sanitised, categorised, and mapped to defensive controls.

Critical | API

Chained IDOR + auth bypass

Predictable resource IDs combined with weak session validation, enabling cross-tenant data access in payments APIs.

Critical | Smart Contract

Oracle manipulation via flash loan

Single-source price feeds in lending vaults allow an attacker to manipulate the price and drain liquidity within a single transaction.

High | Cloud

IAM privilege escalation via PassRole

Over-broad iam:PassRole permissions on Lambda execution roles, letting low-privilege users reach admin roles through the functions they can deploy.

High | Web

OAuth state parameter omission

Missing CSRF protection (no state parameter) on social login callbacks, enabling account takeover via crafted redirects.

Medium | Mobile

Insecure deeplink handlers

Unvalidated deeplink intents that trigger authenticated actions without user confirmation.

Medium | DevSecOps

Secrets in CI artifacts

Build logs and cached image layers leaking API keys, even where secret scanning runs at commit time.

Want the full library?

Subscribe to the Threat Brief or request a tailored briefing for your stack.
