0.9.0 (112), 10.2 MB
MIT
VulnAPI: An API Security Vulnerability Scanner
VulnAPI is an open-source project designed to help you scan your APIs for common security vulnerabilities and weaknesses. Using this tool, you can detect potential vulnerabilities in an API and fix the security issues it reports.
Documentation is available at this link: https://vulnapi.cerberauth.com/docs
You can test the scanner against example vulnerability challenges: https://github.com/cerberauth/api-vulns-challenges.
The scanner is capable of detecting the following vulnerabilities:
- JWT `none` algorithm accepted
- JWT not verified
- JWT weak secret used
- JWT null signature accepted
The scanner also detects the following missing security best practices:
- CSP header is not set
- HSTS header is not set
- CORS header is not set
- X-Content-Type-Options header is not set
- X-Frame-Options header is not set
- HTTP TRACE method enabled
- HTTP cookies not marked as Secure, HttpOnly, or SameSite
The scanner performs some discoverability scans:
- Server signature exposed
- Discovery of API endpoints using OpenAPI contracts
- GraphQL introspection enabled
The CLI provides detailed reports on any vulnerabilities and missing best practices detected during the scan.
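As an added example (not VulnAPI's own code), the Go program below shows the kind of checks that sit behind the best-practice and JWT findings listed above: it reports missing security headers, a TRACE method advertised in `Allow`, cookies without Secure/HttpOnly/SameSite, and tokens whose header declares `alg: none` or whose signature segment is empty. The rule identifiers, the `Finding` type, the sample response headers and the unsigned token are all constructed for this example; only the standard library is used.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Finding is one observation about a response or token.
// ID values are invented for this example, not VulnAPI's rule names.
type Finding struct {
	ID      string
	Message string
}

// CheckHeaders reports missing security headers, an advertised TRACE method,
// and cookies lacking Secure / HttpOnly / SameSite (the README's best-practice list).
func CheckHeaders(h http.Header) []Finding {
	var out []Finding
	required := map[string]string{
		"Content-Security-Policy":   "CSP header is not set",
		"Strict-Transport-Security": "HSTS header is not set",
		"X-Content-Type-Options":    "X-Content-Type-Options header is not set",
		"X-Frame-Options":           "X-Frame-Options header is not set",
	}
	names := make([]string, 0, len(required))
	for n := range required {
		names = append(names, n)
	}
	sort.Strings(names) // map iteration order is random; keep findings deterministic
	for _, n := range names {
		if h.Get(n) == "" {
			out = append(out, Finding{ID: strings.ToLower(n) + ".missing", Message: required[n]})
		}
	}
	// TRACE listed in the Allow header (as a server returns it to OPTIONS).
	for _, m := range strings.Split(h.Get("Allow"), ",") {
		if strings.EqualFold(strings.TrimSpace(m), http.MethodTrace) {
			out = append(out, Finding{ID: "http.trace_enabled", Message: "HTTP TRACE method enabled"})
		}
	}
	// net/http parses Set-Cookie attributes; SameSiteDefaultMode means the
	// SameSite attribute was absent (or unrecognised).
	for _, c := range (&http.Response{Header: h}).Cookies() {
		var missing []string
		if !c.Secure {
			missing = append(missing, "Secure")
		}
		if !c.HttpOnly {
			missing = append(missing, "HttpOnly")
		}
		if c.SameSite == http.SameSiteDefaultMode {
			missing = append(missing, "SameSite")
		}
		if len(missing) > 0 {
			out = append(out, Finding{ID: "cookie.attributes",
				Message: fmt.Sprintf("cookie %q lacks %s", c.Name, strings.Join(missing, ", "))})
		}
	}
	return out
}

// CheckJWT inspects the header of a compact JWS for two of the README's JWT
// weaknesses: "alg": "none" and an empty signature segment. It does not verify
// signatures; a real verifier must reject both cases before doing anything else.
func CheckJWT(token string) []Finding {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return []Finding{{ID: "jwt.malformed", Message: "not a three-segment compact JWS"}}
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return []Finding{{ID: "jwt.malformed", Message: "header is not base64url"}}
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return []Finding{{ID: "jwt.malformed", Message: "header is not JSON"}}
	}
	var out []Finding
	if strings.EqualFold(hdr.Alg, "none") {
		out = append(out, Finding{ID: "jwt.alg_none", Message: `header declares "alg": "none" (unsigned)`})
	}
	if parts[2] == "" {
		out = append(out, Finding{ID: "jwt.null_signature", Message: "signature segment is empty"})
	}
	return out
}

// SampleHeaders is a constructed response: HSTS set, TRACE advertised,
// and a session cookie with no security attributes.
func SampleHeaders() http.Header {
	h := http.Header{}
	h.Set("Strict-Transport-Security", "max-age=31536000")
	h.Set("Allow", "GET, POST, TRACE")
	h.Add("Set-Cookie", "session=abc123; Path=/")
	return h
}

// UnsignedToken builds a constructed token with alg none and an empty signature.
func UnsignedToken() string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + enc([]byte(`{"sub":"demo"}`)) + "."
}

func main() {
	for _, f := range append(CheckHeaders(SampleHeaders()), CheckJWT(UnsignedToken())...) {
		fmt.Printf("%-32s %s\n", f.ID, f.Message)
	}
}
```

Run as-is and the sample response yields three missing headers (HSTS is present), one TRACE finding and one cookie finding; the constructed token yields both JWT findings. `CheckJWT` deliberately stops at the header and signature shape: the point of the `none` and null-signature rules is that a verifier must refuse such tokens before any claim is trusted, so the check needs no key.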
Update History
- 0.8.10 (108) → 0.9.0 (112): 14 Apr 2026, 23:00 UTC
- 0.8.10 (108): 13 Dec 2025, 09:47 UTC
11 Oct 2023, 22:02 UTC
14 Apr 2026, 22:55 UTC
13 Dec 2025, 09:47 UTC