Security Audit Report

SECURITY-AUDIT-2026-01-27.pdf

5 findingsScanned Jan 27, 2026

naga.ac

App Router

5High

Attack Surface

Routes

Query Params

Custom Headers

GET

/api/auth

GET

/api/early_access_features

?stage?token

POST

/api/orgs/[orgId]/logo

GET

/api/product_tours

?token

POST

/api/profile/avatar

POST

/api/uploads/avatar/presign

POST

/api/uploads/org-logo/presign

GET

/audio/speech

GET

/audio/transcriptions

GET

/auth/check-email

?type

GET

/auth/forgot-password

GET

/auth/redirect/[token]

GET

/auth/sign-in

?callbackUrl

GET

/auth/sign-up

?callbackUrl

GET

/chat

GET

/chat/completions

GET

/dashboard/account

GET

/dashboard/api-keys

GET

/dashboard/credits

GET

/dashboard/logs

GET

/dashboard/metrics

GET

/dashboard/organization

GET

/dashboard/referrals

GET

/embeddings

POST

/flags

?config?only_evaluate_survey_feature_flags?v

GET

/image

GET

/image-edits

GET

/images/edits

GET

/images/generations

GET

/models

GET

/models/[id]

GET

/models/[id]/activity

GET

/models/[id]/examples

GET

/models/[id]/performance

GET

/models/[id]/specifications

GET

/models/[id]/uptime

GET

/moderations

GET

/playground

GET

/project/[token]/person/[distinct_id]

GET

/speech-to-text

GET

/startups/[id]

GET

/text-to-speech

X-CSB-API-Version

X-XSRF-TOKEN

__next_hmr_refresh_hash__

_rsc

next-action

next-hmr-refresh

next-router-prefetch

next-router-segment-prefetch

next-router-state-tree

next-url

rsc

text/x-component

x-action-redirect

x-action-revalidated

x-captcha-response

x-deployment-id

x-forwarded-host

x-forwarded-proto

x-nextjs-action-not-found

x-nextjs-html-request-id

x-nextjs-postponed

x-nextjs-prerender

x-nextjs-request-id

x-nextjs-rewritten-path

x-nextjs-rewritten-query

x-nextjs-stale-time

Security Findings

5 findings redacted

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#1 of 5

HIGH

SQL injection risk detected

Database queries constructed using unsanitized user input.

#2 of 5

HIGH

Insecure deserialization

Untrusted data deserialized without validation.

#3 of 5

HIGH

Missing access control

Endpoints lack proper authorization checks.

#4 of 5

HIGH

Cross-site scripting vulnerability

User input rendered without proper sanitization.

#5 of 5

naga.ac

Attack Surface

Routes (42)

Custom Headers (26)

Security Findings

Cross-site scripting vulnerability

SQL injection risk detected

Insecure deserialization

Missing access control

Cross-site scripting vulnerability