● internal · component reference
@vulntrace/ui
The shared design system. Every token and component used across the marketing site, Workspace, and Companion. The landing page lives at /.
v0.115 components
Buttons
Badges & state
9.8 CRITICAL · 8.5 HIGH · 5.0 MEDIUM · 2.1 LOW · archetype G · PASS · inconclusive
Discovered · PoC ready · Validated · Disclosure ready · Submitted
Confidence meter
86 CONFIRMED
S2 source controllable
S3 sanitizer absent
S5 boundary crossed
S8 PoC present
The lock (the gate)
Report generation unlocked
Phase theatre
Recon · Architecture · Intent · Advisories · Attack surface · Deep analysis · Validation · Report
tokens 41k · candidates 5
Finding cards
finding
Submitted · 9.8 CRITICAL
Empty-username SFTP → auth bypass
goshs · CVE-2026-40884
source ssh.ServerConn{User:""}
sink PasswordCallback() ⇒ ok
↳ blank username skips the credential check
archetype G · advisory_scope: public_only
finding
Validated · 8.5 HIGH
FTP listener ignores --upload-only
goshs
source ftpserver.go:101 AuthUser
sink RETR / LIST / DELE served
↳ no UploadOnly branch → full filesystem
archetype G · advisory_scope: public_only
finding
PoC ready · 9.1 CRITICAL
Unauth WebSocket → session hijack
PraisonAI · CVE-2026-40289
source ws.message.sessionId
sink sessions[id].send()
↳ Origin checked, identity is not
archetype H · advisory_scope: public_only
Source → sink / code / pairing
source POST /?delete=
sink os.RemoveAll(path)
↳ ACL enforced on read, not on write
in claude code
/plugin marketplace add vulntraceio/vulntrace
/plugin install vulntrace@vulntrace
any os
$ npx vulntraceai@latest
Stats
0 accepted bugs
0 critical
0 projects
Headings
The archetypes
Eleven shapes that convert.
Each disclosure sharpens the method. Same tool, sharper edge.