> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Vulnerabilities

> Security vulnerabilities across secrets, code, and dependencies.

## Overview

Vulnerabilities are security issues detected by Cysmiq. Each vulnerability has a type, severity, status, and supporting context. Scans produce vulnerability candidates that move through triage, confirmation, and remediation.

## Types

* **Secrets**: Leaked credentials, API keys, and tokens
* **Code**: Vulnerabilities in source code
* **Dependencies**: Vulnerable packages flagged by advisory databases such as [CVE](https://cve.mitre.org/) and [GHSA](https://github.com/advisories)

## Triage and confirmation

Scans surface vulnerability candidates. Cysmiq provides type-specific signals to confirm and prioritize them, including indicators of validity or reachability when available.

* **Secrets**: For supported providers, Cysmiq can verify whether a secret is still active. Other detections can be validated with LLM-based checks to reduce false positives
* **Code**: Call chain analysis can provide additional context about how vulnerable code paths are reached
* **Dependencies**: Reachability analysis is in development to show whether a vulnerable package is exercised

Some vulnerability types include additional fields, such as exploitable status. These are covered in the scan details for each type.

See [Secrets scans](/scanning/secrets), [Code scans](/scanning/code), and [Dependency scans](/scanning/dependencies) for type-specific details.

## Severity

Vulnerabilities are assigned a severity level based on potential impact:

* **Critical**: Severe risk requiring immediate action
* **High**: Significant risk, prioritize remediation
* **Medium**: Moderate risk, address in normal workflow
* **Low**: Minor risk, fix when convenient

## Status and lifecycle

Vulnerabilities move through statuses as they are triaged and remediated:

* **Active statuses**: Open, Confirmed, Needs Review, In Progress, In Review
* **Final statuses**: Resolved, Closed

Status changes happen through scan results and user actions. Type-specific behavior is covered in the scan details for each vulnerability type.

See [Vulnerability lifecycle](/vulnerability-management/lifecycle) for the full status and resolution reference.

## Impacts

Each vulnerability is tagged with an impact that describes its real-world consequence. Impacts help prioritize by business risk rather than just technical severity.

Common impacts include:

* **Execute Commands**: remote code execution
* **Takeover Accounts**: session hijacking, auth bypass
* **Access Data**: SQL injection, data disclosure
* **Obtain Secrets**: hardcoded credentials

See [Impacts](/concepts/impacts) for the full list and [Impact Reference](/reference/impacts) for detailed CWE mappings.

## Related concepts

* [Impacts](/concepts/impacts): business-focused risk categories
* [Scans](/concepts/scans): how vulnerabilities are detected

## Related docs

* [Vulnerability detail view](/vulnerability-management/vulnerability-detail-view)
* [Vulnerability lifecycle](/vulnerability-management/lifecycle)
