Kotlin Mobile
Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.
This article covers Kotlin Mobile support and vulnerability detection for Mend SAST.
Mend SAST-supported Kotlin Mobile file types
| File Type |
|---|
| .kt |
| .ktm |
| .kts |
Mend SAST-supported Kotlin Mobile vulnerability types
The Kotlin Mobile vulnerability types detected by Mend SAST are listed below, grouped by severity and ordered by CWE ID within each severity group.
Kotlin Mobile high-severity vulnerability types
| CWE | Vulnerability Type |
|---|---|
| CWE-22 | Path/Directory Traversal |
| CWE-73 | File Manipulation |
| CWE-78 | Command Injection |
| CWE-79 | Cross-Site Scripting |
| CWE-89 | SQL Injection |
| CWE-89 | External SQL Injection |
| CWE-94 | Code Injection |
| CWE-94 | Server Pages Execution |
| CWE-94 | Arbitrary Code Injection |
| CWE-502 | Deserialization of Untrusted Data |
| CWE-643 | XPath Injection |
| CWE-918 | Server-Side Request Forgery |
Kotlin Mobile medium-severity vulnerability types
| CWE | Vulnerability Type |
|---|---|
| CWE-90 | LDAP Injection |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor (Location) |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor (Data Storage) |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor (Shared Preference) |
| CWE-209 | Log Messages Information Leak |
| CWE-209 | Error Messages Information Exposure |
| CWE-209 | Console Output |
| CWE-244 | Heap Inspection |
| CWE-295 | Man in the Middle Attack |
| CWE-338 | Weak Pseudo-Random |
| CWE-400 | Sleep Denial of Service |
| CWE-400 | Regex Denial of Service (ReDoS) |
| CWE-472 | Hidden HTML Input |
| CWE-501 | Trust Boundary Violation |
| CWE-611 | XML External Entity (XXE) Injection |
| CWE-676 | Miscellaneous Dangerous Functions |
| CWE-676 | External URL |
| CWE-676 | Mobile Miscellaneous |
| CWE-749 | WebView Exposure |
| CWE-798 | Hardcoded Password/Credentials |
| CWE-926 | Improper Export of Android Application Components (Intents) |
Kotlin Mobile low-severity vulnerability types
| CWE | Vulnerability Type |
|---|---|
| CWE-16 | Security Misconfiguration |
| CWE-20 | Session Poisoning |
| CWE-20 | System Properties Change |
| CWE-20 | Mail Relay |
| CWE-20 | Cookie Injection |
| CWE-113 | HTTP Header Injection |
| CWE-113 | HTTP Response Splitting |
| CWE-117 | Log Forging |
| CWE-326 | Weak Encryption Strength |
| CWE-434 | File Upload |
| CWE-497 | System Properties Disclosure |
| CWE-530 | Dangerous File Extensions |
| CWE-601 | Unvalidated/Open Redirect |
| CWE-916 | Weak Hash Strength |
| CWE-941 | Arbitrary Server Connection |
| CWE-1004 | Cookie Without 'HttpOnly' Flag |