Snyk API & Web sets a severity level for each finding to summarize its overall risk, based on the following:

- The likelihood of the vulnerability being found and exploited.
- The skills required to exploit the vulnerability.
- The impact of exploiting the vulnerability.
For example, a vulnerability that is easy to find, easy to exploit, and with a high impact will likely be classified with a high severity.
Different findings for the same vulnerability can have different severity levels depending on the context in which Snyk API & Web finds them. Multiple factors can influence this context, and Snyk API & Web takes them into consideration to lower or raise the severity level. For example, the severity of a finding can be higher or lower depending on whether the scanned website or application has authentication.
The following table describes the different severity levels:
| Severity | Description | Examples |
|---|---|---|
| High | These findings may have a direct impact on the application's security, affecting either clients or service owners, for instance by granting the attacker access to sensitive information. | SQL Injection; OS Command Injection |
| Medium | Medium findings don't usually have an immediate impact alone, but combined with other findings they may lead to a successful compromise of the application. | Cross-site Request Forgery; Unencrypted Communications |
| Low | Findings where either the exploit is not trivial, or the finding cannot be exploited by itself. | Directory Listing; Clickjacking |
To learn more about findings, read this article on how to interpret target scan results.