What are common vulnerabilities in Claude code?
While Claude produces fewer raw vulnerability instances than some competitors, it still commonly generates code with missing rate limiting, overly permissive CORS configurations, incomplete error handling that leaks internal details, and insufficient Content Security Policy headers. Claude-generated authentication code may lack brute-force protection or proper session invalidation on logout. The model sometimes generates overly complex solutions that introduce unnecessary attack surface when simpler, more secure alternatives exist. Server-side request forgery protections are frequently absent in code that fetches external URLs. UNPWNED detects these patterns by scanning the live application for real exploitable weaknesses.
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.