CVEs for reachability

Last updated: Jun 3, 2026


Fluid Attacks informs of the reachability status at the following levels:

  • Latent: (a) A vulnerable dependency is declared in the package manager, but (b) no file imports the dependency.
  • Potential: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, but (c) the vulnerable function in the dependency is not called from the code.
  • Reachable: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, and (c) the vulnerable function in the dependency is called from the code.

Below are two technical examples and an analogy for better comprehension:

Example in JS (Node.js):

package.json

{
  "name": "demo-app",
  "version": "1.0.0",
  "dependencies": {
    "vulnLib": "1.2.3"
  }
}

app.js

// LATENT: Library declared in package.json but not imported nor used

console.log("Hello world");

// POTENTIAL: Library imported but vulnerable function not used

import vulnLib from 'vulnLib';
console.log("Library loaded but dangerous function not used");

// REACHABLE: Library imported and vulnerable function is used

import vulnLib from 'vulnLib';
vulnLib.dangerousFunction(); // <- Risk activated

Example in Python

requirements.txt

vuln-lib==1.2.3

app.py

# LATENT: Library declared in requirements.txt but not imported nor used
print("Hello world")

# POTENTIAL: Library imported but vulnerable function not used
import vuln_lib
print("Library loaded but dangerous function not used")

# REACHABLE: Library imported and vulnerable function is used
import vuln_lib
vuln_lib.dangerousFunction() # <- Risk activated
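As an added worked example (not Fluid Attacks' tooling), the following Python script applies criteria (a), (b) and (c) above to a requirements.txt and a source file using the standard-library ast module; the package, module and function names are taken from the page's Python example, the inputs are constructed, and it also resolves aliased and from-style imports, which the page's example does not show.

```python
import ast

# Constructed inputs (not a real advisory): the package, module and function from the
# page's Python example. Static call-site matching is a simplification, not Fluid Attacks' method.
VULN_PACKAGE, VULN_MODULE, VULN_FUNCTION = "vuln-lib", "vuln_lib", "dangerousFunction"
REQUIREMENTS = "vuln-lib==1.2.3\nrequests==2.31.0\n"
LATENT_SRC = 'print("Hello world")\n'
POTENTIAL_SRC = 'import vuln_lib\nprint("Library loaded but dangerous function not used")\n'
REACHABLE_SRC = 'import vuln_lib\nvuln_lib.dangerousFunction()  # <- Risk activated\n'
FROM_IMPORT_SRC = 'from vuln_lib import dangerousFunction as df\ndf()\n'

def is_declared(requirements):
    """(a) Is the vulnerable package pinned in requirements.txt?"""
    return any(line.split("==")[0].strip().lower() == VULN_PACKAGE
               for line in requirements.splitlines() if line.strip())

def import_bindings(tree):
    """(b) Local names bound to the vulnerable module and function, plus whether it is imported at all."""
    module_names, function_names, from_import = set(), set(), False
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            module_names.update(a.asname or a.name for a in node.names if a.name == VULN_MODULE)
        elif isinstance(node, ast.ImportFrom) and node.module == VULN_MODULE:
            from_import = True
            function_names.update(a.asname or a.name for a in node.names if a.name == VULN_FUNCTION)
    return bool(module_names or from_import), module_names, function_names

def calls_vulnerable_function(tree, module_names, function_names):
    """(c) Does any call site resolve to the vulnerable function, directly or via an alias?"""
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        f = node.func
        if isinstance(f, ast.Name) and f.id in function_names:
            return True
        if (isinstance(f, ast.Attribute) and f.attr == VULN_FUNCTION
                and isinstance(f.value, ast.Name) and f.value.id in module_names):
            return True
    return False

def classify(requirements, source):
    """Map one requirements file plus one source file to the page's reachability levels."""
    if not is_declared(requirements):
        return "not declared"
    tree = ast.parse(source)
    imported, module_names, function_names = import_bindings(tree)
    if not imported:
        return "latent"
    if calls_vulnerable_function(tree, module_names, function_names):
        return "reachable"
    return "potential"
```

Calls made through getattr, re-exports from another module, or code paths only reached at runtime are invisible to this purely syntactic check, which is why a "potential" verdict is a lower bound on exposure rather than proof that the vulnerable function is never executed.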

Analogy

  • Latent

    1. (a) The book is in the library (declared), but
    2. (b) you do not read any chapter (not imported).
  • Potential

    1. (a) The book is in the library (declared),
    2. (b) you start reading any chapter (imported), but
    3. (c) you do not read the faulty chapter.
  • Reachable

    1. (a) The book is in the library (declared),
    2. (b) you start reading any chapter (imported), and
    3. (c) you read the faulty chapter and use it as a reference for your MBA thesis.

Supported

Latent and Potential

At the Latent and Potential levels, Fluid Attacks supports all CVEs (or other advisories) issued about vulnerable third-party dependencies or libraries in reliable vulnerability databases and written in all supported languages and package managers. See the list of sources in Vulnerability signature update.

Reachable

Currently, Fluid Attacks has methods to detect when software effectively calls known vulnerable functions reported in specific CVE entries/advisories. The complete and up-to-date list, classified by ecosystem, is available in Fluid Attacks' database.

Unsupported

Latent and Potential

At the Latent and Potential levels, Fluid Attacks' testing does not support CVEs/advisories outside its supported data sources and supported languages and packages.

Reachable

At the Reachable level, Fluid Attacks' analysis does not support any CVE/advisory corresponding to vulnerabilities in software libraries not listed in Fluid Attacks' database.
