This is the most common type of finding, where an actual vulnerability is found. The finding has an actual, concrete impact and is not a theoretical weakness or bad design. It is usually accompanied by a proof of concept or, in obvious cases, by references to similar vulnerabilities.

Example: The application allows arbitrary user input to be rendered in the frontend, which is a typical cross-site scripting vulnerability.