<!--
SPDX-License-Identifier: CC-BY-4.0
Copyright (c) 2024-2026 Acme Corp.
-->

# Acme Demo App

Synthetic application used for CuratorPro customer demos. Not for production.

## Stack

- Frontend: React 18 + TypeScript
- Backend: Node.js / Express
- Vendored: log4j (Java), jQuery, lodash, OpenSSL, MySQL Connector

## Known issues (intentional — demo fixtures)

These are *deliberately* present to give the audit walkthrough something
to find. Do not "fix" them in this fixture.

- `src/components/Comment.tsx:23` — `dangerouslySetInnerHTML` on unsanitised input
- `src/utils/auth.js:12` — hardcoded fallback admin password
- `server/routes/api.js:45` — SQL concatenation
- `server/config/database.js:5` — credentials in source
- `lib/crypto.js:8` — `Math.random` for security tokens
- `lib/legacy.js:18` — MD5 for password hashing

## Known vulnerable dependencies

- `org.apache.logging.log4j:log4j-core:2.14.1` — Log4Shell (CVE-2021-44228)
- `lodash:4.17.20` — CVE-2021-23337
- `jquery:3.3.1` — CVE-2019-11358
- and more — full list in CuratorPro
