<!--
SPDX-License-Identifier: CC-BY-4.0
Copyright (c) 2024-2026 Acme Corp.
-->
# Acme Demo App
Synthetic application used for CuratorPro customer demos. Not for production.
## Stack
- Frontend: React 18 + TypeScript
- Backend: Node.js / Express
- Vendored: log4j (Java), jQuery, lodash, OpenSSL, MySQL Connector
## Known issues (intentional — demo fixtures)
These are *deliberately* present to give the audit walkthrough something
to find. Do not "fix" them in this fixture.
- `src/components/Comment.tsx:23` — `dangerouslySetInnerHTML` on unsanitised input
- `src/utils/auth.js:12` — hardcoded fallback admin password
- `server/routes/api.js:45` — SQL concatenation
- `server/config/database.js:5` — credentials in source
- `lib/crypto.js:8` — `Math.random` for security tokens
- `lib/legacy.js:18` — MD5 for password hashing
## Known vulnerable dependencies
- `org.apache.logging.log4j:log4j-core:2.14.1` — Log4Shell (CVE-2021-44228)
- `lodash:4.17.20` — CVE-2021-23337
- `jquery:3.3.1` — CVE-2019-11358
- and more — full list in CuratorPro