VYPR

CWE-424

Improper Protection of Alternate Path

ClassDraft

Description

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-127 · CAPEC-554

CVEs mapped to this weakness (15)

  • CVE-2024-8781HigNov 18, 2024
    risk 0.57cvss epss 0.00

    Execution with Unnecessary Privileges, : Improper Protection of Alternate Path vulnerability in TR7 Application Security Platform (ASP) allows Privilege Escalation, -Privilege Abuse. This issue affects Application Security Platform (ASP): v1.4.25.188.

  • CVE-2023-52952HigOct 8, 2024
    risk 0.55cvss 8.5epss 0.00

    A vulnerability has been identified in HiMed Cockpit 12 pro (J31032-K2017-H259) (All versions >= V11.5.1 < V11.6.2), HiMed Cockpit 14 pro+ (J31032-K2017-H435) (All versions >= V11.5.1 < V11.6.2), HiMed Cockpit 18 pro (J31032-K2017-H260) (All versions >= V11.5.1 < V11.6.2), HiMed…

  • CVE-2026-0237HigMay 13, 2026
    risk 0.47cvss epss 0.00

    An improper protection of alternate path vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to an internal automation bridge. This allows a locally authenticated non-admin user to leverage an exposed communication channel to send…

  • CVE-2025-49163MedJun 3, 2025
    risk 0.44cvss 6.7epss 0.00

    Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow booting an arbitrary image via a crafted /usr/bin/gunzip file.

  • CVE-2025-49162MedJun 3, 2025
    risk 0.42cvss 6.4epss 0.00

    Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow file overwrite via TFTP because a remote filename with a space character allows an attacker to control the local filename.

  • CVE-2026-4913MedApr 14, 2026
    risk 0.37cvss 5.7epss 0.01

    Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled.

  • CVE-2026-4270MedMar 16, 2026
    risk 0.36cvss 5.5epss 0.00

    Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client…

  • CVE-2025-0113MedFeb 12, 2025
    risk 0.34cvss epss 0.00

    A problem with the network isolation mechanism of the Palo Alto Networks Cortex XDR Broker VM allows attackers unauthorized access to Docker containers from the host network used by Broker VM. This may allow access to read files sent for analysis and logs transmitted by the…

  • CVE-2025-46655MedApr 26, 2025
    risk 0.32cvss 4.9epss 0.00

    CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for…

  • CVE-2026-0268MedJun 10, 2026
    risk 0.29cvss epss 0.00

    A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel. This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.

  • CVE-2025-58079MedOct 16, 2025
    risk 0.28cvss 4.3epss 0.00

    Improper Protection of Alternate Path (CWE-424) in the AppSuite of desknet's NEO V4.0R1.0 to V9.0R2.0 allows an attacker to create malicious AppSuite applications.

  • CVE-2024-3927MedMay 22, 2024
    risk 0.27cvss 5.3epss 0.00

    The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Form Submission Admin Email Bypass in all versions up to, and including, 5.6.3. This is due to the plugin not properly checking for…

  • CVE-2024-58136KEVApr 10, 2025
    risk 0.12cvss epss 0.88

    Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

  • CVE-2025-4617LowNov 14, 2025
    risk 0.07cvss epss 0.00

    An insufficient policy enforcement vulnerability in Palo Alto Networks Prisma® Browser on Windows allows a locally authenticated non-admin user to bypass the screenshot control feature of the browser. Browser self-protection should be enabled to mitigate this issue.

  • CVE-2025-68939Dec 26, 2025
    risk 0.00cvss epss 0.00

    Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.