CWE-668
Exposure of Resource to Wrong Sphere
Description
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Hierarchy (View 1000)
CVEs mapped to this weakness (268)
page 5 of 14| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41368 | Med | 0.35 | 6.5 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be… | ||
| CVE-2026-35658 | Med | 0.35 | 6.5 | 0.00 | Apr 10, 2026 | OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject. | ||
| CVE-2026-34538 | Med | 0.35 | 6.5 | 0.01 | Apr 9, 2026 | Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with… | ||
| CVE-2025-49574 | Med | 0.35 | 6.4 | 0.00 | Jun 23, 2025 | Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.1, 3.20.2, and 3.15.6, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement… | ||
| CVE-2023-7014 | Med | 0.35 | 5.3 | 0.01 | Feb 5, 2024 | The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract… | ||
| CVE-2021-22897 | Med | 0.35 | 5.3 | 0.03 | Jun 11, 2021 | curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library,… | ||
| CVE-2018-7479 | Med | 0.35 | 5.3 | 0.02 | Feb 26, 2018 | YzmCMS 3.6 allows remote attackers to discover the full path via a direct request to application/install/templates/s1.php. | ||
| CVE-2018-6880 | Med | 0.35 | 5.3 | 0.02 | Feb 12, 2018 | EmpireCMS 6.6 through 7.2 allows remote attackers to discover the full path via an array value for a parameter to class/connect.php. | ||
| CVE-2017-12363 | Med | 0.35 | 5.3 | 0.02 | Nov 30, 2017 | A vulnerability in Cisco WebEx Meeting Server could allow an unauthenticated, remote attacker to modify the welcome message of a meeting on an affected system. The vulnerability is due to insufficient security settings on meetings. An attacker could exploit this vulnerability by… | ||
| CVE-2017-7490 | Med | 0.35 | 5.3 | 0.01 | May 15, 2017 | In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing. | ||
| CVE-2016-5334 | Med | 0.35 | 5.3 | 0.02 | Dec 29, 2016 | VMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x before 7.2.0 allow remote attackers to read /SAAS/WEB-INF and /SAAS/META-INF files via unspecified vectors. | ||
| CVE-2025-6788 | — | Med | 0.34 | — | 0.00 | Jul 11, 2025 | A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources to the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML diagrams. | |
| CVE-2023-23448 | Med | 0.34 | 5.3 | 0.01 | May 15, 2023 | Inclusion of Sensitive Information in Source Code in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to gain information about valid usernames via analysis of source code. | ||
| CVE-2026-34765 | Med | 0.32 | 6.0 | 0.00 | Apr 7, 2026 | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the… | ||
| CVE-2026-42424 | Med | 0.30 | 5.7 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as… | ||
| CVE-2026-2297 | Med | 0.30 | — | 0.00 | Mar 4, 2026 | The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. | ||
| CVE-2017-8171 | Med | 0.30 | 4.6 | 0.00 | Nov 22, 2017 | Huawei smart phones with software earlier than Vicky-AL00AC00B172D versions have a Factory Reset Protection (FRP) bypass security vulnerability. When re-configuring the mobile phone using the factory reset protection (FRP) function, an attacker can login the Talkback mode and… | ||
| CVE-2017-8161 | Med | 0.30 | 4.6 | 0.00 | Nov 22, 2017 | EVA-L09 smartphones with software Earlier than EVA-L09C25B150CUSTC25D003 versions,Earlier than EVA-L09C440B140 versions,Earlier than EVA-L09C464B361 versions,Earlier than EVA-L09C675B320CUSTC675D004 versions have Factory Reset Protection (FRP) bypass security vulnerability. When… | ||
| CVE-2026-42875 | Med | 0.27 | — | 0.00 | May 11, 2026 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when… | ||
| CVE-2026-48096 | Med | 0.26 | 5.0 | 0.00 | Jun 10, 2026 | OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has… |
- risk 0.35cvss 6.5epss 0.00
OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be…
- risk 0.35cvss 6.5epss 0.00
OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.
- risk 0.35cvss 6.5epss 0.01
Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with…
- risk 0.35cvss 6.4epss 0.00
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.1, 3.20.2, and 3.15.6, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement…
- risk 0.35cvss 5.3epss 0.01
The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract…
- risk 0.35cvss 5.3epss 0.03
curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library,…
- risk 0.35cvss 5.3epss 0.02
YzmCMS 3.6 allows remote attackers to discover the full path via a direct request to application/install/templates/s1.php.
- risk 0.35cvss 5.3epss 0.02
EmpireCMS 6.6 through 7.2 allows remote attackers to discover the full path via an array value for a parameter to class/connect.php.
- risk 0.35cvss 5.3epss 0.02
A vulnerability in Cisco WebEx Meeting Server could allow an unauthenticated, remote attacker to modify the welcome message of a meeting on an affected system. The vulnerability is due to insufficient security settings on meetings. An attacker could exploit this vulnerability by…
- risk 0.35cvss 5.3epss 0.01
In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.
- risk 0.35cvss 5.3epss 0.02
VMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x before 7.2.0 allow remote attackers to read /SAAS/WEB-INF and /SAAS/META-INF files via unspecified vectors.
- risk 0.34cvss —epss 0.00
A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources to the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML diagrams.
- risk 0.34cvss 5.3epss 0.01
Inclusion of Sensitive Information in Source Code in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to gain information about valid usernames via analysis of source code.
- risk 0.32cvss 6.0epss 0.00
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the…
- risk 0.30cvss 5.7epss 0.00
OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as…
- risk 0.30cvss —epss 0.00
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
- risk 0.30cvss 4.6epss 0.00
Huawei smart phones with software earlier than Vicky-AL00AC00B172D versions have a Factory Reset Protection (FRP) bypass security vulnerability. When re-configuring the mobile phone using the factory reset protection (FRP) function, an attacker can login the Talkback mode and…
- risk 0.30cvss 4.6epss 0.00
EVA-L09 smartphones with software Earlier than EVA-L09C25B150CUSTC25D003 versions,Earlier than EVA-L09C440B140 versions,Earlier than EVA-L09C464B361 versions,Earlier than EVA-L09C675B320CUSTC675D004 versions have Factory Reset Protection (FRP) bypass security vulnerability. When…
- risk 0.27cvss —epss 0.00
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when…
- risk 0.26cvss 5.0epss 0.00
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has…