VYPR

CWE-668

Exposure of Resource to Wrong Sphere

Abstraction: Class; Status: Draft

Description

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

CVEs mapped to this weakness (268), page 7 of 14

  • CVE-2026-29093 (Mar 6, 2026)
    risk 0.00, cvss not listed, epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached…

  • CVE-2025-68467 (Mar 4, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Dark Reader is an accessibility browser extension that makes web page colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. In order to analyze cross-origin style sheets (stored on websites…

  • CVE-2026-26057 (Feb 19, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow an unauthenticated, remote attacker to interact with the server API and either…

  • CVE-2026-25725 (Feb 6, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and…

  • CVE-2025-61917 (Feb 4, 2026)
    risk 0.00, cvss not listed, epss 0.00

    n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual…

  • CVE-2026-25253 (Feb 1, 2026)
    risk 0.00, cvss not listed, epss 0.08

    OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.

  • CVE-2026-24473 (Jan 27, 2026)
    risk 0.00, cvss not listed, epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the…

  • CVE-2025-32783 (Apr 16, 2025)
    risk 0.00, cvss not listed, epss 0.00

    XWiki Platform is a generic wiki platform. A vulnerability in versions from 5.0 to 16.7.1 affects wikis that have Message Stream enabled and are configured as closed by selecting "Prevent unregistered users to view pages" in the Administration Rights. The vulnerability is that…

  • CVE-2024-27137 (Feb 4, 2025)
    risk 0.00, cvss not listed, epss 0.00

    In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The…

  • CVE-2024-22281 (Aug 20, 2024)
    risk 0.00, cvss not listed, epss 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. This issue affects Apache Helix Front (UI): all versions. As this project is retired, we do not…

  • CVE-2024-35199 (Jul 18, 2024)
    risk 0.00, cvss not listed, epss 0.01

    TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions the two gRPC ports, 7070 and 7071, are not bound to localhost by default, so when TorchServe is launched these two interfaces are bound…

  • CVE-2024-5154 (Jun 12, 2024)
    risk 0.00, cvss not listed, epss 0.01

    A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal ("../"). This flaw allows the container to read and write to arbitrary files on the host system.

  • CVE-2024-32473 (Apr 18, 2024)
    risk 0.00, cvss not listed, epss 0.00

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. An…

  • CVE-2024-29905 (Apr 9, 2024)
    risk 0.00, cvss not listed, epss 0.00

    DIRAC is an interware, meaning a software framework for distributed computing. Prior to version 8.0.41, during the proxy generation process (e.g., when using `dirac-proxy-init`), it is possible for unauthorized users on the same machine to gain read access to the proxy. This…

  • CVE-2024-27906 (Feb 29, 2024)
    risk 0.00, cvss not listed, epss 0.00

    Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to…

  • CVE-2024-21626 (Jan 31, 2024)
    risk 0.00, cvss not listed, epss 0.18

    runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the…

  • CVE-2023-48291 (Dec 21, 2023)
    risk 0.00, cvss not listed, epss 0.02

    Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus,…

  • CVE-2023-5545 (Nov 9, 2023)
    risk 0.00, cvss not listed, epss 0.01

    H5P metadata automatically populated the author with the user's username, which could be sensitive information.

  • CVE-2023-5542 (Nov 9, 2023)
    risk 0.00, cvss not listed, epss 0.00

    Students in "Only see own membership" groups could see other students in the group, which should be hidden.

  • CVE-2023-37911 (Oct 25, 2023)
    risk 0.00, cvss not listed, epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the…
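The first entry on this page (CVE-2026-29093) is the port-publication shape of CWE-668: a compose file that publishes memcached on 0.0.0.0:11211 puts the whole PHP session store one TCP connection away from anyone who can reach the host. The Python below is an added example, not code from the AVideo project or from this site. It parses docker-compose short-syntax port mappings and reports every service bound to anything other than a loopback address; the two compose fragments it checks are constructed, with the weak mapping beside the corrected one.

```python
"""Audit docker-compose short-syntax port mappings for services published on
all host interfaces. Added example; the compose fragments are constructed."""
import ipaddress

# Constructed sample: the weak mapping publishes memcached on every host
# interface (0.0.0.0:11211); the corrected one binds it to loopback only.
WEAK_COMPOSE_PORTS = {
    "memcached": ["0.0.0.0:11211:11211"],
    "web": ["80:80", "443:443"],
}
FIXED_COMPOSE_PORTS = {
    "memcached": ["127.0.0.1:11211:11211"],
    "web": ["80:80", "443:443"],
}


def parse_port_mapping(spec: str) -> tuple[str, str, str]:
    """Parse "[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/proto]".

    Returns (host_ip, host_port, container_port). A mapping without a host
    IP is bound by Docker to all interfaces, reported here as "0.0.0.0".
    A bare container port is published on an ephemeral host port, again on
    all interfaces, so host_port is reported as "ephemeral".
    """
    spec = spec.split("/", 1)[0]  # drop a trailing "/tcp" or "/udp"
    if spec.startswith("["):      # bracketed IPv6 host address, e.g. [::1]:11211:11211
        ip, _, rest = spec[1:].partition("]:")
        host_port, sep, container_port = rest.partition(":")
        if not sep:
            raise ValueError(f"unrecognised port mapping: {spec!r}")
        return ip, host_port, container_port
    parts = spec.split(":")
    if len(parts) == 1:
        return "0.0.0.0", "ephemeral", parts[0]
    if len(parts) == 2:
        return "0.0.0.0", parts[0], parts[1]
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    # Unbracketed IPv6 literals are ambiguous in this syntax; refuse them.
    raise ValueError(f"unrecognised port mapping: {spec!r}")


def is_loopback(ip: str) -> bool:
    """True only for a literal loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # a hostname is resolved at runtime; do not trust it


def exposed_services(compose_ports: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (service, host_ip, host_port) for every mapping reachable from
    beyond the host, i.e. bound to something other than a loopback address."""
    findings = []
    for service, specs in compose_ports.items():
        for spec in specs:
            host_ip, host_port, _container = parse_port_mapping(spec)
            if not is_loopback(host_ip):
                findings.append((service, host_ip, host_port))
    return findings


if __name__ == "__main__":
    for label, ports in (("weak", WEAK_COMPOSE_PORTS), ("fixed", FIXED_COMPOSE_PORTS)):
        print(label, exposed_services(ports))
```

Binding to 127.0.0.1 only helps if the clients that need memcached (here, the PHP containers) reach it over the compose network rather than the host port; the finding for the web service is expected and is the point of the check: everything it lists is deliberately public or is a mistake.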
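The cri-o entry (CVE-2024-5154) describes the symlink-plus-traversal escape: a path the container controls resolves, after following links and "..", to a file on the host. The Python below is an added example rather than cri-o's code. It builds a throwaway rootfs in a temporary directory, plants a symlink that points outside it, and shows a containment check that resolves the path completely before comparing it against the real root.

```python
"""Reject container-supplied paths that escape the rootfs via symlinks or "..".
Added example; the rootfs layout is constructed in a temporary directory."""
import os
import tempfile


def resolve_inside_root(root: str, untrusted_path: str) -> str:
    """Return the real host path for untrusted_path taken relative to root,
    or raise PermissionError if the fully resolved target leaves root.

    realpath() follows every symlink component and collapses "..", so a link
    planted by the container that points at a host file resolves to that
    host file and fails the containment test. Comparing against the real
    root (not the path as given) avoids false rejections when root itself
    sits behind a symlink.
    """
    real_root = os.path.realpath(root)
    joined = os.path.join(real_root, untrusted_path.lstrip("/"))
    candidate = os.path.realpath(joined)
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise PermissionError(f"{untrusted_path!r} resolves outside {root!r}: {candidate}")
    return candidate


def demo() -> dict[str, bool]:
    """Build a fake rootfs and try three paths; True means the path was allowed."""
    results = {}
    with tempfile.TemporaryDirectory() as host:
        rootfs = os.path.join(host, "rootfs")
        os.makedirs(os.path.join(rootfs, "etc"))
        with open(os.path.join(rootfs, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        # A file that lives outside the rootfs, standing in for host data.
        secret = os.path.join(host, "host-secret")
        with open(secret, "w") as f:
            f.write("host data (constructed)\n")
        # Symlink the container controls, pointing at the host file.
        os.symlink(secret, os.path.join(rootfs, "etc", "leak"))
        for name in ("etc/hosts", "etc/leak", "../host-secret"):
            try:
                resolve_inside_root(rootfs, name)
                results[name] = True
            except PermissionError:
                results[name] = False
    return results


if __name__ == "__main__":
    print(demo())
```

A resolve-then-open check of this kind is still racy: a container that can swap the link between the check and the subsequent open can win the race. The robust fix on Linux is to let the kernel enforce containment during lookup, via openat2(2) with RESOLVE_IN_ROOT, which is what container runtimes moved to; the user-space check above is the minimum that catches the static case.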
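The DIRAC entry (CVE-2024-29905) is the other common shape of this weakness: a credential written on a shared machine where other local accounts can read it. The Python below is an added example, not DIRAC's code. It contrasts a create-then-chmod write, which under the usual umask of 022 leaves the file readable by every local user until chmod runs, with a write that creates the file at mode 0600 from its first instant and renames it into place; the key material is a constructed placeholder string.

```python
"""Write a credential file so that no other local user can read it at any
point in its lifetime. Added example; the file content is a placeholder."""
import os
import stat
import tempfile


def write_private_file(path: str, data: bytes) -> None:
    """Create path with mode 0600 from the moment it exists.

    O_CREAT|O_EXCL with an explicit 0o600 mode means the file never exists
    with group or world bits set: umask can only remove permission bits,
    never add them. Writing to a same-directory temporary name and renaming
    makes the final file appear atomically with its full content.
    """
    directory = os.path.dirname(path) or "."
    tmp = os.path.join(directory, f".{os.path.basename(path)}.{os.getpid()}.tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def other_users_can_read(path: str) -> bool:
    """True if the group or world read bit is set on path."""
    mode = os.lstat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo() -> tuple[bool, bool]:
    """Return (exposed_by_naive_write, exposed_by_careful_write)."""
    placeholder = b"-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n"
    with tempfile.TemporaryDirectory() as d:
        naive = os.path.join(d, "proxy-naive.pem")
        careful = os.path.join(d, "proxy.pem")
        old_umask = os.umask(0o022)  # the common default: new files get 0644
        try:
            # Create-then-chmod: the file is world-readable until chmod runs.
            with open(naive, "wb") as f:
                f.write(placeholder)
            naive_exposed = other_users_can_read(naive)
            os.chmod(naive, 0o600)  # too late for anyone who opened it already
            write_private_file(careful, placeholder)
            careful_exposed = other_users_can_read(careful)
        finally:
            os.umask(old_umask)
    return naive_exposed, careful_exposed


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to the directory: a 0600 file inside a world-listable directory still leaks its existence and name, so credential directories should be created 0700 in the same create-with-mode way rather than fixed up afterwards.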