VYPR

CWE-693

Protection Mechanism Failure

PillarDraft

Description

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-107 · CAPEC-127 · CAPEC-17 · CAPEC-20 · CAPEC-22 · CAPEC-237 · CAPEC-36 · CAPEC-477 · CAPEC-480 · CAPEC-51 · CAPEC-57 · CAPEC-59 · CAPEC-65 · CAPEC-668 · CAPEC-74 · CAPEC-87

CVEs mapped to this weakness (353)

page 2 of 18
  • CVE-2023-33150CriJul 11, 2023
    risk 0.62cvss 9.6epss 0.02

    Microsoft Office Security Feature Bypass Vulnerability

  • CVE-2025-3114CriApr 9, 2025
    risk 0.61cvss epss 0.00

    Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise. Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows…

  • CVE-2026-44451CriMay 26, 2026
    risk 0.60cvss 9.3epss 0.00

    Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator…

  • CVE-2026-12316CriJun 16, 2026
    risk 0.59cvss 9.1epss 0.00

    Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12315CriJun 16, 2026
    risk 0.59cvss 9.1epss 0.00

    Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2025-15618CriMar 31, 2026
    risk 0.59cvss 9.1epss 0.00

    Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic…

  • CVE-2026-21671CriMar 12, 2026
    risk 0.59cvss 9.1epss 0.01

    A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.

  • CVE-2025-43273CriJul 30, 2025
    risk 0.59cvss 9.1epss 0.01

    A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.8. A sandboxed process may be able to circumvent sandbox restrictions.

  • CVE-2025-6427CriJun 24, 2025
    risk 0.59cvss 9.1epss 0.00

    An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability was fixed in Firefox 140 and Thunderbird 140.

  • CVE-2024-25091CriMar 1, 2024
    risk 0.59cvss 9.1epss 0.00

    Protection mechanism failure issue exists in RevoWorks SCVX prior to scvimage4.10.21_1013 (when using 'VirusChecker' or 'ThreatChecker' feature) and RevoWorks Browser prior to 2.2.95 (when using 'VirusChecker' or 'ThreatChecker' feature). If data containing malware is saved in…

  • CVE-2026-47140CriJun 12, 2026
    risk 0.58cvss 10.0epss 0.01

    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed…

  • CVE-2017-10952HigAug 29, 2017
    risk 0.58cvss 8.8epss 0.07

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.0.2051. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw…

  • CVE-2025-24284HigJun 11, 2026
    risk 0.57cvss 8.8epss 0.00

    This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Sequoia 15.4. An app may be able to break out of its sandbox.

  • CVE-2026-50564CriJun 10, 2026
    risk 0.57cvss 9.9epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the…

  • CVE-2026-50545CriJun 10, 2026
    risk 0.57cvss 9.9epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec…

  • CVE-2026-11248HigJun 5, 2026
    risk 0.57cvss 8.8epss 0.00

    Inappropriate implementation in Google Lens in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-45697CriMay 29, 2026
    risk 0.57cvss 9.8epss 0.00

    Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the…

  • CVE-2026-26956CriMay 4, 2026
    risk 0.57cvss 9.8epss 0.01

    vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in…

  • CVE-2026-26332CriMay 4, 2026
    risk 0.57cvss 9.8epss 0.01

    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

  • CVE-2026-24781CriMay 4, 2026
    risk 0.57cvss 9.8epss 0.01

    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.…