CWE-749
Exposed Dangerous Method or Function
BaseIncompleteLikelihood: Low
Description
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-500
CVEs mapped to this weakness (20)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2010-1428 | Hig | 0.75 | 7.5 | 0.68 | KEV | Apr 28, 2010 | The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method. |
| CVE-2022-31491 | Cri | 0.65 | 10.0 | 0.00 | Aug 22, 2025 | Voltronic Power ViewPower through 1.04-24215, ViewPower Pro through 2.0-22165, and PowerShield Netguard before 1.04-23292 allows a remote attacker to run arbitrary code via an unspecified web interface related to detection of a managed UPS shutting down. An unauthenticated attacker can use this to run arbitrary code immediately regardless of any managed UPS state or presence. | |
| CVE-2010-0738 | Med | 0.63 | 5.3 | 0.92 | KEV | Apr 28, 2010 | The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method. |
| CVE-2006-1547 | Hig | 0.63 | 7.5 | 0.22 | KEV | Mar 30, 2006 | ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils. |
| CVE-2026-2275 | Cri | 0.62 | 9.6 | 0.00 | Mar 30, 2026 | The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling. | |
| CVE-2026-22208 | Cri | 0.62 | 9.6 | 0.00 | Feb 17, 2026 | OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart. | |
| CVE-2026-5173 | Hig | 0.55 | 8.5 | 0.00 | Apr 8, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control. | |
| CVE-2025-34114 | Hig | 0.55 | — | 0.00 | Jul 25, 2025 | A client-side security misconfiguration vulnerability exists in OpenBlow whistleblowing platform across multiple versions and default deployments, due to the absence of critical HTTP response headers including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. This omission weakens browser-level defenses and exposes users to cross-site scripting (XSS), clickjacking, and referer leakage. Although some instances attempt to enforce CSP via HTML <meta> tags, this method is ineffective, as modern browsers rely on header-based enforcement to reliably block inline scripts and untrusted resources. | |
| CVE-2024-12651 | Hig | 0.55 | 8.5 | 0.00 | Feb 14, 2025 | Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables.This issue affects HGS Mobile App: before 6.5.0. | |
| CVE-2026-35488 | Hig | 0.53 | 8.1 | 0.00 | Apr 7, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods — including DELETE, PUT, and PATCH — without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4. | |
| CVE-2024-6689 | Hig | 0.51 | 7.8 | 0.00 | Jul 15, 2024 | Local Privilege Escalation in MSI-Installer in baramundi Management Agent v23.1.172.0 on Windows allows a local unprivileged user to escalate privileges to SYSTEM. | |
| CVE-2026-28400 | Hig | 0.49 | 7.5 | 0.00 | Feb 27, 2026 | Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the --log-file flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at model-runner.docker.internal without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw` ), resulting in the destruction of all containers, images, volumes, and build history. However, in specific configurations and with user interaction, it is possible to convert this vulnerability in a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable. | |
| CVE-2025-24359 | Hig | 0.48 | 8.4 | 0.00 | Jan 24, 2025 | ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue. | |
| CVE-2025-43003 | Med | 0.42 | 6.4 | 0.00 | May 13, 2025 | SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field. On performing this step the attacker could gain access to highly sensitive information. This could cause a high impact on confidentiality and minimal impact on integrity and availability of the application. | |
| CVE-2025-9611 | Hig | 0.40 | — | 0.00 | Jan 7, 2026 | Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints. | |
| CVE-2025-48415 | Med | 0.40 | 6.2 | 0.00 | May 21, 2025 | A USB backdoor feature can be triggered by attaching a USB drive that contains specially crafted "salia.ini" files. The .ini file can contain several "commands" that could be exploited by an attacker to export or modify the device configuration, enable an SSH backdoor or perform other administrative actions. Ultimately, this backdoor also allows arbitrary execution of OS commands. | |
| CVE-2026-25266 | Med | 0.36 | 5.5 | 0.00 | May 4, 2026 | Memory corruption while processing IOCTL command when device is in power-save state. | |
| CVE-2025-24361 | Med | 0.27 | 5.3 | 0.00 | Jan 25, 2025 | Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue. | |
| CVE-2024-51992 | Med | 0.20 | 4.1 | 0.00 | Nov 11, 2024 | Orchid is a @laravel package that allows for rapid application development of back-office applications, admin/user panels, and dashboards. This vulnerability is a method exposure issue (CWE-749: Exposed Dangerous Method or Function) in the Orchid Platform’s asynchronous modal functionality, affecting users of Orchid Platform version 8 through 14.42.x. Attackers could exploit this vulnerability to call arbitrary methods within the `Screen` class, leading to potential brute force of database tables, validation checks against user credentials, and disclosure of the server’s real IP address. The issue has been patched in the latest release, version 14.43.0, released on November 6, 2024. Users should upgrade to version 14.43.0 or later to address this vulnerability. If upgrading to version 14.43.0 is not immediately possible, users can mitigate the vulnerability by implementing middleware to intercept and validate requests to asynchronous modal endpoints, allowing only approved methods and parameters. | |
| CVE-2014-0758 | 0.00 | — | 0.01 | Feb 24, 2014 | An ActiveX control in GenLaunch.htm in ICONICS GENESIS32 8.0, 8.02, 8.04, and 8.05 allows remote attackers to execute arbitrary programs via a crafted HTML document. |