VYPR

CWE-749

Exposed Dangerous Method or Function

Abstraction: Base | Status: Incomplete | Likelihood: Low

Description

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-500

CVEs mapped to this weakness (65)

page 3 of 4
  • CVE-2026-6402 | Med | May 12, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers…

  • CVE-2025-24361 | Med | Jan 25, 2025
    risk 0.27 | cvss 5.3 | epss 0.00

    Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request…

  • CVE-2024-51992 | Med | Nov 11, 2024
    risk 0.20 | cvss 4.1 | epss 0.00

    Orchid is a @laravel package that allows for rapid application development of back-office applications, admin/user panels, and dashboards. This vulnerability is a method exposure issue (CWE-749: Exposed Dangerous Method or Function) in the Orchid Platform’s asynchronous modal…

  • CVE-2026-30957 | Mar 10, 2026
    risk 0.00 | cvss | epss 0.01

    OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic…

  • CVE-2026-30921 | Mar 9, 2026
    risk 0.00 | cvss | epss 0.00

    OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted…

  • CVE-2026-26190 | Feb 13, 2026
    risk 0.00 | cvss | epss 0.28

    Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from…

  • CVE-2026-22812 | Jan 12, 2026
    risk 0.00 | cvss | epss 0.17

    OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is…

  • CVE-2025-68697 | Dec 26, 2025
    risk 0.00 | cvss | epss 0.00

    n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from…

  • CVE-2025-64443 | Dec 3, 2025
    risk 0.00 | cvss | epss 0.00

    MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a…

  • CVE-2025-30359 | Jun 3, 2025
    risk 0.00 | cvss | epss 0.00

    webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not…

  • CVE-2024-6863 | Mar 20, 2025
    risk 0.00 | cvss | epss 0.00

    In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it…

  • CVE-2024-55893 | Jan 14, 2025
    risk 0.00 | cvss | epss 0.00

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing…

  • CVE-2024-55894 | Jan 14, 2025
    risk 0.00 | cvss | epss 0.00

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing…

  • CVE-2024-55920 | Jan 14, 2025
    risk 0.00 | cvss | epss 0.00

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing…

  • CVE-2024-55921 | Jan 14, 2025
    risk 0.00 | cvss | epss 0.00

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing…

  • CVE-2024-55922 | Jan 14, 2025
    risk 0.00 | cvss | epss 0.00

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing…

  • CVE-2024-55923 | Jan 14, 2025
    risk 0.00 | cvss | epss 0.00

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing…

  • CVE-2024-55924 | Jan 14, 2025
    risk 0.00 | cvss | epss 0.00

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing…

  • CVE-2024-55945 | Jan 14, 2025
    risk 0.00 | cvss | epss 0.00

    TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing…

  • CVE-2024-27444 | Feb 26, 2024
    risk 0.00 | cvss | epss 0.01

    langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute…