Common Weakness Enumeration

CWE-669

Allowed-with-Review

Incorrect Resource Transfer Between Spheres

Abstraction: Class · Status: Draft

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

144 vulnerabilities reference this CWE, most recent first.

GHSA-H53C-VV76-W4W5

Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34
VLAI
Details

Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection.

This issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T23:16:33Z",
    "severity": "HIGH"
  },
  "details": "Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection.\n\nThis issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.",
  "id": "GHSA-h53c-vv76-w4w5",
  "modified": "2026-06-13T00:34:33Z",
  "published": "2026-06-13T00:34:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12068"
    },
    {
      "type": "WEB",
      "url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H568-MFP5-V835

Vulnerability from github – Published: 2025-07-18 21:30 – Updated: 2025-07-18 21:30
VLAI
Details

qBittorrent before 5.1.2 does not prevent access to a local file that is referenced in a link URL. This affects rsswidget.cpp and searchjobwidget.cpp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-18T20:15:24Z",
    "severity": "MODERATE"
  },
  "details": "qBittorrent before 5.1.2 does not prevent access to a local file that is referenced in a link URL. This affects rsswidget.cpp and searchjobwidget.cpp.",
  "id": "GHSA-h568-mfp5-v835",
  "modified": "2025-07-18T21:30:30Z",
  "published": "2025-07-18T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54310"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qbittorrent/qBittorrent/commit/6ad073e0bc26c1f9d3530490ece611b49f5bfcab"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qbittorrent/qBittorrent/commit/ad68813fe879ba245a4f41f105ed8d2114a92971"
    },
    {
      "type": "WEB",
      "url": "https://www.qbittorrent.org/news#wed-jul-02nd-2025---qbittorrent-v5.1.2-release"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H8W5-58RH-75VR

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-24T22:16:16Z",
    "severity": "HIGH"
  },
  "details": "Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine).",
  "id": "GHSA-h8w5-58rh-75vr",
  "modified": "2026-05-26T13:30:35Z",
  "published": "2026-05-26T13:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48831"
    },
    {
      "type": "WEB",
      "url": "https://bugs.winehq.org/show_bug.cgi?id=59767"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/19/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/25/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:D/RE:X/U:Clear",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HXWF-HGXF-GHJJ

Vulnerability from github – Published: 2022-04-29 02:58 – Updated: 2022-04-29 02:58
VLAI
Details

Opera does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-0872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2004-09-16T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Opera does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka \"Cross Security Boundary Cookie Injection.\"",
  "id": "GHSA-hxwf-hgxf-ghjj",
  "modified": "2022-04-29T02:58:31Z",
  "published": "2022-04-29T02:58:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-0872"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17417"
    },
    {
      "type": "WEB",
      "url": "http://securityfocus.com/archive/1/375407"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1011329"
    },
    {
      "type": "WEB",
      "url": "http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J2G6-8RVG-7MF6

Vulnerability from github – Published: 2026-04-03 06:31 – Updated: 2026-04-04 06:56
VLAI
Summary
Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message
Details

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "roundcube/roundcubemail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7-beta"
            },
            {
              "fixed": "1.7-rc5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:56:48Z",
    "nvd_published_at": "2026-04-03T05:16:22Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.",
  "id": "GHSA-j2g6-8rvg-7mf6",
  "modified": "2026-04-04T06:56:48Z",
  "published": "2026-04-03T06:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35543"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/commit/1a63e01542bff42aaa71c00c4c279a09ef31f20c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/commit/39471343ee081ce1d31696c456a2c163462daae3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/commit/82ab5eca7b332fce7a174b2b987f0957a66377cd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/roundcube/roundcubemail"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"
    },
    {
      "type": "WEB",
      "url": "https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message"
}

GHSA-J3W4-VVQ3-QPF6

Vulnerability from github – Published: 2025-10-17 21:31 – Updated: 2025-10-18 03:30
VLAI
Details

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-17T21:15:37Z",
    "severity": "MODERATE"
  },
  "details": "The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers.",
  "id": "GHSA-j3w4-vvq3-qpf6",
  "modified": "2025-10-18T03:30:24Z",
  "published": "2025-10-17T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62646"
    },
    {
      "type": "WEB",
      "url": "https://archive.today/fMYQp"
    },
    {
      "type": "WEB",
      "url": "https://bobdahacker.com/blog/rbi-hacked-drive-thrus"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus"
    },
    {
      "type": "WEB",
      "url": "https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers"
    },
    {
      "type": "WEB",
      "url": "https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J3WX-VG3Q-5R45

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 15:35
VLAI
Details

Inappropriate implementation in AI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669",
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T23:17:26Z",
    "severity": "CRITICAL"
  },
  "details": "Inappropriate implementation in AI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)",
  "id": "GHSA-j3wx-vg3q-5r45",
  "modified": "2026-07-01T15:35:10Z",
  "published": "2026-07-01T00:34:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14151"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/517381770"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8CW-M86F-RXGW

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2025-10-22 00:32
VLAI
Details

A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-27T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.",
  "id": "GHSA-j8cw-m86f-rxgw",
  "modified": "2025-10-22T00:32:13Z",
  "published": "2022-05-24T19:03:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22900"
    },
    {
      "type": "WEB",
      "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22900"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRGH-F66H-M27J

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2023-04-26 21:30
VLAI
Details

D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-27T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field.",
  "id": "GHSA-jrgh-f66h-m27j",
  "modified": "2023-04-26T21:30:29Z",
  "published": "2022-05-24T16:54:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13263"
    },
    {
      "type": "WEB",
      "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter"
    },
    {
      "type": "WEB",
      "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRH2-F5JC-XPGR

Vulnerability from github – Published: 2026-06-04 00:30 – Updated: 2026-07-14 19:35
VLAI
Summary
OpenStack Ironic allows Boot Script Injection
Details

OpenStack Ironic through 35.0.x allows Boot Script Injection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ironic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0"
            },
            {
              "fixed": "26.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ironic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "27.0.0"
            },
            {
              "fixed": "29.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ironic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "30.0.0"
            },
            {
              "fixed": "32.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ironic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "33.0.0"
            },
            {
              "fixed": "35.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T19:35:21Z",
    "nvd_published_at": "2026-06-03T22:16:34Z",
    "severity": "MODERATE"
  },
  "details": "OpenStack Ironic through 35.0.x allows Boot Script Injection.",
  "id": "GHSA-jrh2-f5jc-xpgr",
  "modified": "2026-07-14T19:35:21Z",
  "published": "2026-06-04T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46447"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/ironic/+bug/2150624"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/ironic"
    },
    {
      "type": "WEB",
      "url": "https://security.openstack.org/ossa/OSSA-2026-017.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/03/11"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/15/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenStack Ironic allows Boot Script Injection"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.