CWE-425

211 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.

CVEs classified under CWE-425 (page 5 of 5)
- CVE-2025-59797 | MEDIUM | CVSS 5.8 | EG 5.8 | 2025-09-22
Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page.
- CVE-2025-6195 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-11-26
GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain co…
- CVE-2025-62778 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-10-27
Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL.
- CVE-2025-6352 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-06-20
A vulnerability classified as problematic has been found in code-projects Automated Voting System 1.0. Affected is an unknown function of the file /vote.php of the component Backend. The manipulation leads to direct request. It is possible…
- CVE-2025-65011 | HIGH | CVSS 7.1 | EG 0.0 | 2025-12-18
In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) an unauthorised user can view configuration files by directly referencing the resource in question. The vendor was notified early about this vulnerability, but didn't respo…
- CVE-2025-67844 | MEDIUM | CVSS 5.0 | EG 5.0 | 2025-12-19
The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields prov…
- CVE-2026-0650 | CRITICAL | CVSS 9.3 | EG 0.0 | 2026-01-07
OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and a…
- CVE-2026-0790 | HIGH | CVSS 7.5 | EG 5.3 | 2026-01-23
ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentica…
- CVE-2026-1978 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-02-06
A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request…
- CVE-2026-7500 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-04-30
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write…
- CVE-2026-8205 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-05-21
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security …