CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions
6 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. The full definition is on MITRE.
CVEs classified under CWE-647 (page 1 of 1)
- CVE-2022-43939 | HIGH | CVSS 8.6 | EG 9.8 | ⚠ KEV | 2023-04-03
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, contain security restrictions that rely on non-canonical URLs and can be circumvented.
- CVE-2025-43916 | LOW | CVSS 3.4 | EG 3.4 | 2025-04-21
Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be s…
- CVE-2025-47241 | MEDIUM | CVSS 4.0 | EG 4.0 | 2025-05-03
In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component.
- CVE-2025-64500 | HIGH | CVSS 7.3 | EG 7.3 | 2025-11-12
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to versio…
- CVE-2025-66202 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-12-09
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected route…
- CVE-2026-5222 | MEDIUM | CVSS 6.5 | EG 2.3 | 2026-05-25
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker …