CWE-749: Exposed Dangerous Method or Function
154 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-749 (page 3 of 4)
- CVE-2024-55921 | HIGH | CVSS 7.5 | EG 7.5 | 2025-01-14
TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forge…
- CVE-2024-55922 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-01-14
TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forge…
- CVE-2024-55923 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-01-14
TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forge…
- CVE-2024-55924 | HIGH | CVSS 8.0 | EG 8.0 | 2025-01-14
TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forge…
- CVE-2024-55945 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-01-14
TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forge…
- CVE-2024-6510 | HIGH | CVSS 7.8 | EG 7.8 | 2024-09-12
Local Privilege Escalation in AVG Internet Security v24 on Windows allows a local unprivileged user to escalate privileges to SYSTEM via COM-Hijacking.
- CVE-2024-6689 | HIGH | CVSS 7.8 | EG 7.8 | 2024-07-15
Local Privilege Escalation in MSI-Installer in baramundi Management Agent v23.1.172.0 on Windows allows a local unprivileged user to escalate privileges to SYSTEM.
- CVE-2024-6863 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-03-20
In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like beh…
- CVE-2025-14488 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14489 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14490 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14491 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14492 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14493 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14494 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14495 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14496 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14497 | HIGH | CVSS 7.8 | EG 7.8 | 2025-12-23
RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must …
- CVE-2025-14713 | HIGH | CVSS 7.5 | EG 7.5 | 2026-05-27
An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server.
- CVE-2025-24359 | HIGH | CVSS 8.4 | EG 8.4 | 2025-01-24
ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of…
- CVE-2025-24361 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-01-25
Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a ma…
- CVE-2025-26651 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-04-08
Exposed dangerous method or function in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network.
- CVE-2025-30359 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-06-03
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request f…
- CVE-2025-34114 | HIGH | CVSS 8.4 | EG 0.0 | 2025-07-25
A client-side security misconfiguration vulnerability exists in OpenBlow whistleblowing platform across multiple versions and default deployments, due to the absence of critical HTTP response headers including Content-Security-Policy, Refe…
- CVE-2025-3698 | HIGH | CVSS 7.5 | EG 7.5 | 2025-04-16
Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information leakage risk.
- CVE-2025-37097 | HIGH | CVSS 7.5 | EG 7.5 | 2025-07-01
A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service
- CVE-2025-43003 | MEDIUM | CVSS 6.4 | EG 6.4 | 2025-05-13
SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field. On performing this step the attacker could gain access to highly sen…
- CVE-2025-43955 | LOW | CVSS 2.2 | EG 2.2 | 2025-04-20
TwsCachedXPathAPI in Convertigo through 8.3.4 does not restrict the use of commons-jxpath APIs.
- CVE-2025-47353 | HIGH | CVSS 7.8 | EG 7.8 | 2025-11-04
Memory corruption while processing request sent from GVM.
- CVE-2025-47366 | HIGH | CVSS 7.1 | EG 7.1 | 2026-02-02
Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input.
- CVE-2025-48415 | MEDIUM | CVSS 6.2 | EG 6.2 | 2025-05-21
A USB backdoor feature can be triggered by attaching a USB drive that contains specially crafted "salia.ini" files. The .ini file can contain several "commands" that could be exploited by an attacker to export or modify the device configur…
- CVE-2025-53964 | CRITICAL | CVSS 9.6 | EG 9.6 | 2025-07-17
GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches for any term included in that dictionary.
- CVE-2025-5748 | HIGH | CVSS 8.0 | EG 8.0 | 2025-06-06
WOLFBOX Level 2 EV Charger LAN OTA Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger. Althou…
- CVE-2025-5823 | MEDIUM | CVSS 6.5 | EG 4.9 | 2025-06-25
Autel MaxiCharger AC Wallbox Commercial Serial Number Exposed Dangerous Method Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharge…
- CVE-2025-59403 | CRITICAL | CVSS 9.8 | EG 6.5 | 2025-10-02
The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoi…
- CVE-2025-59788 | MEDIUM | CVSS 6.4 | EG 6.4 | 2025-12-04
Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, an…
- CVE-2025-61907 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-10-16
Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. Th…
- CVE-2025-64443 | CRITICAL | CVSS 9.6 | EG 9.6 | 2025-12-03
MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visi…
- CVE-2025-68697 | HIGH | CVSS 7.1 | EG 7.1 | 2025-12-26
n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can i…
- CVE-2025-9611 | HIGH | CVSS 7.2 | EG 0.0 | 2026-01-07
Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to …
- CVE-2026-22208 | CRITICAL | CVSS 9.6 | EG 9.6 | 2026-02-17
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing …
- CVE-2026-22812 | HIGH | CVSS 8.8 | EG 8.8 | 2026-01-12
OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user…
- CVE-2026-25266 | MEDIUM | CVSS 5.5 | EG 5.5 | 2026-05-04
Memory corruption while processing IOCTL command when device is in power-save state.
- CVE-2026-33583 | HIGH | CVSS 8.7 | EG 8.7 | 2026-05-13
Exposure of the QKEY (used as input into the ‘OTA-Quantum’ device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform. This issue affect…
- CVE-2026-33584 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-05-13
Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Symmetric Key Agreement Platform: before 2…
- CVE-2026-35488 | HIGH | CVSS 8.1 | EG 8.1 | 2026-04-07
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has…
- CVE-2026-4051 | HIGH | CVSS 7.2 | EG 7.2 | 2026-05-26
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to an exposed method that is not properly restricted.
- CVE-2026-44698 | HIGH | CVSS 8.3 | EG 8.3 | 2026-05-29
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, the Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in…
- CVE-2026-44798 | HIGH | CVSS 7.1 | EG 7.1 | 2026-05-28
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which wa…
- CVE-2026-44836 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-26
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not …
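Two CWE-749 patterns recur in the entries above: a loopback service that any web page can drive because it never checks where the request came from (the MCP Gateway, Playwright MCP and OpenCode entries, all DNS rebinding or permissive CORS), and a handler that resolves a method name taken from the request by reflection, so every public method of the object becomes reachable (the view_component public_send entry, and the "exposed method that is not properly restricted" wording elsewhere). The Python below is an added illustration written for this page, not code from any of the listed projects: the Tools class, its method names, the hostnames, the port and the request bodies are all constructed for the example.

```python
import json
from urllib.parse import urlsplit


class Tools:
    """Hypothetical service object (constructed for this example)."""

    def echo(self, text: str) -> str:
        return text

    def list_files(self, path: str) -> list:
        # Stand-in for a filesystem listing so the example runs offline.
        return [f"{path}/README.md"]

    def run_shell(self, cmd: str) -> str:
        # A capability that must never be callable from a web page.
        return f"would run: {cmd}"


TOOLS = Tools()

# Explicit allowlist: the callable is found in a fixed table, never by
# reflecting on the object with a name taken from the request.
EXPOSED_METHODS = {
    "echo": TOOLS.echo,
    "list_files": TOOLS.list_files,
}

# Hostnames a browser legitimately uses to reach a loopback service.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Host (and Origin, if sent) name the loopback service.

    Under DNS rebinding the TCP connection genuinely arrives on 127.0.0.1, but the
    browser sends Host: attacker.example (the rebound name); a cross-site fetch
    additionally carries Origin: http://attacker.example. Checking both headers
    blocks either route without relying on network isolation.
    """
    host = urlsplit("//" + headers.get("Host", "")).hostname
    if host not in ALLOWED_HOSTS:
        return False
    origin = headers.get("Origin")
    if origin is None:
        # Non-browser client (curl, an SDK): no ambient browser authority to abuse.
        return True
    # "null" and unparsable origins yield hostname None and are rejected.
    return urlsplit(origin).hostname in ALLOWED_HOSTS


def dispatch_unsafe(method: str, args: dict):
    """Vulnerable pattern: every public attribute of TOOLS becomes an exposed method."""
    return getattr(TOOLS, method)(**args)


def dispatch_safe(method: str, args: dict):
    """Hardened pattern: names outside the allowlist never reach the object."""
    fn = EXPOSED_METHODS.get(method)
    if fn is None:
        raise PermissionError(f"method not exposed: {method}")
    return fn(**args)


def handle_request(headers: dict, body: bytes) -> dict:
    """Full request path: origin check first, then allowlisted dispatch."""
    if not origin_allowed(headers):
        return {"status": 403, "error": "origin not allowed"}
    try:
        req = json.loads(body)
        result = dispatch_safe(req["method"], req.get("params", {}))
    except PermissionError as exc:
        return {"status": 404, "error": str(exc)}
    except (KeyError, TypeError, ValueError) as exc:
        return {"status": 400, "error": f"bad request: {exc}"}
    return {"status": 200, "result": result}


if __name__ == "__main__":
    # Constructed requests: a rebound-origin page probing the service, then a
    # legitimate local client using an unexposed and an exposed method.
    rebound = {"Host": "attacker.example:8931", "Origin": "http://attacker.example"}
    local = {"Host": "127.0.0.1:8931"}
    shell = b'{"method": "run_shell", "params": {"cmd": "id"}}'
    print(handle_request(rebound, shell))
    print(handle_request(local, shell))
    print(handle_request(local, b'{"method": "echo", "params": {"text": "hi"}}'))
    print("reflection exposes:", dispatch_unsafe("run_shell", {"cmd": "id"}))
```

Two design choices are deliberate. A missing Origin header is accepted because non-browser clients do not send one and carry no ambient browser authority; the Host check still applies to them. The allowlist is a table of bound callables rather than a set of permitted names passed to getattr, so adding a method to the object can never silently widen the exposed surface.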
Map vulnerabilities like CWE-749 to your infrastructure
EchelonGraph correlates every CVE — across CWE-749 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.