Skip to main content

CWE-425

Direct Request ('Forced Browsing')

151 CVEs Avg CVSS 6.8 MITRE
27
CRITICAL
46
HIGH
73
MEDIUM
5
LOW
80
POC
2
KEV

Monthly

CVE-2026-10521 HIGH PATCH This Week

Privileged remote modification of critical program parameters in MB connect line mbCONNECT24 and mymbCONNECT24 allows authenticated high-privilege attackers to reach a hidden configuration method that should be inaccessible to any user, resulting in total compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE under advisory VDE-2026-068.

Information Disclosure Mbconnect24 Mymbconnect24
NVD VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-9610 MEDIUM PATCH This Month

Forced browsing exposure in IBM Datacap and IBM Datacap Navigator 9.1.7 through 9.1.9 allows a highly privileged local user to access application resources and functionality not surfaced in the UI by constructing direct URL requests, bypassing the intended UI-driven access control model. The impact is limited to partial confidentiality disclosure (C:L) with no integrity or availability consequence, and no exploitation has been confirmed - no public exploit code exists and this CVE is absent from the CISA KEV catalog. IBM has released a patch addressing all affected versions.

IBM Authentication Bypass Datacap Datacap Navigator
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-34028 MEDIUM This Month

Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotected HTTP endpoints that allow any remote, unauthenticated attacker to directly download files from paths including /Resources/CompanyId_[ID]/Audio/ and /SafeData/. The affected software manages physical vault rooms and safe deposit locker systems, making the /SafeData/ endpoint particularly sensitive as it likely contains locker allocation records, customer data, or audit materials. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the network-accessible, zero-authentication nature of the flaw (AV:N/AC:L/PR:N/UI:N per CVSS 4.0) makes opportunistic abuse trivially achievable without specialized tooling.

Information Disclosure Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-11986 MEDIUM This Month

Broken access control in the admin-ui-ext component of Red Hat Build of Keycloak permits an authenticated delegated administrator to exploit missing granular permission checks on bulk role-removal endpoints, stripping highly privileged roles from arbitrary users or groups within the Keycloak realm. Affected deployments are those using Keycloak's delegated administration model with the admin-ui-ext extension active; exploitation is bounded by the PR:H CVSS requirement, meaning an attacker must already hold delegated admin credentials. No public exploit has been identified and the vulnerability is not listed in CISA KEV, placing real-world risk in the moderate range with highest relevance to environments with partially trusted delegated administrators.

Information Disclosure Red Hat Build Of Keycloak Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-8205 PHP MEDIUM PATCH This Month

Unauthorized disclosure of restricted calendar event details in Concrete CMS 9.5.0 and below stems from a missing authorization check in the Calendar Block's action_get_events handler, which never invokes canView on the target calendar before returning event data. Unauthenticated remote attackers who can reach the endpoint can retrieve event information that site administrators have explicitly restricted, provided a Calendar Block with access-controlled events is deployed. No public exploit code exists and the vulnerability is absent from the CISA KEV catalog; however, the network-accessible, zero-authentication nature of the endpoint lowers the bar for casual enumeration of restricted scheduling data.

Information Disclosure Concrete Cms
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-7500 Maven MEDIUM This Month

Keycloak's Account REST API remains partially accessible even when explicitly disabled via the `--features-disabled=account,account-api` flag, allowing authenticated users to read and modify account data through five unprotected endpoints under `/account/v1alpha1/` that lack the required `checkAccountApiEnabled()` access control gate present in four sibling endpoints within the same service class.

Information Disclosure Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-58343 MEDIUM POC PATCH This Month

Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Helpdesk
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22732 Maven CRITICAL POC PATCH Act Now

Spring Security fails to properly write HTTP response headers in servlet applications across multiple versions (5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, 7.0.0-7.0.3), allowing attackers to bypass security controls that rely on these headers such as HSTS, X-Frame-Options, or CSP policies. This header omission could enable various attacks including clickjacking, man-in-the-middle attacks, or other exploits depending on which protections are intended. No patch is currently available for this critical vulnerability.

Java Information Disclosure
NVD VulDB HeroDevs GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-15587 HIGH PATCH This Week

A privilege escalation vulnerability in Tinycontrol network management devices (tcPDU and LAN Controllers) allows low-privileged users to retrieve administrator passwords by directly accessing resources that are hidden from the graphical interface. The vulnerability affects multiple product lines including tcPDU, LK3.5, LK3.9, and LK4 controllers across various hardware versions, with a high CVSS score of 8.6 indicating significant risk. No evidence of active exploitation exists (not in KEV), no public POC is available, and the EPSS score is not provided, but patches are available for all affected versions.

Information Disclosure Lan Kontroler V3 5 Lk3 9 Lk4 Tcpdu
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-25679 Go HIGH PATCH This Week

Denial of service in Go's net/url package allows remote unauthenticated attackers to crash applications via malformed URLs with invalid host/authority components. The url.Parse function fails to properly validate authority sections, enabling resource exhaustion attacks against any Go application parsing untrusted URLs. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation despite the network attack vector. Vendor patch available with multiple Red Hat security advisories issued.

Information Disclosure Go
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privileged remote modification of critical program parameters in MB connect line mbCONNECT24 and mymbCONNECT24 allows authenticated high-privilege attackers to reach a hidden configuration method that should be inaccessible to any user, resulting in total compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE under advisory VDE-2026-068.

Information Disclosure Mbconnect24 Mymbconnect24
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Forced browsing exposure in IBM Datacap and IBM Datacap Navigator 9.1.7 through 9.1.9 allows a highly privileged local user to access application resources and functionality not surfaced in the UI by constructing direct URL requests, bypassing the intended UI-driven access control model. The impact is limited to partial confidentiality disclosure (C:L) with no integrity or availability consequence, and no exploitation has been confirmed - no public exploit code exists and this CVE is absent from the CISA KEV catalog. IBM has released a patch addressing all affected versions.

IBM Authentication Bypass Datacap +1
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotected HTTP endpoints that allow any remote, unauthenticated attacker to directly download files from paths including /Resources/CompanyId_[ID]/Audio/ and /SafeData/. The affected software manages physical vault rooms and safe deposit locker systems, making the /SafeData/ endpoint particularly sensitive as it likely contains locker allocation records, customer data, or audit materials. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the network-accessible, zero-authentication nature of the flaw (AV:N/AC:L/PR:N/UI:N per CVSS 4.0) makes opportunistic abuse trivially achievable without specialized tooling.

Information Disclosure Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Broken access control in the admin-ui-ext component of Red Hat Build of Keycloak permits an authenticated delegated administrator to exploit missing granular permission checks on bulk role-removal endpoints, stripping highly privileged roles from arbitrary users or groups within the Keycloak realm. Affected deployments are those using Keycloak's delegated administration model with the admin-ui-ext extension active; exploitation is bounded by the PR:H CVSS requirement, meaning an attacker must already hold delegated admin credentials. No public exploit has been identified and the vulnerability is not listed in CISA KEV, placing real-world risk in the moderate range with highest relevance to environments with partially trusted delegated administrators.

Information Disclosure Red Hat Build Of Keycloak Red Hat Jboss Enterprise Application Platform Expansion Pack +1
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthorized disclosure of restricted calendar event details in Concrete CMS 9.5.0 and below stems from a missing authorization check in the Calendar Block's action_get_events handler, which never invokes canView on the target calendar before returning event data. Unauthenticated remote attackers who can reach the endpoint can retrieve event information that site administrators have explicitly restricted, provided a Calendar Block with access-controlled events is deployed. No public exploit code exists and the vulnerability is absent from the CISA KEV catalog; however, the network-accessible, zero-authentication nature of the endpoint lowers the bar for casual enumeration of restricted scheduling data.

Information Disclosure Concrete Cms
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Keycloak's Account REST API remains partially accessible even when explicitly disabled via the `--features-disabled=account,account-api` flag, allowing authenticated users to read and modify account data through five unprotected endpoints under `/account/v1alpha1/` that lack the required `checkAccountApiEnabled()` access control gate present in four sibling endpoints within the same service class.

Information Disclosure Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Helpdesk
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Spring Security fails to properly write HTTP response headers in servlet applications across multiple versions (5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, 7.0.0-7.0.3), allowing attackers to bypass security controls that rely on these headers such as HSTS, X-Frame-Options, or CSP policies. This header omission could enable various attacks including clickjacking, man-in-the-middle attacks, or other exploits depending on which protections are intended. No patch is currently available for this critical vulnerability.

Java Information Disclosure
NVD VulDB HeroDevs GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

A privilege escalation vulnerability in Tinycontrol network management devices (tcPDU and LAN Controllers) allows low-privileged users to retrieve administrator passwords by directly accessing resources that are hidden from the graphical interface. The vulnerability affects multiple product lines including tcPDU, LK3.5, LK3.9, and LK4 controllers across various hardware versions, with a high CVSS score of 8.6 indicating significant risk. No evidence of active exploitation exists (not in KEV), no public POC is available, and the EPSS score is not provided, but patches are available for all affected versions.

Information Disclosure Lan Kontroler V3 5 Lk3 9 +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Go's net/url package allows remote unauthenticated attackers to crash applications via malformed URLs with invalid host/authority components. The url.Parse function fails to properly validate authority sections, enabling resource exhaustion attacks against any Go application parsing untrusted URLs. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation despite the network attack vector. Vendor patch available with multiple Red Hat security advisories issued.

Information Disclosure Go
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy