Skip to main content

CWE-657

Violation of Secure Design Principles

13 CVEs Avg CVSS 6.3 MITRE
1
CRITICAL
3
HIGH
9
MEDIUM
0
LOW
1
POC
0
KEV

Monthly

CVE-2026-39888 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in praisonaiagents (all versions through 1.5.113) allows authenticated users to escape the Python subprocess sandbox and execute arbitrary shell commands on the host. The vulnerability exists in the execute_code() tool's sandbox mode, where an incomplete AST attribute blocklist permits frame traversal through exception objects (__traceback__, tb_frame, f_back, f_builtins). Attackers chain these four unblocked attributes to retrieve the real exec builtin from the subprocess wrapper's frame, bypassing all security layers. Exploitation requires low-privilege agent API access and no victim interaction. Confirmed actively exploited (CISA KEV). Publicly available exploit code exists.

RCE Python
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-30792 HIGH This Week

Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).

Apple Information Disclosure Microsoft Google Rustdesk
NVD VulDB
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-54255 MEDIUM Monitor

Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Violation of Secure Design Principles vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Adobe Acrobat Acrobat Dc Acrobat Reader Dc +1
NVD
CVSS 3.1
4.0
EPSS
0.1%
CVE-2024-57957 MEDIUM This Month

Vulnerability of improper log information control in the UI framework module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Harmonyos
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2023-29320 HIGH This Week

Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Violation of Secure Design Principles vulnerability that could result in arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Adobe Acrobat Dc Acrobat Reader Dc Acrobat +1
NVD
CVSS 3.1
7.8
EPSS
4.6%
CVE-2022-30683 MEDIUM This Month

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Adobe Experience Manager
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-28244 MEDIUM This Month

Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) is affected by a violation of secure design principles through bypassing the content. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Adobe Acrobat Dc Acrobat Reader Dc Acrobat +1
NVD
CVSS 3.1
6.3
EPSS
3.5%
CVE-2021-36061 MEDIUM PATCH This Month

Adobe Connect version 11.2.2 (and earlier) is affected by a secure design principles violation vulnerability via the 'pbMode' parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Adobe Connect
NVD
CVSS 3.1
5.4
EPSS
1.6%
CVE-2021-28583 PHP MEDIUM PATCH This Month

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity.

Authentication Bypass Adobe Magento
NVD
CVSS 3.1
4.2
EPSS
1.9%
CVE-2020-8133 MEDIUM POC This Month

A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nextcloud Information Disclosure Nextcloud Server
NVD
CVSS 3.1
5.3
EPSS
0.7%
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in praisonaiagents (all versions through 1.5.113) allows authenticated users to escape the Python subprocess sandbox and execute arbitrary shell commands on the host. The vulnerability exists in the execute_code() tool's sandbox mode, where an incomplete AST attribute blocklist permits frame traversal through exception objects (__traceback__, tb_frame, f_back, f_builtins). Attackers chain these four unblocked attributes to retrieve the real exec builtin from the subprocess wrapper's frame, bypassing all security layers. Exploitation requires low-privilege agent API access and no victim interaction. Confirmed actively exploited (CISA KEV). Publicly available exploit code exists.

RCE Python
NVD GitHub
EPSS 0% CVSS 8.3
HIGH This Week

Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).

Apple Information Disclosure Microsoft +2
NVD VulDB
EPSS 0% CVSS 4.0
MEDIUM Monitor

Acrobat Reader versions 24.001.30254, 20.005.30774, 25.001.20672 and earlier are affected by a Violation of Secure Design Principles vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Adobe Acrobat +3
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Vulnerability of improper log information control in the UI framework module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Harmonyos
NVD
EPSS 5% CVSS 7.8
HIGH This Week

Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Violation of Secure Design Principles vulnerability that could result in arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Adobe Acrobat Dc +3
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Adobe Experience Manager
NVD
EPSS 4% CVSS 6.3
MEDIUM This Month

Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) is affected by a violation of secure design principles through bypassing the content. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Adobe Acrobat Dc +3
NVD
EPSS 2% CVSS 5.4
MEDIUM PATCH This Month

Adobe Connect version 11.2.2 (and earlier) is affected by a secure design principles violation vulnerability via the 'pbMode' parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Adobe Connect
NVD
EPSS 2% CVSS 4.2
MEDIUM PATCH This Month

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity.

Authentication Bypass Adobe Magento
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nextcloud Information Disclosure Nextcloud Server
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy