Skip to main content

CWE-669

Incorrect Resource Transfer Between Spheres

67 CVEs Avg CVSS 6.4 MITRE
4
CRITICAL
25
HIGH
27
MEDIUM
11
LOW
13
POC
1
KEV

Monthly

CVE-2026-14151 HIGH PATCH This Week

Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the security sandbox using a crafted HTML page, elevating from a contained renderer to broader host access. Rooted in CWE-669 (incorrect resource transfer between spheres) within Chrome's AI component, it carries a CVSS 8.3 (scope-changed) rating despite Google's own 'Low' Chromium severity, reflecting the fact that it is a second-stage escape rather than a standalone entry point. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.17%, 7th percentile), and it is not listed in CISA KEV.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-46448 PyPI HIGH PATCH GHSA This Week

Resource-accounting bypass in OpenStack Nova (compute service) lets an authenticated tenant create an instance whose scheduler hint data is not properly stripped, resulting in a running VM that has no corresponding Placement allocation. Because the instance consumes real host CPU/RAM/disk that the Placement service never accounted for, an attacker with ordinary project credentials can quietly over-subscribe a compute host and degrade availability for co-located tenants. SSVC lists exploitation as proof-of-concept (no public exploit identified as weaponized) with partial technical impact; EPSS is low at 0.26% (17th percentile).

Information Disclosure Nova Red Hat
NVD VulDB
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-12068 HIGH This Week

Cross-origin credential disclosure in Avira Password Manager's Firefox extension allows a malicious site embedding the targeted page in an iframe to harvest credentials that the extension autofills into the parent context. The flaw stems from incorrect autofill field selection and affects Windows, macOS, and Linux installations; no public exploit identified at time of analysis but the CVSS 7.4 (S:C/C:H) score reflects the cross-origin trust boundary violation.

Mozilla Microsoft Apple Information Disclosure Avira Password Manager
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-44917 MEDIUM PATCH This Month

File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Security Advisory OSSA-2026-019. The Ironic conductor is a privileged management component that coordinates bare metal node provisioning; arbitrary file read from this host could expose infrastructure credentials, TLS keys, or cloud configuration secrets. No public exploit has been identified at time of analysis, and no CVSS score has been assigned, but the severity is elevated by the conductor's privileged position in OpenStack infrastructure.

Information Disclosure Ironic
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-46447 PyPI HIGH PATCH This Week

Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence boot scripts processed by the bare-metal provisioning service, with integrity impact extending across a CVSS scope change to the provisioned hardware. Confirmed by upstream advisory OSSA-2026-017 and an Ubuntu USN, with no public exploit identified at time of analysis and an EPSS of 0.03% indicating no observed exploitation activity.

Code Injection Ironic
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-48847 LOW PATCH Monitor

Pre-authentication arbitrary file deletion in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) is achievable by unauthenticated network attackers via session poisoning of Redis or Memcache storage backends. The root cause (CWE-669: Incorrect Resource Transfer Between Spheres) lies in the application improperly trusting session data read from an external cache tier, allowing crafted entries to bypass pre-authentication controls and trigger file deletion operations. No public exploit has been identified at time of analysis, and EPSS stands at 0.06%, though Roundcube installations are historically targeted by espionage-motivated threat actors and patching is strongly recommended.

Authentication Bypass Redis Webmail
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-48846 MEDIUM PATCH This Month

Remote image blocking in Roundcube Webmail 1.6.x and 1.7.x can be silently bypassed by embedding a crafted CSS var() expression in an HTML email, causing the victim's browser to fetch attacker-controlled external resources despite the privacy control being active. This leads to information disclosure - including IP address leakage and email-open tracking - and potential access-control bypass. No public exploit has been identified at time of analysis and EPSS is very low (0.03%), but SSVC rates this 'Automatable: yes,' making mass-scale email tracking campaigns feasible against unpatched Roundcube deployments.

Information Disclosure Webmail
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48845 MEDIUM PATCH This Month

Remote image blocking bypass in Roundcube Webmail allows unauthenticated network attackers to embed HTML email image tags pointing to local or private network destinations, causing the server to fetch those resources despite the 'block remote images' policy being active. Affected versions are 1.6.14 through 1.6.15 and 1.7.0, with vendor-released patches 1.6.16 and 1.7.1 available since May 2026 per the official advisory. No public exploit has been identified at time of analysis and EPSS is very low at 0.03%, though SSVC rates technical impact as total - a notable discrepancy that warrants attention for deployments where the mail server has internal network access.

Information Disclosure Privilege Escalation Webmail
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48831 HIGH This Week

Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine).

Microsoft Information Disclosure Suse
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-44599 LOW PATCH Monitor

Tor before version 0.4.9.7 can incorrectly attempt or accept BEGIN_DIR cells over conflux legs, a Tor relay multiplexing feature, enabling potential integrity violations in circuit construction. The vulnerability has a CVSS score of 3.7 (low severity) with impact limited to integrity rather than confidentiality or availability. No public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure Tor
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the security sandbox using a crafted HTML page, elevating from a contained renderer to broader host access. Rooted in CWE-669 (incorrect resource transfer between spheres) within Chrome's AI component, it carries a CVSS 8.3 (scope-changed) rating despite Google's own 'Low' Chromium severity, reflecting the fact that it is a second-stage escape rather than a standalone entry point. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.17%, 7th percentile), and it is not listed in CISA KEV.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Resource-accounting bypass in OpenStack Nova (compute service) lets an authenticated tenant create an instance whose scheduler hint data is not properly stripped, resulting in a running VM that has no corresponding Placement allocation. Because the instance consumes real host CPU/RAM/disk that the Placement service never accounted for, an attacker with ordinary project credentials can quietly over-subscribe a compute host and degrade availability for co-located tenants. SSVC lists exploitation as proof-of-concept (no public exploit identified as weaponized) with partial technical impact; EPSS is low at 0.26% (17th percentile).

Information Disclosure Nova Red Hat
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Cross-origin credential disclosure in Avira Password Manager's Firefox extension allows a malicious site embedding the targeted page in an iframe to harvest credentials that the extension autofills into the parent context. The flaw stems from incorrect autofill field selection and affects Windows, macOS, and Linux installations; no public exploit identified at time of analysis but the CVSS 7.4 (S:C/C:H) score reflects the cross-origin trust boundary violation.

Mozilla Microsoft Apple +2
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Security Advisory OSSA-2026-019. The Ironic conductor is a privileged management component that coordinates bare metal node provisioning; arbitrary file read from this host could expose infrastructure credentials, TLS keys, or cloud configuration secrets. No public exploit has been identified at time of analysis, and no CVSS score has been assigned, but the severity is elevated by the conductor's privileged position in OpenStack infrastructure.

Information Disclosure Ironic
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence boot scripts processed by the bare-metal provisioning service, with integrity impact extending across a CVSS scope change to the provisioned hardware. Confirmed by upstream advisory OSSA-2026-017 and an Ubuntu USN, with no public exploit identified at time of analysis and an EPSS of 0.03% indicating no observed exploitation activity.

Code Injection Ironic
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Pre-authentication arbitrary file deletion in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) is achievable by unauthenticated network attackers via session poisoning of Redis or Memcache storage backends. The root cause (CWE-669: Incorrect Resource Transfer Between Spheres) lies in the application improperly trusting session data read from an external cache tier, allowing crafted entries to bypass pre-authentication controls and trigger file deletion operations. No public exploit has been identified at time of analysis, and EPSS stands at 0.06%, though Roundcube installations are historically targeted by espionage-motivated threat actors and patching is strongly recommended.

Authentication Bypass Redis Webmail
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Remote image blocking in Roundcube Webmail 1.6.x and 1.7.x can be silently bypassed by embedding a crafted CSS var() expression in an HTML email, causing the victim's browser to fetch attacker-controlled external resources despite the privacy control being active. This leads to information disclosure - including IP address leakage and email-open tracking - and potential access-control bypass. No public exploit has been identified at time of analysis and EPSS is very low (0.03%), but SSVC rates this 'Automatable: yes,' making mass-scale email tracking campaigns feasible against unpatched Roundcube deployments.

Information Disclosure Webmail
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Remote image blocking bypass in Roundcube Webmail allows unauthenticated network attackers to embed HTML email image tags pointing to local or private network destinations, causing the server to fetch those resources despite the 'block remote images' policy being active. Affected versions are 1.6.14 through 1.6.15 and 1.7.0, with vendor-released patches 1.6.16 and 1.7.1 available since May 2026 per the official advisory. No public exploit has been identified at time of analysis and EPSS is very low at 0.03%, though SSVC rates technical impact as total - a notable discrepancy that warrants attention for deployments where the mail server has internal network access.

Information Disclosure Privilege Escalation Webmail
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine).

Microsoft Information Disclosure Suse
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Tor before version 0.4.9.7 can incorrectly attempt or accept BEGIN_DIR cells over conflux legs, a Tor relay multiplexing feature, enabling potential integrity violations in circuit construction. The vulnerability has a CVSS score of 3.7 (low severity) with impact limited to integrity rather than confidentiality or availability. No public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure Tor
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy