Skip to main content

CWE-749

Exposed Dangerous Method or Function

103 CVEs Avg CVSS 7.8 MITRE
30
CRITICAL
41
HIGH
31
MEDIUM
1
LOW
15
POC
1
KEV

Monthly

CVE-2025-53827 CRITICAL PATCH Act Now

Arbitrary code execution in ownCloud Core (ownCloud 10 Classic server, all versions before 10.15.3) allows an administrator to abuse an exposed dangerous method in the Updater component to run code on the server host. Any actor holding administrative credentials - legitimately, or via session hijack/credential theft/CSRF against an admin - can convert web-app admin rights into full server compromise. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-issued GHSA-hvcx-ph66-mmvw advisory and the fix in 10.15.3 are the primary confirmation.

RCE Owncloud Core
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-54753 MEDIUM PATCH This Month

Cross-origin information disclosure in the Nx monorepo graph server (versions 17.0.4 through 22.7.1) exposes the full project dependency graph and workspace metadata to any website a developer visits while `nx graph` is running locally. The server unconditionally broadcasts `Access-Control-Allow-Origin: *`, bypassing the browser Same-Origin Policy and allowing attacker-controlled JavaScript to silently read internal project structure. In rare cases, the `/help` endpoint - which executes a workspace-configured target command - creates a path to arbitrary command injection on the developer's machine. No public exploit or CISA KEV listing identified at time of analysis.

Command Injection Information Disclosure Nx
NVD GitHub
CVSS 3.1
5.9
EPSS
0.8%
CVE-2026-55454 CRITICAL PATCH Act Now

Reverse-proxy takeover in Appsmith versions prior to 2.1 lets an authenticated low-privileged user abuse server-side request forgery to reach the bundled Caddy admin API, which ships with no authentication and listens on 0.0.0.0:2019 inside the container. By forcing the Appsmith server to issue a POST /load to that internal endpoint, the attacker rewrites the live Caddy configuration and seizes control of the reverse proxy that fronts the application. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-confirmed CWE-749 exposure carries a 9.9 CVSS rating.

SSRF Docker Appsmith
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-53633 npm CRITICAL PATCH GHSA Act Now

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) allows remote attackers to overwrite the project's vite.config.ts and execute arbitrary Node.js code on the host when the browser API server is bound to a network-reachable interface (e.g. --browser.api.host=0.0.0.0). The flaw stems from the cdp() API forwarding raw Chrome DevTools Protocol calls over the browser WebSocket RPC without honoring the allowWrite/allowExec gates that normally restrict Browser Mode. Publicly available exploit code exists in the GHSA-g8mr-85jm-7xhm advisory's step-by-step reproduction, though no CISA KEV listing has been issued.

Google Code Injection Node.js
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-49993 npm MEDIUM POC PATCH GHSA This Month

Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alpha.1-4.4.6) enables a LAN-adjacent attacker to read a developer's full application source from the webpack dev server when it is bound to a non-loopback address via `nuxt dev --host`. This is a second incomplete fix in a chain stemming from GHSA-4gf7-ff8x-hq99: the previous patch (GHSA-6m52-m754-pw2g) relied on Sec-Fetch-* metadata headers that browsers silently omit for non-trustworthy (plain HTTP) origins, leaving a bypass when an attacker page strips all three identifying headers (Sec-Fetch-Site, Origin, Referer) simultaneously. A proof-of-concept JavaScript payload is documented in the GHSA advisory; EPSS is very low at 0.02% (7th percentile) and no CISA KEV entry exists, reflecting the narrow exploitation conditions required.

Information Disclosure Nuxt
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-12060 MEDIUM PATCH This Month

Unauthorized camera and microphone access in Heptabase by Hepta Platforms is achievable by unauthenticated remote attackers who social-engineer a victim into opening a malicious webpage inside the application, exploiting an exposed dangerous method (CWE-749) that bypasses normal permission gating. The attack yields high confidentiality impact - real-time audio and video capture - with no privileges required on the attacker's side, constrained only by the need for active victim interaction. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the surveillance-class outcome makes it attractive for targeted campaigns.

Authentication Bypass Heptabase
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-7516 MEDIUM PATCH This Month

Clipboard hijacking in Lenovo's built-in Android browser application allows a malicious website to silently overwrite system clipboard contents on affected devices. The vulnerability impacts Lenovo Android tablets distributed exclusively in the Chinese market, enabling a network-based attacker to manipulate clipboard data when a user visits a crafted website. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; EPSS data was not provided in available intelligence.

Information Disclosure Google Lenovo
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-47899 HIGH This Week

Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Logseq
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-14713 HIGH PATCH This Week

Credential disclosure in Synology C2 Identity Edge Server (DSM versions before 1.76.0-0307) allows remote unauthenticated attackers to retrieve user credentials directly from the edge server over the network. The flaw stems from an exposed dangerous method/function (CWE-749) reachable without authentication, yielding a high-confidentiality impact with no integrity or availability effect. No public exploit has been identified at time of analysis, and EPSS scores it at the bottom 7th percentile, indicating low near-term exploitation likelihood despite the network-reachable vector.

Synology Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4051 HIGH PATCH This Week

Remote code execution in IBM Engineering Lifecycle Management (ELM) versions 7.0.3 through Interim Fix 021, 7.1.0 through Interim Fix 009, and 7.2.0 through Interim Fix 001 allows an attacker with administrative privileges to execute arbitrary code via an exposed method that is not properly restricted (CWE-749). At time of analysis there is no public exploit identified and EPSS is very low (0.01%), but the SSVC technical impact is rated total, making this a high-impact post-authentication issue against ELM administrators. IBM has published a patch advisory and CVSS is 7.2 (AV:N/AC:L/PR:H/UI:N/C:H/I:H/A:H).

Information Disclosure IBM Engineering Lifecycle Management
NVD
CVSS 3.1
7.2
EPSS
0.0%
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Arbitrary code execution in ownCloud Core (ownCloud 10 Classic server, all versions before 10.15.3) allows an administrator to abuse an exposed dangerous method in the Updater component to run code on the server host. Any actor holding administrative credentials - legitimately, or via session hijack/credential theft/CSRF against an admin - can convert web-app admin rights into full server compromise. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-issued GHSA-hvcx-ph66-mmvw advisory and the fix in 10.15.3 are the primary confirmation.

RCE Owncloud Core
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Cross-origin information disclosure in the Nx monorepo graph server (versions 17.0.4 through 22.7.1) exposes the full project dependency graph and workspace metadata to any website a developer visits while `nx graph` is running locally. The server unconditionally broadcasts `Access-Control-Allow-Origin: *`, bypassing the browser Same-Origin Policy and allowing attacker-controlled JavaScript to silently read internal project structure. In rare cases, the `/help` endpoint - which executes a workspace-configured target command - creates a path to arbitrary command injection on the developer's machine. No public exploit or CISA KEV listing identified at time of analysis.

Command Injection Information Disclosure Nx
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Reverse-proxy takeover in Appsmith versions prior to 2.1 lets an authenticated low-privileged user abuse server-side request forgery to reach the bundled Caddy admin API, which ships with no authentication and listens on 0.0.0.0:2019 inside the container. By forcing the Appsmith server to issue a POST /load to that internal endpoint, the attacker rewrites the live Caddy configuration and seizes control of the reverse proxy that fronts the application. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-confirmed CWE-749 exposure carries a 9.9 CVSS rating.

SSRF Docker Appsmith
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) allows remote attackers to overwrite the project's vite.config.ts and execute arbitrary Node.js code on the host when the browser API server is bound to a network-reachable interface (e.g. --browser.api.host=0.0.0.0). The flaw stems from the cdp() API forwarding raw Chrome DevTools Protocol calls over the browser WebSocket RPC without honoring the allowWrite/allowExec gates that normally restrict Browser Mode. Publicly available exploit code exists in the GHSA-g8mr-85jm-7xhm advisory's step-by-step reproduction, though no CISA KEV listing has been issued.

Google Code Injection Node.js
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Source code exfiltration in Nuxt's @nuxt/webpack-builder and @nuxt/rspack-builder (versions 3.15.4-3.21.6 and 4.0.0-alpha.1-4.4.6) enables a LAN-adjacent attacker to read a developer's full application source from the webpack dev server when it is bound to a non-loopback address via `nuxt dev --host`. This is a second incomplete fix in a chain stemming from GHSA-4gf7-ff8x-hq99: the previous patch (GHSA-6m52-m754-pw2g) relied on Sec-Fetch-* metadata headers that browsers silently omit for non-trustworthy (plain HTTP) origins, leaving a bypass when an attacker page strips all three identifying headers (Sec-Fetch-Site, Origin, Referer) simultaneously. A proof-of-concept JavaScript payload is documented in the GHSA advisory; EPSS is very low at 0.02% (7th percentile) and no CISA KEV entry exists, reflecting the narrow exploitation conditions required.

Information Disclosure Nuxt
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthorized camera and microphone access in Heptabase by Hepta Platforms is achievable by unauthenticated remote attackers who social-engineer a victim into opening a malicious webpage inside the application, exploiting an exposed dangerous method (CWE-749) that bypasses normal permission gating. The attack yields high confidentiality impact - real-time audio and video capture - with no privileges required on the attacker's side, constrained only by the need for active victim interaction. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the surveillance-class outcome makes it attractive for targeted campaigns.

Authentication Bypass Heptabase
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Clipboard hijacking in Lenovo's built-in Android browser application allows a malicious website to silently overwrite system clipboard contents on affected devices. The vulnerability impacts Lenovo Android tablets distributed exclusively in the Chinese market, enabling a network-based attacker to manipulate clipboard data when a user visits a crafted website. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; EPSS data was not provided in available intelligence.

Information Disclosure Google Lenovo
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Logseq
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Credential disclosure in Synology C2 Identity Edge Server (DSM versions before 1.76.0-0307) allows remote unauthenticated attackers to retrieve user credentials directly from the edge server over the network. The flaw stems from an exposed dangerous method/function (CWE-749) reachable without authentication, yielding a high-confidentiality impact with no integrity or availability effect. No public exploit has been identified at time of analysis, and EPSS scores it at the bottom 7th percentile, indicating low near-term exploitation likelihood despite the network-reachable vector.

Synology Information Disclosure
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Remote code execution in IBM Engineering Lifecycle Management (ELM) versions 7.0.3 through Interim Fix 021, 7.1.0 through Interim Fix 009, and 7.2.0 through Interim Fix 001 allows an attacker with administrative privileges to execute arbitrary code via an exposed method that is not properly restricted (CWE-749). At time of analysis there is no public exploit identified and EPSS is very low (0.01%), but the SSVC technical impact is rated total, making this a high-impact post-authentication issue against ELM administrators. IBM has published a patch advisory and CVSS is 7.2 (AV:N/AC:L/PR:H/UI:N/C:H/I:H/A:H).

Information Disclosure IBM Engineering Lifecycle Management
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy