Skip to main content

CWE-840

Business Logic Errors

81 CVEs Avg CVSS 5.6 MITRE
3
CRITICAL
16
HIGH
50
MEDIUM
12
LOW
43
POC
0
KEV

Monthly

CVE-2026-58558 HIGH This Week

Local information disclosure in Huawei HarmonyOS and EMUI stems from a flawed permission-control check in the file system, letting a local actor read data that should be access-restricted. Exploitation requires local access plus user interaction (CVSS UI:R), and Huawei's own scoring rates it high impact; no public exploit was identified at time of analysis and it is not listed in CISA KEV. Note the vendor CVSS also asserts integrity and availability impact, which the one-line description (confidentiality only) does not substantiate.

Information Disclosure Harmony Os Emui
NVD
CVSS 3.1
7.8
CVE-2026-13571 MEDIUM POC This Month

Price parameter manipulation in SourceCodester Simple Food Ordering System 1.0 allows unauthenticated remote attackers to submit orders at arbitrary prices by modifying the item_price argument in POST requests to /cart.php. The server trusts client-supplied price data without server-side validation, enabling business logic bypass (CWE-840) that could result in financial loss for system operators. A public proof-of-concept exploit is available on GitHub; however, this vulnerability is not currently listed in the CISA KEV catalog.

Information Disclosure PHP Simple Food Ordering System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-41973 MEDIUM This Month

Permission control bypass in Huawei HarmonyOS and EMUI's call-handling subsystem allows a locally present, unprivileged attacker to circumvent intended access restrictions, resulting in low-level impacts to confidentiality, integrity, and availability. The vulnerability stems from improper business logic governing permission enforcement (CWE-840), meaning the system fails to correctly validate whether a calling entity holds the required permissions before servicing a request. No public exploit code exists and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog, but the low attack complexity and absence of privilege requirements lower the bar for local abuse.

Information Disclosure Emui
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-11465 LOW POC PATCH Monitor

Race condition in songquanpeng one-api's redemption code feature allows authenticated users to redeem a single-use code multiple times by sending concurrent requests before the transaction completes. The root cause is confirmed by PR diff: the codebase uses deprecated GORM v1 syntax (`tx.Set("gorm:query_option", "FOR UPDATE")`) that does not reliably apply a database row lock in GORM v2, leaving the transaction window unprotected. All versions up to 0.6.11-preview.7 are affected; a fix exists as an unmerged pull request, and publicly available exploit code is referenced in GitHub issue #2397 - no public exploit has been identified at time of analysis.

Information Disclosure One Api
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-8738 MEDIUM POC This Month

Business logic flaws in PublicCMS 5.202506.d trade payment controller allow unauthenticated remote attackers to manipulate payment processing workflows, potentially enabling payment bypass or unauthorized transaction modifications. Publicly available exploit code exists demonstrating the attack. The vulnerability affects three payment-related functions (TradeOrderController.pay, TradePaymentController.pay, AccountGatewayComponent.pay) in the publiccms-trade module. Vendor was notified but did not respond, and no patch has been announced.

Java Information Disclosure
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-41968 MEDIUM This Month

A permission control vulnerability in HarmonyOS's manufacturability design module allows local attackers without privileges to read, modify, and degrade system availability through improper access controls. The vulnerability affects HarmonyOS across multiple versions and has a CVSS score of 5.9 (medium severity), with confirmed impacts on confidentiality, integrity, and availability despite the description emphasizing availability impact alone.

Information Disclosure
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-41967 MEDIUM This Month

HarmonyOS manufacturability design module contains a permission control vulnerability (CWE-840) that allows local attackers without privileges to read sensitive information and modify system state on affected devices. The vulnerability has a CVSS score of 5.9 with local attack vector and low complexity, affecting confidentiality, integrity, and availability. Patch status and active exploitation status are not confirmed from available vendor advisory data.

Information Disclosure
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-41966 MEDIUM This Month

Permission control vulnerability in Huawei HarmonyOS smart sensing service allows remote attackers to bypass access controls and disclose sensitive information with moderate complexity. The vulnerability affects service confidentiality and integrity across HarmonyOS versions, with CVSS 5.6 (AV:N/AC:H/PR:N/UI:N) indicating network-accessible exploitation requiring non-trivial conditions. No active exploitation in CISA KEV or public exploit code identified at time of analysis.

Information Disclosure
NVD
CVSS 3.1
5.6
EPSS
0.0%
CVE-2026-41961 MEDIUM This Month

A permission control vulnerability in HarmonyOS Contacts allows local attackers without special privileges to access sensitive contact information and affect availability of the contacts application. The vulnerability exists across HarmonyOS versions and can be exploited without user interaction, resulting in information disclosure and potential service disruption.

Information Disclosure
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-41971 MEDIUM This Month

Information disclosure in Huawei HarmonyOS security control module allows local attackers with user interaction to read sensitive data. The vulnerability stems from improper permission control in the security module, enabling unauthorized access to confidential information without requiring elevated privileges. CVSS 5.5 indicates moderate severity with local attack vector; no KEV status or public exploit confirmed at time of analysis.

Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVSS 7.8
HIGH This Week

Local information disclosure in Huawei HarmonyOS and EMUI stems from a flawed permission-control check in the file system, letting a local actor read data that should be access-restricted. Exploitation requires local access plus user interaction (CVSS UI:R), and Huawei's own scoring rates it high impact; no public exploit was identified at time of analysis and it is not listed in CISA KEV. Note the vendor CVSS also asserts integrity and availability impact, which the one-line description (confidentiality only) does not substantiate.

Information Disclosure Harmony Os Emui
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Price parameter manipulation in SourceCodester Simple Food Ordering System 1.0 allows unauthenticated remote attackers to submit orders at arbitrary prices by modifying the item_price argument in POST requests to /cart.php. The server trusts client-supplied price data without server-side validation, enabling business logic bypass (CWE-840) that could result in financial loss for system operators. A public proof-of-concept exploit is available on GitHub; however, this vulnerability is not currently listed in the CISA KEV catalog.

Information Disclosure PHP Simple Food Ordering System
NVD VulDB GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Permission control bypass in Huawei HarmonyOS and EMUI's call-handling subsystem allows a locally present, unprivileged attacker to circumvent intended access restrictions, resulting in low-level impacts to confidentiality, integrity, and availability. The vulnerability stems from improper business logic governing permission enforcement (CWE-840), meaning the system fails to correctly validate whether a calling entity holds the required permissions before servicing a request. No public exploit code exists and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog, but the low attack complexity and absence of privilege requirements lower the bar for local abuse.

Information Disclosure Emui
NVD
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Race condition in songquanpeng one-api's redemption code feature allows authenticated users to redeem a single-use code multiple times by sending concurrent requests before the transaction completes. The root cause is confirmed by PR diff: the codebase uses deprecated GORM v1 syntax (`tx.Set("gorm:query_option", "FOR UPDATE")`) that does not reliably apply a database row lock in GORM v2, leaving the transaction window unprotected. All versions up to 0.6.11-preview.7 are affected; a fix exists as an unmerged pull request, and publicly available exploit code is referenced in GitHub issue #2397 - no public exploit has been identified at time of analysis.

Information Disclosure One Api
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Business logic flaws in PublicCMS 5.202506.d trade payment controller allow unauthenticated remote attackers to manipulate payment processing workflows, potentially enabling payment bypass or unauthorized transaction modifications. Publicly available exploit code exists demonstrating the attack. The vulnerability affects three payment-related functions (TradeOrderController.pay, TradePaymentController.pay, AccountGatewayComponent.pay) in the publiccms-trade module. Vendor was notified but did not respond, and no patch has been announced.

Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

A permission control vulnerability in HarmonyOS's manufacturability design module allows local attackers without privileges to read, modify, and degrade system availability through improper access controls. The vulnerability affects HarmonyOS across multiple versions and has a CVSS score of 5.9 (medium severity), with confirmed impacts on confidentiality, integrity, and availability despite the description emphasizing availability impact alone.

Information Disclosure
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

HarmonyOS manufacturability design module contains a permission control vulnerability (CWE-840) that allows local attackers without privileges to read sensitive information and modify system state on affected devices. The vulnerability has a CVSS score of 5.9 with local attack vector and low complexity, affecting confidentiality, integrity, and availability. Patch status and active exploitation status are not confirmed from available vendor advisory data.

Information Disclosure
NVD
EPSS 0% CVSS 5.6
MEDIUM This Month

Permission control vulnerability in Huawei HarmonyOS smart sensing service allows remote attackers to bypass access controls and disclose sensitive information with moderate complexity. The vulnerability affects service confidentiality and integrity across HarmonyOS versions, with CVSS 5.6 (AV:N/AC:H/PR:N/UI:N) indicating network-accessible exploitation requiring non-trivial conditions. No active exploitation in CISA KEV or public exploit code identified at time of analysis.

Information Disclosure
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

A permission control vulnerability in HarmonyOS Contacts allows local attackers without special privileges to access sensitive contact information and affect availability of the contacts application. The vulnerability exists across HarmonyOS versions and can be exploited without user interaction, resulting in information disclosure and potential service disruption.

Information Disclosure
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Information disclosure in Huawei HarmonyOS security control module allows local attackers with user interaction to read sensitive data. The vulnerability stems from improper permission control in the security module, enabling unauthorized access to confidential information without requiring elevated privileges. CVSS 5.5 indicates moderate severity with local attack vector; no KEV status or public exploit confirmed at time of analysis.

Information Disclosure
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy