CWE-668 · Exposure of Resource to Wrong Sphere

720 CVEs classified under CWE-668 (Exposure of Resource to Wrong Sphere).

Top CVEs for CWE-668
CVE | Severity | Score | Published | Summary
--- | --- | --- | --- | ---
CVE-2026-25725 | Critical | 10.0 | 2026-02-06 | Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.js…
CVE-2025-2857 | Critical | 10.0 | 2025-03-27 | Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child proces…
CVE-2019-8779 | Critical | 10.0 | 2019-12-18 | A logic issue applied the incorrect restrictions. This issue was addressed by updating the logic to apply the correct restrictions. This issue is fixed in iOS…
CVE-2022-43684 | Critical | 9.9 | 2023-06-13 | ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality. Additional Details …
CVE-2022-24900 | Critical | 9.9 | 2022-04-29 | Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to…
CVE-2019-16541 | Critical | 9.9 | 2019-11-21 | Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use crede…
CVE-2026-45411 | Critical | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator…
CVE-2026-44009 | Critical | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.
CVE-2026-44008 | Critical | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call i…
CVE-2026-20160 | Critical | 9.8 | 2026-04-01 | A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the unde…
CVE-2025-15114 | Critical | 9.8 | 2025-12-30 | Ksenia Security lares (legacy model) Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML fil…
CVE-2025-55583 | Critical | 9.8 | 2025-08-28 | D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endp…
CVE-2024-5660 | Critical | 9.8 | 2024-12-10 | Use of Hardware Page Aggregation (HPA) and Stage-1 and/or Stage-2 translation on Cortex-A77, Cortex-A78, Cortex-A78C, Cortex-A78AE, Cortex-A710, Cortex-X1, Cor…
CVE-2024-25153 | Critical | 9.8 | 2024-03-13 | A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ director…
CVE-2023-45911 | Critical | 9.8 | 2023-10-18 | An issue in WIPOTEC GmbH ComScale v4.3.29.21344 and v4.4.12.723 allows unauthenticated attackers to login as any user without a password.
CVE-2022-39952 | Critical | 9.8 | 2023-02-16 | An external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7…
CVE-2022-48198 | Critical | 9.8 | 2023-01-01 | The ntpd_driver component before 1.3.0 and 2.x before 2.2.0 for Robot Operating System (ROS) allows attackers, who control the source code of a different node…
CVE-2022-32221 | Critical | 9.8 | 2022-12-05 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIEL…
CVE-2022-26869 | Critical | 9.8 | 2022-06-02 | Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contains an open port vulnerability. A remote unauthenticated attacker could potentially exploit this vul…
CVE-2022-24074 | Critical | 9.8 | 2022-03-17 | Whale Bridge, a default extension in Whale browser before 3.12.129.18, allowed to receive any SendMessage request from the content script itself that could lea…