CWE-669 · Incorrect Resource Transfer Between Spheres
56 CVEs classified under CWE-669 (Incorrect Resource Transfer Between Spheres). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2016-5062 | Critical | 9.8 | 2016-09-29 | The web server in Aternity before 9.0.1 does not require authentication for getMBeansFromURL loading of Java MBeans, which allows remote attackers to execute a… |
| CVE-2025-41660 | High | 8.8 | 2026-03-24 | A low-privileged remote attacker may be able to replace the boot application of the CODESYS Control runtime system, enabling unauthorized code execution. |
| CVE-2026-25253 | High | 8.8 | 2026-02-01 | OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without promp… |
| CVE-2025-41645 | High | 8.6 | 2025-05-13 | An unauthenticated remote attacker could use a demo account of the portal to hijack devices that were created in that account by mistake. |
| CVE-2025-34158 | High | 8.5 | 2025-08-21 | Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres because /myplex/account provides the… |
| CVE-2026-24708 | High | 8.2 | 2026-02-18 | An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk… |
| CVE-2022-30236 | High | 8.2 | 2022-06-02 | A CWE-669: Incorrect Resource Transfer Between Spheres vulnerability exists that could allow unauthorized access when an attacker uses cross-domain attacks. Af… |
| CVE-2025-62775 | High | 8.0 | 2025-10-22 | Mercku M6a devices through 2.1.0 allow root TELNET logins via the web admin password. |
| CVE-2026-31431 | High | 7.8 | 2026-04-22 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b09… |
| CVE-2024-38519 | High | 7.8 | 2024-07-02 | `yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downl… |
| CVE-2026-42997 | High | 7.7 | 2026-05-05 | An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpo… |
| CVE-2025-59363 | High | 7.7 | 2025-09-14 | In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when a… |
| CVE-2022-46173 | High | 7.2 | 2022-12-28 | Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when tryi… |
| CVE-2026-48846 | Medium | 6.5 | 2026-05-25 | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail m… |
| CVE-2026-48845 | Medium | 6.5 | 2026-05-25 | In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinati… |
| CVE-2026-41525 | Medium | 6.5 | 2026-04-28 | KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additiona… |
| CVE-2026-40225 | Medium | 6.4 | 2026-04-10 | In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output. |
| CVE-2026-33265 | Medium | 6.3 | 2026-03-18 | In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API. |
| CVE-2026-41030 | Medium | 6.2 | 2026-04-16 | In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges. |
| CVE-2024-29018 | Medium | 5.9 | 2024-03-20 | Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes… |