CWE-749— Exposed Dangerous Method or Function
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.— MITRE CWE catalog
166 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-749page 4 of 4
- CVE-2026-4051HIGHCVSS 7.2EG 7.22026-05-26
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.
- CVE-2026-41283CRITICALCVSS 9.9EG 9.92026-06-04
OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.
- CVE-2026-44698HIGHCVSS 8.3EG 8.32026-05-29
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in…
- CVE-2026-44798HIGHCVSS 7.1EG 7.12026-05-28
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which wa…
- CVE-2026-44836MEDIUMCVSS 6.5EG 6.52026-05-26
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not …
- CVE-2026-45670MEDIUMCVSS 5.4EG 5.42026-05-19
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source …
- CVE-2026-47899HIGHCVSS 8.7EG 8.72026-06-09
The Electron preload script in Logseq exposes an API method that allows the renderer process to invoke IPC handlers without proper path validation. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin),…
- CVE-2026-48783MEDIUMCVSS 4.8EG 4.82026-06-17
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's clai…
- CVE-2026-49993MEDIUMCVSS 5.7EG 5.72026-06-12
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code…
- CVE-2026-5173HIGHCVSS 8.5EG 8.52026-04-08
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke unintended server-side methods through we…
- CVE-2026-54753MEDIUMCVSS 5.9EG 5.92026-06-26
Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer v…
- CVE-2026-55454CRITICALCVSS 9.9EG 9.92026-06-24
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While thi…
- CVE-2026-6402MEDIUMCVSS 5.3EG 5.32026-05-12
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetc…
- CVE-2026-7516MEDIUMCVSS 4.3EG 4.32026-06-10
A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could allow a website visited by the built-in browser to overwrite system clipboard contents.
- CVE-2026-8108HIGHCVSS 7.8EG 7.82026-05-12
The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.
- CVE-2026-8109MEDIUMCVSS 6.5EG 6.52026-05-12
An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.
Map vulnerabilities like CWE-749 to your infrastructure
EchelonGraph correlates every CVE — across CWE-749 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →