
CWE-425 (Direct Request ('Forced Browsing')) — Vulnerability Class 76

76 vulnerabilities classified as CWE-425 (Direct Request ('Forced Browsing')). AI Chinese analysis included.

CWE-425, Direct Request or 'Forced Browsing,' is a critical access control weakness where applications fail to enforce proper authorization on restricted resources. Attackers typically exploit this vulnerability by manually guessing or enumerating valid Uniform Resource Locators (URLs) to access sensitive files, scripts, or administrative interfaces that should remain hidden from unauthorized users. This often occurs when developers rely solely on client-side restrictions or assume that obscure file paths provide sufficient security. To prevent forced browsing, developers must implement robust server-side access controls that validate user permissions for every request, regardless of the resource’s visibility or naming convention. Additionally, employing comprehensive logging and monitoring helps detect enumeration attempts, while strict adherence to the principle of least privilege ensures that users only access data necessary for their specific roles, effectively neutralizing the threat of unauthorized direct requests.

MITRE CWE Description
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control
Impact: Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Mitigations (2)
Phase: Architecture and Design, Operation
Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Phase: Architecture and Design
Consider using MVC based frameworks such as Struts.

Examples (1)
If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.
http://somesite.com/someapplication/admin.jsp
(Attack example; language: JSP)
CVE entries (scores and severities marked "(AI)" are flagged as AI-generated on the original page; "-" means no severity was given):

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-7500 | Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled | Red Hat Build of Keycloak | 5.4 | Medium | 2026-04-30 |
| CVE-2024-58343 | Vision Helpdesk security vulnerability | Helpdesk | 4.3 | Medium | 2026-04-16 |
| CVE-2025-15587 | Credentials exposure in tinycontrol devices | Lan Kontroler v3.5 | 8.1 (AI) | High (AI) | 2026-03-16 |
| CVE-2026-1978 | kalyan02 NanoCMS User Information pagesdata.txt direct request | NanoCMS | 5.3 | Medium | 2026-02-06 |
| CVE-2026-0790 | ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability | 8180 IP Audio Alerter | 7.5 | - | 2026-01-23 |
| CVE-2025-67844 | Mintlify security vulnerability | Mintlify Platform | 5.0 | Medium | 2025-12-19 |
| CVE-2025-65011 | Unauthorized Access to files in WODESYS WD-R608U router | WD-R608U | 7.5 (AI) | High (AI) | 2025-12-18 |
| CVE-2025-26381 | OpenBlue Mobile Web Application configuration issue for optional for OpenBlue Workplace (formerly FM Systems) | OpenBlue Workplace (formerly FM Systems) | 7.5 (AI) | High (AI) | 2025-12-17 |
| CVE-2025-57823 | Fortinet FortiAuthenticator security vulnerability | FortiAuthenticator | 2.6 | Low | 2025-12-09 |
| CVE-2025-6195 | Direct Request ('Forced Browsing') in GitLab | GitLab | 4.3 | Medium | 2025-11-26 |
| CVE-2025-62778 | Frappe Learning allowed students to access the Quiz Form via direct URL | lms | 5.3 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2025-11280 | Frappe LMS Assignment Picture files direct request | LMS | 3.7 | Low | 2025-10-05 |
| CVE-2025-59797 | Profession Fit security vulnerability | Profession Fit | 5.8 | Medium | 2025-09-22 |
| CVE-2025-10287 | roncoo roncoo-pay orderQuery direct request | roncoo-pay | 3.1 | Low | 2025-09-12 |
| CVE-2025-31971 | AIML Solutions for HCL SX is susceptible to a URL validation vulnerability | AIML Solutions for SX | 5.1 | Medium | 2025-08-28 |
| CVE-2025-55736 | flaskBlog allows arbitrary privilege escalation | FlaskBlog | 8.8 (AI) | High (AI) | 2025-08-19 |
| CVE-2025-41404 | iroha Board security vulnerability | iroha Board | 4.3 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-53073 | Sentry security vulnerability | Sentry | 4.2 | Medium | 2025-06-24 |
| CVE-2025-52920 | InnoShop security vulnerability | InnoShop | 6.4 | Medium | 2025-06-23 |
| CVE-2025-6352 | code-projects Automated Voting System Backend vote.php direct request | Automated Voting System | 5.3 | Medium | 2025-06-20 |
| CVE-2025-48207 | TYPO3 security vulnerability | reint downloadmanager extension | 8.6 | High | 2025-05-21 |
| CVE-2025-48202 | TYPO3 femanager security vulnerability | femanager extension | 5.3 | Medium | 2025-05-21 |
| CVE-2025-48201 | TYPO3 security vulnerability | ns backup extension | 8.6 | High | 2025-05-21 |
| CVE-2025-48205 | TYPO3 security vulnerability | sr feuser register extension | 8.6 | High | 2025-05-21 |
| CVE-2025-47226 | Snipe-IT security vulnerability | Snipe-IT | 5.0 | Medium | 2025-05-02 |
| CVE-2025-46690 | Ververica Platform security vulnerability | Ververica Platform | 5.0 | Medium | 2025-04-27 |
| CVE-2025-2595 | Forced Browsing Vulnerability in CODESYS Visualization | CODESYS Visualization | 5.3 | Medium | 2025-04-23 |
| CVE-2025-27581 | NIH BRICS security vulnerability | BRICS | 4.3 | Medium | 2025-04-23 |
| CVE-2025-32367 | Oz Forensics Oz Liveness security vulnerability | face recognition application | 8.6 | High | 2025-04-11 |
| CVE-2025-26689 | Inaba Denki Sangyo CHOCO TEI WATCHER mini security vulnerability | CHOCO TEI WATCHER mini (IB-MCT001) | 9.8 | Critical | 2025-03-31 |

Vulnerabilities classified as CWE-425 (Direct Request ('Forced Browsing')) represent 76 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.