
CWE-669 (Incorrect Resource Transfer Between Spheres) — Vulnerability Class 45

45 vulnerabilities classified as CWE-669 (Incorrect Resource Transfer Between Spheres). AI Chinese analysis included.

CWE-669 is an architectural weakness in which a system fails to properly manage the transfer of a resource or behavior between distinct security spheres, for example when data moves from an untrusted network zone into a trusted internal environment. Attackers exploit the flaw by manipulating the resource, its context or its metadata during the transition, gaining unintended control over the resource or running attacker-supplied code in the higher-privilege domain. The root cause is usually an insufficient boundary check or a trust assumption that is applied across spheres when it only holds within one. To mitigate the risk, developers must validate and sanitize at every sphere boundary: enforce access controls and verify the origin and integrity of transferred data so that a resource stays confined to the context it was intended for and cannot be used for cross-sphere privilege escalation.

MITRE CWE Description
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Common Consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data, Unexpected State.
Examples (2)
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.
<form action="FileUploadServlet" method="post" enctype="multipart/form-data">
    Choose a file to upload:
    <input type="file" name="filename"/>
    <br/>
    <input type="submit" name="submit" value="Submit"/>
</form>
Good · HTML

public class FileUploadServlet extends HttpServlet {
    ...
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String contentType = request.getContentType();
        // the starting position of the boundary header
        int ind = contentType.indexOf("boundary=");
        String boundary = contentType.substring(ind+9);
        String pLine = new String();
        String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value
        // verify that content type is multipart form data i
Bad · Java
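The servlet above takes the client-supplied file name from the multipart body (untrusted sphere) and uses it to name a file under the upload directory (trusted sphere) without confining it. The following is an added example, not MITRE's code or part of the CWE entry, of the confinement check a hardened servlet would apply before writing; the class name, method name and the value of UPLOAD_DIRECTORY_STRING are assumptions.

```java
// Added example (not from the CWE entry): confine an uploaded file name to the upload
// directory before any file is written. UPLOAD_DIRECTORY_STRING's value is assumed.
import java.nio.file.Path;
import java.nio.file.Paths;

public final class UploadPathGuard {
    private static final String UPLOAD_DIRECTORY_STRING = "/var/app/uploads"; // assumed

    /**
     * Returns the absolute path the upload may be written to, or throws if the
     * client-supplied name would escape the upload directory or is otherwise unsafe.
     */
    public static Path resolveUploadTarget(String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Step 1: keep only the last path element. Some clients send a full client-side
        // path, and traversal attempts arrive as "../" or "..\" sequences; both separators
        // are treated the same way.
        String base = clientFileName;
        int cut = Math.max(base.lastIndexOf('/'), base.lastIndexOf('\\'));
        if (cut >= 0) base = base.substring(cut + 1);
        // Step 2: allowlist the remaining characters. This rejects "..", NUL bytes, and
        // dotfiles such as ".htaccess" that could change server behaviour if written.
        if (!base.matches("[A-Za-z0-9._-]{1,100}") || base.startsWith(".")) {
            throw new IllegalArgumentException("disallowed file name: " + clientFileName);
        }
        // Step 3: resolve against the upload directory, normalize, and verify the result
        // is still inside it. This is the actual sphere-boundary check.
        Path uploadDir = Paths.get(UPLOAD_DIRECTORY_STRING).toAbsolutePath().normalize();
        Path target = uploadDir.resolve(base).normalize();
        if (!target.startsWith(uploadDir)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample names: one benign, the rest shaped like traversal or dotfiles.
        String[] samples = {"report.pdf", "../../etc/passwd", "C:\\Users\\me\\photo.png", "..", ".htaccess"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveUploadTarget(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

In production, store uploads under a server-generated name rather than the client's basename so that a second upload cannot overwrite an existing file.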
This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.
//assume the password is already encrypted, avoiding CWE-312
function authenticate($username,$password){
    include("http://external.example.com/dbInfo.php");
    //dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available
    mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
    mysql_select_db($dbname);
    $query = 'Select * from users where username='.$username.' And password='.$password;
    $result = mysql_query($query);
    if(mysql_numrows($result) == 1){
        mysql_close();
        return true;
    }
    else{
        mysql_close();
        return false;
    }
}
Bad · PHP
CVE ID | Title | CVSS | Severity | Published
CVE-2026-44599 | Tor security vulnerability — Tor | 3.7 | Low | 2026-05-07
CVE-2026-42997 | OpenStack Ironic security vulnerability — Ironic | 7.7 | High | 2026-05-05
CVE-2026-40552 | Remote Code Execution in mpGabinet — mpGabinet | 8.0 (AI) | High (AI) | 2026-04-28
CVE-2026-41525 | Dolphin security vulnerability — Dolphin | 6.5 | Medium | 2026-04-28
CVE-2026-41030 | DesktopEditors security vulnerability — ONLYOFFICE DesktopEditors | 6.2 | Medium | 2026-04-16
CVE-2026-40228 | systemd security vulnerability — systemd | 2.9 | Low | 2026-04-10
CVE-2026-40225 | systemd security vulnerability — systemd | 6.4 | Medium | 2026-04-10
CVE-2026-35545 | Roundcube Webmail security vulnerability — Webmail | 5.3 | Medium | 2026-04-03
CVE-2026-35544 | Roundcube Webmail security vulnerability — Webmail | 5.3 | Medium | 2026-04-03
CVE-2026-35543 | Roundcube Webmail security vulnerability — Webmail | 5.3 | Medium | 2026-04-03
CVE-2026-35542 | Roundcube Webmail security vulnerability — Webmail | 5.3 | Medium | 2026-04-03
CVE-2026-35540 | Roundcube Webmail security vulnerability — Webmail | 5.4 | Medium | 2026-04-03
CVE-2025-41660 | CODESYS Control Boot Application Replacement Enables Code Execution — CODESYS Control RTE (SL) | 8.8 | High | 2026-03-24
CVE-2026-33265 | LibreChat security vulnerability — LibreChat | 6.3 | Medium | 2026-03-18
CVE-2026-32772 | GNU Inetutils security vulnerability — inetutils | 3.4 | Low | 2026-03-13
CVE-2026-24708 | OpenStack Nova security vulnerability — Nova | 8.2 | High | 2026-02-18
CVE-2026-25253 | OpenClaw security vulnerability — OpenClaw | 8.8 | High | 2026-02-01
CVE-2025-67895 | Apache Airflow Providers Edge3: Edge3 Worker RPC RCE on Airflow 2 — Apache Airflow Providers Edge3 | 8.8 (AI) | High (AI) | 2025-12-17
CVE-2025-62775 | Mercku M6a security vulnerability — M6a | 8.0 | High | 2025-10-22
CVE-2025-62646 | Restaurant Brands International assistant platform security vulnerability — assistant platform | 5.0 | Medium | 2025-10-17
CVE-2024-31573 | XMLUnit security vulnerability — XMLUnit for Java | 4.0 | Medium | 2025-10-17
CVE-2025-62292 | SonarQube security vulnerability — SonarQube | 4.3 | Medium | 2025-10-10
CVE-2025-56675 | EKEN video doorbell T6 security vulnerability — video doorbell T6 | 3.5 | Low | 2025-09-30
CVE-2025-59691 | PureVPN security vulnerability — PureVPN | 3.7 | Low | 2025-09-18
CVE-2025-59692 | PureVPN security vulnerability — PureVPN | 3.7 | Low | 2025-09-18
CVE-2025-59453 | Click Studios Passwordstate security vulnerability — Passwordstate | 3.2 | Low | 2025-09-16
CVE-2025-59378 | GNU Guix security vulnerability — Guix | 5.7 | Medium | 2025-09-15
CVE-2025-59363 | One Identity OneLogin security vulnerability — OneLogin | 7.7 | High | 2025-09-14
CVE-2025-34158 | Plex Media Server security vulnerability — Media Server | 8.5 | High | 2025-08-21
CVE-2025-54956 | gh security vulnerability — gh | 3.2 | Low | 2025-08-03

Vulnerabilities classified as CWE-669 (Incorrect Resource Transfer Between Spheres) account for 45 CVEs. The CWE taxonomy describes the weakness class only; review the individual CVEs for product-specific impact.