
CWE-749 (Exposed Dangerous Method or Function) — Vulnerability Class 119

119 vulnerabilities classified as CWE-749 (Exposed Dangerous Method or Function). AI-generated Chinese-language analysis included.

CWE-749 describes a product that exposes a dangerous method or function through an API or similar interface without adequately restricting who may invoke it. The weakness is not specific to web APIs: the entries listed on this page include driver and firmware interfaces on Snapdragon and MediaTek platforms, a JavaScript-to-native bridge pattern in mobile WebViews, MCP and automation servers reachable from a browser via DNS rebinding, a scripting engine that hands untrusted scripts the full Lua standard library, and maintenance endpoints on EV chargers. An attacker exploits it by calling the unrestricted function directly, skipping whatever checks the intended callers pass through, so the impact is bounded only by what the function does: disclosure of data, privilege escalation, or arbitrary code execution. Mitigation starts with an explicit inventory of which functions must be reachable and by whom; every retained entry point then gets authentication and authorization checks and validation of its arguments, and anything with no legitimate external caller is removed from the interface rather than merely documented as internal. Periodic review of the exposed surface catches functions that drift into reach through refactoring, reflection-based dispatch, or a newly added transport.

MITRE CWE Description
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. This weakness can lead to a wide variety of resultant weaknesses, depending on the behavior of the exposed method. It can apply to any number of technologies and approaches, such as ActiveX controls, Java functions, IOCTLs, and so on. The exposure can occur in a few different ways:
- The function/method was never intended to be exposed to outside actors.
- The function/method was only intended to be accessible to a limited set of actors, such as Internet-based access from a single web site.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control, Other
Impact: Gain Privileges or Assume Identity, Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Other
Exposing critical functionality essentially provides an attacker with the privilege level of the exposed functionality. This could result in the modification or exposure of sensitive data or possibly even execution of arbitrary code.
Mitigations (2)
Phase: Architecture and Design
If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
Phase: Architecture and Design, Implementation
Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
- accessible to all users
- restricted to a small set of privileged users
- prevented from being directly accessible at all
Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where ap…
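The three-way classification above (open to all users, restricted to privileged users, not reachable at all) is easiest to enforce when the dispatcher itself is driven by an explicit export table rather than by reflection over a service object. The following Python example is added here and is not code from MITRE or from any product on this page; DbService, its methods, the role names and the request shapes are all hypothetical. It shows the CWE-749 pattern (a dispatcher that resolves whatever method name the client sends) next to a hardened dispatcher that only knows the listed methods, checks the caller's role per method, and validates arguments per method; remove_database, the analogue of the page's Java removeDatabase, simply has no entry.

```python
"""Explicit export table versus reflective dispatch (CWE-749), added example."""
import re
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Caller is known but not permitted to make this call with these arguments."""


class UnknownMethod(Exception):
    """Method name is not in the export table (it may still exist internally)."""


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)


class DbService:
    """Hypothetical service object mixing public, privileged and internal methods."""

    def __init__(self):
        self.databases = {"prod", "staging"}
        self.user_info = {                       # constructed sample data
            "alice": {"email": "alice@example.invalid"},
            "mallory": {"email": "mallory@example.invalid"},
        }

    def list_databases(self):          # intended for every authenticated user
        return sorted(self.databases)

    def get_user_info(self, user):     # intended for that user only
        return self.user_info.get(user)

    def reindex_database(self, name):  # intended for administrators only
        return name in self.databases

    def remove_database(self, name):   # internal: never meant to be reachable
        self.databases.discard(name)
        return True


def dispatch_reflective(service, request):
    """CWE-749 pattern: any attribute name the client sends is resolved and
    called, so remove_database (and even dunder attributes) are reachable."""
    method = getattr(service, request["method"])
    return method(*request.get("params", []))


_DB_NAME = re.compile(r"[a-z][a-z0-9_]{0,31}")

# Export table: attribute on the service, role the caller must hold, and an
# argument check that also sees the caller. remove_database is deliberately
# absent; absence from this table is how "not accessible at all" is enforced.
EXPORTS = {
    "list_databases":   ("list_databases",   "user",
                         lambda caller, args: args == []),
    "get_user_info":    ("get_user_info",    "user",
                         lambda caller, args: args == [caller.name]),
    "reindex_database": ("reindex_database", "admin",
                         lambda caller, args: len(args) == 1
                         and isinstance(args[0], str)
                         and _DB_NAME.fullmatch(args[0]) is not None),
}


def dispatch_explicit(service, caller, request):
    """Hardened dispatcher: export table, then role check, then argument check."""
    entry = EXPORTS.get(request.get("method"))
    if entry is None:
        raise UnknownMethod(str(request.get("method")))
    attr, role, check = entry
    if role not in caller.roles:
        raise AccessDenied(f"{caller.name} lacks role {role!r}")
    args = request.get("params", [])
    if not check(caller, args):
        raise AccessDenied(f"arguments rejected for {attr}")
    return getattr(service, attr)(*args)


def demo():
    """Constructed requests: the same drop request against both dispatchers,
    then a series of calls from a plain user and from an admin."""
    drop = {"method": "remove_database", "params": ["prod"]}

    svc = DbService()
    dispatch_reflective(svc, drop)              # succeeds: prod is gone
    dropped_by_reflective = "prod" not in svc.databases

    svc = DbService()
    user = Principal("mallory", {"user"})
    admin = Principal("root", {"user", "admin"})
    calls = [
        ("internal",      user,  drop),
        ("other_user",    user,  {"method": "get_user_info", "params": ["alice"]}),
        ("own_user",      user,  {"method": "get_user_info", "params": ["mallory"]}),
        ("admin_as_user", user,  {"method": "reindex_database", "params": ["prod"]}),
        ("admin_ok",      admin, {"method": "reindex_database", "params": ["prod"]}),
        ("bad_arg",       admin, {"method": "reindex_database", "params": ["prod; DROP"]}),
        ("list",          user,  {"method": "list_databases"}),
    ]
    outcomes = {}
    for label, who, req in calls:
        try:
            outcomes[label] = dispatch_explicit(svc, who, req)
        except (UnknownMethod, AccessDenied) as exc:
            outcomes[label] = type(exc).__name__
    return dropped_by_reflective, "prod" in svc.databases, outcomes


if __name__ == "__main__":
    print(demo())
```

The order of checks in dispatch_explicit matters: an unknown name is rejected before any role lookup, so probing for hidden methods yields the same error for everyone, and the argument check runs only after the caller has been confirmed to hold the role, so unprivileged callers learn nothing about what arguments a privileged method would accept. The same table-driven shape applies to a WebView scheme handler or an MCP tool list: the set of callable names is data you can review, not whatever reflection happens to find.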
Examples (2)
In the following Java example the method removeDatabase deletes the database whose name is passed as the input parameter. Because the method is public, any code that can reach this class can drop any database by name:
    public void removeDatabase(String databaseName) {
        try {
            Statement stmt = conn.createStatement();
            stmt.execute("DROP DATABASE " + databaseName);
        } catch (SQLException ex) {...}
    }
Bad · Java
    // private: callable only from within this class, not through its exposed surface
    private void removeDatabase(String databaseName) {
        try {
            Statement stmt = conn.createStatement();
            stmt.execute("DROP DATABASE " + databaseName);
        } catch (SQLException ex) {...}
    }
Good · Java
Note that this fix only removes the method from the public surface. The concatenation into the DROP DATABASE statement is unchanged, so if any remaining caller ever passes a name derived from untrusted input the method is still SQL-injectable; validate databaseName against a fixed allowlist regardless of its visibility.
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the JavaScript within the WebView to communicate with the application. The handlers check only the scheme, never the origin of the page that issued the request, so any content the WebView ends up loading, whether through an injected script, an open redirect, or a network attacker on a plain-HTTP page, can invoke the native function and have the data written back where its own script can read it:
    // Android
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Only the scheme prefix is inspected; nothing identifies the calling page.
        if (url.substring(0, 14).equalsIgnoreCase("examplescheme:")) {
            if (url.substring(14, 25).equalsIgnoreCase("getUserInfo")) {
                writeDataToView(view, UserData);   // native data handed back to page script
                return false;
            } else {
                return true;
            }
        }
        return false; // added so the method compiles: no scheme match, let the WebView load the URL
    }
Bad · Java
    // iOS
    - (BOOL)webView:(UIWebView *)exWebView
        shouldStartLoadWithRequest:(NSURLRequest *)exRequest
        navigationType:(UIWebViewNavigationType)exNavigationType {
        NSURL *URL = [exRequest URL];
        if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
            NSString *functionString = [URL resourceSpecifier];
            if ([functionString hasPrefix:@"specialFunction"]) {
                // Make data available back in webview.
                UIWebView *webView = [self writeDataToView:[URL query]];
            }
            return NO;
        }
        return YES;
    }
Bad · Objective-C
CVE ID | Title | Product | CVSS | Severity | Published
(AI) reproduces the source's "AI" badge on that score or severity value.
CVE-2026-25266 | Exposed dangerous function in windows host | Snapdragon | 5.5 | Medium | 2026-05-04
CVE-2026-5173 | Exposed Dangerous Method or Function in GitLab | GitLab | 8.5 | High | 2026-04-08
CVE-2026-35488 | Tandoor Recipes: CustomIsShared permits DELETE/PUT on RecipeBook by shared (read-only) users | recipes | 8.1 | High | 2026-04-07
CVE-2026-30957 | OneUptime Synthetic Monitor RCE via exposed Playwright browser object | oneuptime | 10.0 | Critical | 2026-03-10
CVE-2026-3483 | Ivanti Desktop and Server Management security vulnerability | Desktop and Server Management | 7.8 | High | 2026-03-10
CVE-2026-30921 | OneUptime Synthetic Monitor RCE via exposed Playwright browser object | oneuptime | 10.0 | Critical | 2026-03-09
CVE-2026-20423 | MediaTek Chipsets security vulnerability | MediaTek chipset | 7.8 (AI) | High (AI) | 2026-03-02
CVE-2026-28400 | Docker Model Runner Unauthenticated Runtime Flag Injection via _configure Endpoint | model-runner | 7.6 | High | 2026-02-27
CVE-2026-22208 | OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access | OpenS100 | 9.6 | Critical | 2026-02-17
CVE-2025-47366 | Exposed Dangerous Method or Function in HLOS | Snapdragon | 7.1 | High | 2026-02-02
CVE-2025-9611 | Microsoft Playwright MCP Server < 0.0.40 DNS Rebinding via Missing Origin Header Validation | Playwright | 9.6 | - | 2026-01-07
CVE-2025-14494 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14491 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14489 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14490 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14488 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14497 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14495 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14493 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14496 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14492 | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-59788 | Nextcloud security vulnerability | Nextcloud | 6.4 | Medium | 2025-12-04
CVE-2025-64443 | DNS Rebinding vulnerability present when running MCP Gateway in sse or streaming mode | mcp-gateway | 8.3 (AI) | High (AI) | 2025-12-03
CVE-2025-47353 | Exposed Dangerous Method or Function in Automotive Software platform based on QNX | Snapdragon | 7.8 | High | 2025-11-04
CVE-2025-34114 | OpenBlow Missing Critical Security Headers | OpenBlow | 6.1 | - | 2025-07-25
CVE-2025-5823 | Autel MaxiCharger AC Wallbox Commercial Serial Number Exposed Dangerous Method Information Disclosure Vulnerability | Autel MaxiCharger AC Wallbox Commercial | 6.5 (AI) | Medium (AI) | 2025-06-25
CVE-2025-5748 | WOLFBOX Level 2 EV Charger LAN OTA Exposed Dangerous Method Remote Code Execution Vulnerability | Level 2 EV Charger | 8.0 (AI) | High (AI) | 2025-06-06
CVE-2025-30359 | webpack-dev-server users' source code may be stolen when they access a malicious web site | webpack-dev-server | 5.3 | Medium | 2025-06-03
CVE-2025-48415 | Backdoor Functionality via USB Drive in eCharge Hardy Barth cPH2 / cPP2 charging stations | cPH2 / cPP2 charging stations | 6.8 (AI) | Medium (AI) | 2025-05-21
CVE-2025-43003 | Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise) | SAP S/4HANA (Private Cloud & On-Premise) | 6.4 | Medium | 2025-05-13

Vulnerabilities classified as CWE-749 (Exposed Dangerous Method or Function) account for 119 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact, since the exposed function determines whether the outcome is information disclosure, privilege escalation, or code execution.