CWE-668 (Exposure of Resource to Wrong Sphere) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2025-15653 | 2026-06-02 | Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise softwar… |
| CVE-2026-46430 | 2026-05-26 | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags… |
| CVE-2026-8958 | 2026-05-19 | Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. |
| CVE-2026-46723 | 2026-05-19 | The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data f… |
| CVE-2026-44552 | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When tw… |
| CVE-2026-45411 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the re… |
| CVE-2026-44009 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2. |
| CVE-2026-44008 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array pro… |
| CVE-2026-42875 | 2026-05-11 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider… |
| CVE-2026-34095 | 2026-05-11 | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php. This issue affects M… |
| CVE-2026-34094 | 2026-05-11 | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.… |
| CVE-2026-44338 | 2026-05-08 | PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any c… |
| CVE-2026-41369 | 2026-04-28 | OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers … |
| CVE-2026-41368 | 2026-04-28 | OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $… |
| CVE-2026-41362 | 2026-04-28 | OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attacker… |
| CVE-2026-6830 | 2026-04-21 | nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next pro… |
| CVE-2026-32690 | 2026-04-18 | Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store… |
| CVE-2026-30912 | 2026-04-18 | In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. … |
| CVE-2025-54502 | 2026-04-16 | Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resultin… |
| CVE-2026-35658 | 2026-04-10 | OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts out… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Other_Notes |
| 2008-11-24 | CWE Content Team | 1.1 | — | updated Relationships |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Relationships |
| 2009-07-22 | CWE Content Team | 1.5 | Critical | Clarified description to include permissions. |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Description, Relationships |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Other_Notes, Theoretical_Notes |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Relationships |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Relationships |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Relationships |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Relationships |
| 2013-07-17 | CWE Content Team | 2.5 | — | updated Relationships |
| 2014-06-23 | CWE Content Team | 2.7 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-01-19 | CWE Content Team | 2.10 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Modes_of_Introduction, Relationships, Relevant_Properties |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Relationships |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated References |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Common_Consequences, Relationships |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Mapping_Notes |