CWE-425: Direct Request ('Forced Browsing')
Risk rating: low-risk
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Abstraction: Base
Common Consequences
Confidentiality → Read Application Data
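The weakness above is about where the authorization check lives, not whether a link is visible. The following added example (not code from the original page or from any product in the CVE table below) contrasts the two designs with a tiny in-process router, so it runs offline; the paths, roles and identities are constructed for the illustration. The vulnerable app leaves the check to each handler and one handler forgets it; the hardened app enforces a declared role centrally, deny by default, before any handler runs. A probe function then does what an attacker does: it requests each restricted path directly with a low-privilege identity and reports which ones answer 200.

```python
"""CWE-425 illustration: per-handler authorization (easy to forget) versus a
central, deny-by-default check before dispatch.

Added example, not code from the original page or from any product in the CVE
table. A tiny in-process router stands in for a web framework so this runs
offline; paths, roles and user names are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]


@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None means anonymous
    role: Optional[str] = None  # constructed roles: "user" or "admin"


class VulnerableApp:
    """Each handler does its own authorization. The /admin link is only
    rendered for admins, so /admin/export is 'hidden' from the menu, but a
    direct request still reaches its handler, whose author forgot the check.
    Hiding a link is not access control."""

    def __init__(self) -> None:
        self.routes: Dict[str, Callable[[Request], Response]] = {
            "/": self.index,
            "/admin": self.admin,
            "/admin/export": self.admin_export,
        }

    def index(self, req: Request) -> Response:
        links = ["/"] + (["/admin"] if req.role == "admin" else [])
        return 200, "menu:" + ",".join(links)

    def admin(self, req: Request) -> Response:
        if req.role != "admin":
            return 403, "forbidden"
        return 200, "admin panel"

    def admin_export(self, req: Request) -> Response:
        # No authorization check here: the only protection was the hidden link.
        return 200, "export:all_user_records"

    def handle(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        return handler(req) if handler else (404, "not found")


class HardenedApp:
    """Deny by default: every route declares the role it requires and the
    dispatcher enforces it before any handler runs, so a handler cannot
    forget. Anything not registered is a 404 rather than a reachable file."""

    def __init__(self) -> None:
        # path -> (required role, or None for public; handler)
        self.routes: Dict[str, Tuple[Optional[str], Callable[[Request], Response]]] = {
            "/": (None, self.index),
            "/admin": ("admin", self.admin),
            "/admin/export": ("admin", self.admin_export),
        }

    def index(self, req: Request) -> Response:
        links = ["/"] + (["/admin"] if req.role == "admin" else [])
        return 200, "menu:" + ",".join(links)

    def admin(self, req: Request) -> Response:
        return 200, "admin panel"

    def admin_export(self, req: Request) -> Response:
        return 200, "export:all_user_records"

    def handle(self, req: Request) -> Response:
        entry = self.routes.get(req.path)
        if entry is None:
            return 404, "not found"
        required, handler = entry
        if required is not None and req.role != required:
            # Anonymous callers get 401; authenticated but wrong role gets 403.
            return (401, "unauthorized") if req.user is None else (403, "forbidden")
        return handler(req)


RESTRICTED = ["/admin", "/admin/export"]  # paths an ordinary user must not reach


def forced_browsing_probe(app, restricted_paths: List[str]) -> List[str]:
    """Attacker's view: request each restricted path directly as a
    low-privilege user, ignoring the menu, and return those that answer 200.
    An empty list is the expected result for a correctly protected app."""
    def low_priv(path: str) -> Request:
        return Request(path=path, user="mallory", role="user")  # constructed identity

    return [p for p in restricted_paths if app.handle(low_priv(p))[0] == 200]


if __name__ == "__main__":
    print("vulnerable app leaks:", forced_browsing_probe(VulnerableApp(), RESTRICTED))
    print("hardened app leaks:  ", forced_browsing_probe(HardenedApp(), RESTRICTED))
```

The probe is the check a reviewer or scanner should run against any application: enumerate every restricted path (from the route table, not from the menu), request each with a low-privilege or anonymous session, and treat any 200 as a finding. The hardened design makes that check pass by construction, because the dispatcher refuses to run a handler whose declared role the caller lacks.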
Real-World Examples (8)
| CVE | CVSS base score | EPSS (exploitation probability) | CISA KEV |
|---|---|---|---|
| CVE-2024-45195 | 7.5 | 94.1% | Y |
| CVE-2021-26085 | 5.3 | 94.0% | Y |
| CVE-2024-0204 | 9.8 | 93.0% | — |
| CVE-2017-17736 | 9.8 | 92.6% | — |
| CVE-2018-19207 | 9.8 | 91.9% | — |
| CVE-2019-17503 | 5.3 | 90.2% | — |
| CVE-2022-26159 | 5.3 | 87.9% | — |
| CVE-2021-40875 | 7.5 | 81.1% | — |
Risk Score: 21 / 100 (low-risk)
Active Threat: 20/50 · Moderate
Exploit Availability: 1/50 · Minimal