CWE•Base•Incomplete•20 recent CVEs
CWE-425Direct Request ('Forced Browsing')
Description
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Common consequences
- Confidentiality,Integrity,Availability,Access Control→Read Application Data,Modify Application Data,Execute Unauthorized Code or Commands,Gain Privileges or Assume Identity
Potential mitigations
- Architecture and Design,OperationApply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
- Architecture and DesignConsider using MVC based frameworks such as Struts.
Related CWEs
CWE-862Missing AuthorizationCWE-862Missing AuthorizationCWE-288Authentication Bypass Using an Alternate Path or ChannelCWE-424Improper Protection of Alternate PathCWE-471Modification of Assumed-Immutable Data (MAID)CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Recent CVEs classified under this CWE
CVE-2026-135335.32026-06-29CVE-2026-105217.22026-06-23CVE-2026-96102.32026-06-22CVE-2026-340282026-06-15CVE-2026-119864.92026-06-11CVE-2026-82055.32026-05-21CVE-2026-75005.42026-04-30CVE-2026-350298.82026-04-06CVE-2025-153817.12026-03-27CVE-2026-49005.32026-03-26CVE-2026-332177.12026-03-25CVE-2026-45325.32026-03-22CVE-2025-155872026-03-16CVE-2026-256797.52026-03-06CVE-2025-520249.42026-01-23CVE-2025-151533.72025-12-28CVE-2025-146973.72025-12-15CVE-2025-112803.72025-10-05CVE-2025-102873.12025-09-12CVE-2017-24866.52017-04-02