Common Weakness Enumeration

CWE-489

Allowed

Active Debug Code

Abstraction: Base · Status: Draft

The product is released with debugging code still enabled or active.

141 vulnerabilities reference this CWE, most recent first.

GHSA-G8QV-J323-HJ3F

Vulnerability from github – Published: 2022-11-09 19:02 – Updated: 2022-11-10 19:01
VLAI
Details

A leftover debug code vulnerability exists in the console nvram functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to disabling security features. An attacker can send a sequence of requests to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-489"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A leftover debug code vulnerability exists in the console nvram functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to disabling security features. An attacker can send a sequence of requests to trigger this vulnerability.",
  "id": "GHSA-g8qv-j323-hj3f",
  "modified": "2022-11-10T19:01:08Z",
  "published": "2022-11-09T19:02:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29481"
    },
    {
      "type": "WEB",
      "url": "https://inhandnetworks.com/upload/attachment/202210/25/InHand-PSA-2022-02.pdf"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1518"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G9M4-VFQ7-W439

Vulnerability from github – Published: 2024-07-03 21:39 – Updated: 2024-07-08 15:31
VLAI
Details

Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-489"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-03T19:15:03Z",
    "severity": "HIGH"
  },
  "details": "Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd.",
  "id": "GHSA-g9m4-vfq7-w439",
  "modified": "2024-07-08T15:31:55Z",
  "published": "2024-07-03T21:39:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29511"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510"
    },
    {
      "type": "WEB",
      "url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=3d4cfdc1a44"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJJ6-9XHJ-MR9J

Vulnerability from github – Published: 2025-08-06 09:30 – Updated: 2025-08-06 09:30
VLAI
Details

Information disclosure while capturing logs as eSE debug messages are logged.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-489"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-06T08:15:28Z",
    "severity": "MODERATE"
  },
  "details": "Information disclosure while capturing logs as eSE debug messages are logged.",
  "id": "GHSA-gjj6-9xhj-mr9j",
  "modified": "2025-08-06T09:30:36Z",
  "published": "2025-08-06T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21472"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2025-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H538-8M3C-JG9C

Vulnerability from github – Published: 2023-10-11 18:30 – Updated: 2025-11-04 21:30
VLAI
Details

A leftover debug code vulnerability exists in the httpd debug credentials functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-489"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-11T16:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "A leftover debug code vulnerability exists in the httpd debug credentials functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability.",
  "id": "GHSA-h538-8m3c-jg9c",
  "modified": "2025-11-04T21:30:43Z",
  "published": "2023-10-11T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32645"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1752"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1752"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HX98-FGMP-472P

Vulnerability from github – Published: 2024-07-17 09:30 – Updated: 2024-08-01 15:32
VLAI
Details

FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain an active debug code vulnerability. If a user who knows how to use the debug function logs in to the product, the debug function may be used and an arbitrary OS command may be executed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-489",
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-17T09:15:03Z",
    "severity": "HIGH"
  },
  "details": "FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain an active debug code vulnerability. If a user who knows how to use the debug function logs in to the product, the debug function may be used and an arbitrary OS command may be executed.",
  "id": "GHSA-hx98-fgmp-472p",
  "modified": "2024-08-01T15:32:05Z",
  "published": "2024-07-17T09:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36475"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU96424864"
    },
    {
      "type": "WEB",
      "url": "https://www.centurysys.co.jp/backnumber/nxr_common/20240716-01.html"
    },
    {
      "type": "WEB",
      "url": "https://www.centurysys.co.jp/backnumber/nxr_common/20240716-03.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J26P-J946-5HV2

Vulnerability from github – Published: 2026-07-09 15:32 – Updated: 2026-07-09 15:32
VLAI
Details

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application contains a vulnerability in its firmware update mechanism's signature validation process. This could allow an attacker to install malicious firmware, leading to persistent code execution and system compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-489"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T15:16:36Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions \u003c V26.20), SICORE Base system (All versions \u003c V26.20.0). The affected application contains a vulnerability in its firmware update mechanism\u0027s signature validation process. This could allow an attacker to install malicious firmware, leading to persistent code execution and system compromise.",
  "id": "GHSA-j26p-j946-5hv2",
  "modified": "2026-07-09T15:32:35Z",
  "published": "2026-07-09T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54799"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-229470.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J956-V3JJ-36F8

Vulnerability from github – Published: 2022-11-09 19:02 – Updated: 2022-11-10 19:01
VLAI
Details

A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-489"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.",
  "id": "GHSA-j956-v3jj-36f8",
  "modified": "2022-11-10T19:01:08Z",
  "published": "2022-11-09T19:02:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28689"
    },
    {
      "type": "WEB",
      "url": "https://inhandnetworks.com/upload/attachment/202210/25/InHand-PSA-2022-02.pdf"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1521"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMFC-HFJQ-PXCP

Vulnerability from github – Published: 2026-05-29 22:16 – Updated: 2026-05-29 22:16
VLAI
Summary
stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation
Details

Impact

Stigmem nodes with federation enabled could be configured to run without mTLS outside loopback-only local development. In affected deployments, federation traffic may traverse the network without the intended transport protection. Impacted users are operators who enabled federation and explicitly disabled mTLS while binding the node to a non-loopback URL.

Patches

Patched in 0.9.0a2. The node now refuses this configuration unless insecure federation is limited to loopback-only local development.

Workarounds

Before upgrading, operators should enable mTLS for federation or ensure federation endpoints are bound only to loopback/private test environments and are not reachable by untrusted networks.

Upgrade

Upgrade to the patched release:

pip install --upgrade --pre stigmem-node

If developers install through the Stigmem meta-package instead, they should use the matching extra for deployments, for example:

pip install --upgrade --pre 'stigmem[node]'

Resources

  • Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
  • Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35
  • Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "stigmem-node"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0a2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-489"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T22:16:27Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nStigmem nodes with federation enabled could be configured to run without mTLS outside loopback-only local development. In affected deployments, federation traffic may traverse the network without the intended transport protection. Impacted users are operators who enabled federation and explicitly disabled mTLS while binding the node to a non-loopback URL.\n\n### Patches\nPatched in 0.9.0a2. The node now refuses this configuration unless insecure federation is limited to loopback-only local development.\n\n### Workarounds\nBefore upgrading, operators should enable mTLS for federation or ensure federation endpoints are bound only to loopback/private test environments and are not reachable by untrusted networks.\n\n### Upgrade\nUpgrade to the patched release:\n\n```bash\npip install --upgrade --pre stigmem-node\n```\n\nIf developers install through the Stigmem meta-package instead, they should use the matching extra for deployments, for example:\n\n```bash\npip install --upgrade --pre \u0027stigmem[node]\u0027\n```\n\n### Resources\n- Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2\n- Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35\n- Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md",
  "id": "GHSA-jmfc-hfjq-pxcp",
  "modified": "2026-05-29T22:16:27Z",
  "published": "2026-05-29T22:16:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eidetic-labs/stigmem/security/advisories/GHSA-jmfc-hfjq-pxcp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eidetic-labs/stigmem"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "stigmem-node\u0027s federation insecure transport settings may allow non-loopback cleartext federation"
}

GHSA-JVHV-C9PJ-767G

Vulnerability from github – Published: 2022-11-09 19:02 – Updated: 2022-11-10 19:01
VLAI
Details

A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-489"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.",
  "id": "GHSA-jvhv-c9pj-767g",
  "modified": "2022-11-10T19:01:10Z",
  "published": "2022-11-09T19:02:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29888"
    },
    {
      "type": "WEB",
      "url": "https://inhandnetworks.com/upload/attachment/202210/25/InHand-PSA-2022-02.pdf"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1522"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JW99-297G-63F5

Vulnerability from github – Published: 2026-07-09 15:32 – Updated: 2026-07-09 15:32
VLAI
Details

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application includes a debugging interface that is accessible through HTTP endpoints. This could allow an authenticated attacker to disrupt the system by crashing the web process causing denial of service conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-489"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T15:16:36Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions \u003c V26.20), SICORE Base system (All versions \u003c V26.20.0). The affected application includes a debugging interface that is accessible through HTTP endpoints. This could allow an authenticated attacker to disrupt the system by crashing the web process causing denial of service conditions.",
  "id": "GHSA-jw99-297g-63f5",
  "modified": "2026-07-09T15:32:35Z",
  "published": "2026-07-09T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54798"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-229470.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Build and Compilation Distribution

Remove debug code before deploying the application.

CAPEC-121: Exploit Non-Production Interfaces

An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.

CAPEC-661: Root/Jailbreak Detection Evasion via Debugging

An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more.