VYPR

CWE-1286

Improper Validation of Syntactic Correctness of Input

Base · Incomplete

Description

The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-66 · CAPEC-676

CVEs mapped to this weakness (49)

page 2 of 3
  • CVE-2026-40198 · High · Apr 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Net::CIDR::Lite versions before 0.23 for Perl do not validate the IPv6 group count, which may allow IP ACL bypass. _pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and…

  • CVE-2026-21527 · Medium · Feb 10, 2026
    risk 0.42 · cvss 6.5 · epss 0.09

    User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2025-13033 · High · Nov 14, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to…

  • CVE-2025-11573 · High · Oct 9, 2025
    risk 0.42 · cvss 7.5 · epss 0.00

    An infinite loop issue in Amazon.IonDotnet library versions <v1.3.2 may allow a threat actor to cause a denial of service through a specially crafted text input. To mitigate this issue, users should upgrade to version v1.3.2. As of August 20, 2025, this library has been…

  • CVE-2025-24347 · Medium · Apr 30, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the network configuration file via a crafted HTTP request.

  • CVE-2025-24812 · Medium · Feb 11, 2025
    risk 0.42 · cvss 6.5 · epss 0.01

    A vulnerability has been identified in SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0) (All versions < V4.7), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0) (All versions < V4.7), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0) (All versions < V4.7),…

  • CVE-2024-6173 · Medium · Sep 10, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    51l3nc3, member of the AXIS OS Bug Bounty Program, has found that a Guard Tour VAPIX API parameter allowed the use of arbitrary values allowing for an attacker to block access to the guard tour configuration page in the web interface of the Axis device. Axis has released…

  • CVE-2025-24345 · Medium · Apr 30, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability in the “Hosts” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the “hosts” file in an unintended manner via a crafted HTTP request.

  • CVE-2025-46419 · Medium · Apr 24, 2025
    risk 0.38 · cvss 5.9 · epss 0.00

    Westermo WeOS 5 through 5.23.0 allows a reboot via a malformed ESP packet.

  • CVE-2025-25007 · Medium · Aug 12, 2025
    risk 0.35 · cvss 5.3 · epss 0.01

    Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2025-24348 · Medium · Apr 30, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request.

  • CVE-2023-27043 · Medium · Apr 19, 2023
    risk 0.34 · cvss 5.3 · epss 0.03

    The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which…

  • CVE-2024-8772 · Medium · Nov 26, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API managedoverlayimages.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can…

  • CVE-2021-4479 · Medium · Jun 2, 2026
    risk 0.26 · cvss 4.0 · epss 0.00

    Dräger Atlan A350 versions 1.00 up to and including 1.01 contain an improper input handling vulnerability that allows attackers to cause a denial of service by sending specifically crafted non-Medibus-compliant data through the Medibus interface. Attackers can transmit…

  • CVE-2019-25723 · Medium · Jun 2, 2026
    risk 0.26 · cvss 4.0 · epss 0.00

    Dräger Perseus A500 software versions 2.00 through 2.02 contain an improper input handling vulnerability that allows external attackers to cause a denial of service by sending specifically crafted non-Medibus-compliant data through the Medibus interface. Attackers can overload…

  • CVE-2026-34835 · Medium · Apr 2, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and…

  • CVE-2023-6950 · Low · Apr 2, 2024
    risk 0.20 · cvss 3.0 · epss 0.00

    An Improper Input Validation vulnerability affecting the FTP service running on the DJI Mavic Mini 3 Pro could allow an attacker to craft a malicious packet containing a malformed path provided to the FTP SIZE command that leads to a denial-of-service attack of the FTP service…

  • CVE-2026-10099 · Medium · May 29, 2026
    risk 0.19 · cvss 4.0 · epss 0.00

    XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking…

  • CVE-2026-55767 · Jun 19, 2026
    risk 0.00 · cvss - · epss 0.00

    `CookieJar` incorrectly accepts cookies with a dot-only `Domain` attribute, such as `Domain=.`, `Domain=..`, `Domain=...`, and whitespace-padded variants such as `Domain= . `. In affected versions, `SetCookie::matchesDomain()` removes leading dots from the cookie…

  • CVE-2025-13327 · Feb 27, 2026
    risk 0.00 · cvss - · epss 0.00

    A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an…