CWE-1286
Improper Validation of Syntactic Correctness of Input
Description
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-66 · CAPEC-676
CVEs mapped to this weakness (49)
page 3 of 3| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-25513 | 0.00 | — | 0.00 | Feb 4, 2026 | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort… | |||
| CVE-2025-67492 | 0.00 | — | 0.00 | Dec 16, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this… | |||
| CVE-2025-10954 | 0.00 | — | 0.00 | Sep 27, 2025 | Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out… | |||
| CVE-2025-22868 | — | 0.00 | — | 0.01 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2024-34537 | 0.00 | — | 0.01 | Oct 28, 2024 | TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an administrator-level backend user account via manipulated data saved in the bookmark toolbar of the backend user interface. The fixed versions are 10.4.46 ELTS,… | |||
| CVE-2024-6763 | 0.00 | — | 0.01 | Oct 14, 2024 | Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs… | |||
| CVE-2024-6284 | — | 0.00 | — | 0.00 | Jul 3, 2024 | In https://github.com/google/nftables IP addresses were encoded in the wrong byte order, resulting in an nftables configuration which does not work as intended (might block or not block the desired addresses). This issue affects: https://pkg.go.dev/github.com/google/nftabl… | ||
| CVE-2024-29041 | 0.00 | — | 0.01 | Mar 25, 2024 | Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL… | |||
| CVE-2022-1941 | — | 0.00 | — | 0.01 | Sep 22, 2022 | A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python… |
- CVE-2026-25513Feb 4, 2026risk 0.00cvss —epss 0.00
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort…
- CVE-2025-67492Dec 16, 2025risk 0.00cvss —epss 0.00
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this…
- CVE-2025-10954Sep 27, 2025risk 0.00cvss —epss 0.00
Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out…
- CVE-2025-22868Feb 26, 2025risk 0.00cvss —epss 0.01
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- CVE-2024-34537Oct 28, 2024risk 0.00cvss —epss 0.01
TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an administrator-level backend user account via manipulated data saved in the bookmark toolbar of the backend user interface. The fixed versions are 10.4.46 ELTS,…
- CVE-2024-6763Oct 14, 2024risk 0.00cvss —epss 0.01
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs…
- CVE-2024-6284Jul 3, 2024risk 0.00cvss —epss 0.00
In https://github.com/google/nftables IP addresses were encoded in the wrong byte order, resulting in an nftables configuration which does not work as intended (might block or not block the desired addresses). This issue affects: https://pkg.go.dev/github.com/google/nftabl…
- CVE-2024-29041Mar 25, 2024risk 0.00cvss —epss 0.01
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL…
- CVE-2022-1941Sep 22, 2022risk 0.00cvss —epss 0.01
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python…