CWE-1287
Improper Validation of Specified Type of Input
Base · Incomplete
Description
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (33)
Page 1 of 2

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-9042 | High | 0.57 | — | 0.00 | Aug 14, 2025 | A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the 5094-IY8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle. |
| CVE-2025-9041 | High | 0.57 | — | 0.00 | Aug 14, 2025 | A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the 5094-IF8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle. |
| CVE-2025-20251 | High | 0.55 | 8.5 | 0.00 | Aug 14, 2025 | A vulnerability in the Remote Access SSL VPN service for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to create or delete arbitrary files on the underlying operating system. If critical system files are manipulated, new Remote Access SSL VPN sessions could be denied and existing sessions could be dropped, causing a denial of service (DoS) condition. An exploited device requires a manual reboot to recover. This vulnerability is due to insufficient input validation when processing HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to create or delete files on the underlying operating system, which could cause the Remote Access SSL VPN service to become unresponsive. To exploit this vulnerability, the attacker must be authenticated as a VPN user of the affected device. |
| CVE-2025-42929 | High | 0.53 | 8.1 | 0.00 | Sep 9, 2025 | Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. This leads to a high impact on integrity and availability of the database. |
| CVE-2025-42916 | High | 0.53 | 8.1 | 0.00 | Sep 9, 2025 | Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. This leads to a high impact on integrity and availability of the database but no impact on confidentiality. |
| CVE-2025-24876 | High | 0.53 | 8.1 | 0.00 | Feb 11, 2025 | The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application. |
| CVE-2025-20327 | High | 0.50 | 7.7 | 0.00 | Sep 24, 2025 | A vulnerability in the web UI of Cisco IOS Software could allow an authenticated, remote attacker with low privileges to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted URL in an HTTP request. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. |
| CVE-2025-20244 | High | 0.50 | 7.7 | 0.00 | Aug 14, 2025 | A vulnerability in the Remote Access SSL VPN service for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow a remote attacker that is authenticated as a VPN user to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to incomplete error checking when parsing an HTTP header field value. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted Remote Access SSL VPN service on an affected device. A successful exploit could allow the attacker to cause a DoS condition, which would cause the affected device to reload. |
| CVE-2026-20119 | High | 0.49 | 7.5 | 0.00 | Feb 4, 2026 | A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. |
| CVE-2025-41729 | High | 0.49 | 7.5 | 0.00 | Nov 24, 2025 | An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service. |
| CVE-2025-41650 | High | 0.49 | 7.5 | 0.00 | May 27, 2025 | An unauthenticated remote attacker can exploit input validation in cmd services of the devices, allowing them to disrupt system operations and potentially cause a denial-of-service. |
| CVE-2024-8058 | High | 0.49 | 7.6 | 0.00 | Dec 16, 2024 | An improper parsing vulnerability was reported in the FileZ client that could allow a crafted file in the FileZ directory to read arbitrary files on the device due to URL preloading. |
| CVE-2024-9404 | High | 0.49 | 7.5 | 0.00 | Dec 4, 2024 | This vulnerability could lead to denial-of-service or service crashes. Exploitation of the moxa_cmd service, because of insufficient input validation, allows attackers to disrupt operations. If exposed to public networks, the vulnerability poses a significant remote threat, potentially allowing attackers to shut down affected systems. |
| CVE-2024-8403 | High | 0.49 | 7.5 | 0.01 | Nov 19, 2024 | Improper Validation of Specified Type of Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET versions 1.100 to 1.200 and FX5-ENET/IP versions 1.100 to 1.104 allows a remote attacker to cause a Denial of Service condition in Ethernet communication of the products by sending specially crafted SLMP packets. |
| CVE-2025-10207 | High | 0.47 | 7.2 | 0.00 | Sep 18, 2025 | Improper Validation of Specified Type of Input vulnerability in ABB FLXEON. This issue affects FLXEON: through 9.3.5. |
| CVE-2024-48851 | High | 0.47 | 7.2 | 0.01 | Sep 18, 2025 | Improper Validation of Specified Type of Input vulnerability in ABB FLXEON. A remote code execution is possible due to an improper input validation. This issue affects FLXEON: through 9.3.5. |
| CVE-2024-56908 | Medium | 0.44 | 6.8 | 0.00 | Feb 13, 2025 | In Perfex Crm < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. By providing malicious input in the rel_id parameter, combined with improper input validation, the attacker can bypass restrictions and upload arbitrary files to directories of their choice, potentially leading to remote code execution or server compromise. |
| CVE-2026-29645 | High | 0.42 | 7.5 | 0.00 | Apr 20, 2026 | NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted and executed as vset* configuration instructions rather than raising an illegal-instruction exception. This can be exploited by providing crafted RISC-V binaries to cause incorrect trap behavior, architectural state corruption/divergence, and potential denial of service in systems that rely on NEMU for correct execution or sandboxing. |
| CVE-2026-33806 | High | 0.42 | 7.5 | 0.00 | Apr 15, 2026 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442. Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version. |
| CVE-2024-2105 | Medium | 0.42 | 6.5 | 0.00 | Dec 10, 2025 | An unauthorised attacker within Bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices. |