CWE-1287
Improper Validation of Specified Type of Input
Description
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (69)
page 2 of 4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-48851 | Hig | 0.47 | 7.2 | 0.01 | Sep 18, 2025 | Improper Validation of Specified Type of Input vulnerability in ABB FLXEON.A remote code execution is possible due to an improper input validation. This issue affects FLXEON: through 9.3.5. | ||
| CVE-2026-10825 | Hig | 0.46 | — | 0.00 | Jun 16, 2026 | A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device… | ||
| CVE-2024-56908 | Med | 0.44 | 6.8 | 0.01 | Feb 13, 2025 | In Perfex Crm < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. By providing malicious input in the rel_id parameter, combined with improper input validation, the attacker can bypass restrictions and upload… | ||
| CVE-2024-6858 | Med | 0.42 | 6.5 | 0.00 | Jun 4, 2026 | In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN. | ||
| CVE-2026-29645 | Hig | 0.42 | 7.5 | 0.01 | Apr 20, 2026 | NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings… | ||
| CVE-2026-33806 | Hig | 0.42 | 7.5 | 0.00 | Apr 15, 2026 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression… | ||
| CVE-2024-2105 | — | Med | 0.42 | 6.5 | 0.00 | Dec 10, 2025 | An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices. | |
| CVE-2025-40910 | Med | 0.42 | 6.5 | 0.00 | Jun 27, 2025 | Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who… | ||
| CVE-2021-47156 | — | Med | 0.42 | 6.5 | 0.00 | Mar 18, 2024 | The Net::IPAddress::Util module before 5.000 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. | |
| CVE-2026-9521 | Hig | 0.40 | 7.3 | 0.00 | May 26, 2026 | A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the… | ||
| CVE-2026-0802 | Med | 0.39 | 6.0 | 0.00 | May 12, 2026 | An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and… | ||
| CVE-2026-7887 | Med | 0.35 | 6.4 | 0.00 | May 21, 2026 | For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this… | ||
| CVE-2025-40911 | Med | 0.35 | 6.5 | 0.00 | May 27, 2025 | Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can… | ||
| CVE-2025-25186 | Med | 0.35 | 6.5 | 0.01 | Feb 10, 2025 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time… | ||
| CVE-2024-8125 | Med | 0.35 | — | 0.00 | Feb 4, 2025 | Improper Validation of Specified Type of Input vulnerability in OpenText™ Content Management (Extended ECM) allows Parameter Injection. A bad actor with the required OpenText Content Management privileges (not root) could expose the vulnerability to carry out a remote code… | ||
| CVE-2024-47262 | Med | 0.34 | 5.3 | 0.00 | Mar 4, 2025 | Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of… | ||
| CVE-2025-32901 | Med | 0.28 | 4.3 | 0.00 | Dec 5, 2025 | In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash. | ||
| CVE-2025-9524 | Med | 0.28 | 4.3 | 0.00 | Nov 11, 2025 | The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability. This vulnerability can only be exploited after authenticating with a viewer- operator- or administrator-privileged service account. | ||
| CVE-2025-0325 | Med | 0.28 | 4.3 | 0.00 | Jun 2, 2025 | A Guard Tour VAPIX API parameter allowed the use of arbitrary values and can be incorrectly called, allowing an attacker to block access to the guard tour configuration page in the web interface of the Axis device. | ||
| CVE-2025-61672 | Med | 0.27 | — | 0.00 | Oct 8, 2025 | Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation… |
- risk 0.47cvss 7.2epss 0.01
Improper Validation of Specified Type of Input vulnerability in ABB FLXEON.A remote code execution is possible due to an improper input validation. This issue affects FLXEON: through 9.3.5.
- risk 0.46cvss —epss 0.00
A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device…
- risk 0.44cvss 6.8epss 0.01
In Perfex Crm < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. By providing malicious input in the rel_id parameter, combined with improper input validation, the attacker can bypass restrictions and upload…
- risk 0.42cvss 6.5epss 0.00
In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.
- risk 0.42cvss 7.5epss 0.01
NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings…
- risk 0.42cvss 7.5epss 0.00
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression…
- risk 0.42cvss 6.5epss 0.00
An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices.
- risk 0.42cvss 6.5epss 0.00
Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who…
- risk 0.42cvss 6.5epss 0.00
The Net::IPAddress::Util module before 5.000 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
- risk 0.40cvss 7.3epss 0.00
A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the…
- risk 0.39cvss 6.0epss 0.00
An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and…
- risk 0.35cvss 6.4epss 0.00
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this…
- risk 0.35cvss 6.5epss 0.00
Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can…
- risk 0.35cvss 6.5epss 0.01
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time…
- risk 0.35cvss —epss 0.00
Improper Validation of Specified Type of Input vulnerability in OpenText™ Content Management (Extended ECM) allows Parameter Injection. A bad actor with the required OpenText Content Management privileges (not root) could expose the vulnerability to carry out a remote code…
- risk 0.34cvss 5.3epss 0.00
Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of…
- risk 0.28cvss 4.3epss 0.00
In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.
- risk 0.28cvss 4.3epss 0.00
The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability. This vulnerability can only be exploited after authenticating with a viewer- operator- or administrator-privileged service account.
- risk 0.28cvss 4.3epss 0.00
A Guard Tour VAPIX API parameter allowed the use of arbitrary values and can be incorrectly called, allowing an attacker to block access to the guard tour configuration page in the web interface of the Axis device.
- risk 0.27cvss —epss 0.00
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation…