CWE-1287
Improper Validation of Specified Type of Input
Description
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (69)
page 3 of 4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-52883 | Med | 0.27 | 5.3 | 0.00 | Jun 24, 2025 | Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the… | ||
| CVE-2025-8556 | Low | 0.24 | 3.7 | 0.00 | Aug 6, 2025 | A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange. | ||
| CVE-2026-47675 | Med | 0.21 | 4.3 | 0.00 | May 28, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same… | ||
| CVE-2026-4646 | Med | 0.21 | 4.3 | 0.00 | May 22, 2026 | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint..… | ||
| CVE-2025-1057 | Med | 0.21 | 4.3 | 0.00 | Mar 15, 2025 | A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data… | ||
| CVE-2025-24335 | Low | 0.13 | 2.0 | 0.00 | Jul 2, 2025 | Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain a SOAP message input validation flaw, which in theory could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service. No practical exploit has been detected for… | ||
| CVE-2026-54235 | 0.00 | — | 0.00 | Jun 17, 2026 | ## Summary All temperature validation gates use comparison operators (`<`, `>`), which silently evaluate to `False` for `NaN` and for positive `Infinity` in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce… | |||
| CVE-2026-2092 | — | 0.00 | — | 0.00 | Mar 18, 2026 | A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a… | ||
| CVE-2026-25783 | 0.00 | — | 0.00 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586 | |||
| CVE-2026-29788 | — | 0.00 | — | 0.00 | Mar 6, 2026 | TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports.… | ||
| CVE-2025-12689 | 0.00 | — | 0.00 | Dec 17, 2025 | Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request. | |||
| CVE-2025-13352 | 0.00 | — | 0.00 | Dec 17, 2025 | Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted… | |||
| CVE-2025-60633 | 0.00 | — | 0.00 | Nov 24, 2025 | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API. | |||
| CVE-2025-54525 | 0.00 | — | 0.00 | Aug 11, 2025 | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid request body. | |||
| CVE-2025-53652 | 0.00 | — | 0.01 | Jul 9, 2025 | Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters. | |||
| CVE-2025-46342 | 0.00 | — | 0.01 | Apr 30, 2025 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due… | |||
| CVE-2025-41395 | 0.00 | — | 0.00 | Apr 24, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and… | |||
| CVE-2025-32442 | 0.00 | — | 0.01 | Apr 18, 2025 | Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_… | |||
| CVE-2025-24804 | 0.00 | — | 0.00 | Feb 5, 2025 | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z,… | |||
| CVE-2025-20621 | 0.00 | — | 0.00 | Jan 16, 2025 | Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post… |
- risk 0.27cvss 5.3epss 0.00
Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the…
- risk 0.24cvss 3.7epss 0.00
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
- risk 0.21cvss 4.3epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same…
- risk 0.21cvss 4.3epss 0.00
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint..…
- risk 0.21cvss 4.3epss 0.00
A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data…
- risk 0.13cvss 2.0epss 0.00
Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain a SOAP message input validation flaw, which in theory could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service. No practical exploit has been detected for…
- CVE-2026-54235Jun 17, 2026risk 0.00cvss —epss 0.00
## Summary All temperature validation gates use comparison operators (`<`, `>`), which silently evaluate to `False` for `NaN` and for positive `Infinity` in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce…
- CVE-2026-2092Mar 18, 2026risk 0.00cvss —epss 0.00
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a…
- CVE-2026-25783Mar 16, 2026risk 0.00cvss —epss 0.00
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586
- CVE-2026-29788Mar 6, 2026risk 0.00cvss —epss 0.00
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports.…
- CVE-2025-12689Dec 17, 2025risk 0.00cvss —epss 0.00
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.
- CVE-2025-13352Dec 17, 2025risk 0.00cvss —epss 0.00
Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted…
- CVE-2025-60633Nov 24, 2025risk 0.00cvss —epss 0.00
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.
- CVE-2025-54525Aug 11, 2025risk 0.00cvss —epss 0.00
Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid request body.
- CVE-2025-53652Jul 9, 2025risk 0.00cvss —epss 0.01
Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.
- CVE-2025-46342Apr 30, 2025risk 0.00cvss —epss 0.01
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.13.5 and 1.14.0, it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing due…
- CVE-2025-41395Apr 24, 2025risk 0.00cvss —epss 0.00
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and…
- CVE-2025-32442Apr 18, 2025risk 0.00cvss —epss 0.01
Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_…
- CVE-2025-24804Feb 5, 2025risk 0.00cvss —epss 0.00
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z,…
- CVE-2025-20621Jan 16, 2025risk 0.00cvss —epss 0.00
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post…