VYPR

CWE-1289

Improper Validation of Unsafe Equivalence in Input

Abstraction: Base. Status: Incomplete.

Description

The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (20)

  • CVE-2026-50090 (Critical, Jun 12, 2026)
    risk 0.60, CVSS 9.3, EPSS 0.00

    The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of…

  • CVE-2026-33729 (Critical, Mar 27, 2026)
    risk 0.57, CVSS 9.8, EPSS 0.00

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests…

  • CVE-2026-39821 (Critical, May 22, 2026)
    risk 0.55, CVSS 9.6, EPSS 0.00

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in…

  • CVE-2026-35039 (Critical, Apr 6, 2026)
    risk 0.52, CVSS 9.1, EPSS 0.00

    fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during…

  • CVE-2026-33496 (High, Mar 26, 2026)
    risk 0.46, CVSS 8.1, EPSS 0.00

    ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator…

  • CVE-2026-41239 (Medium, Apr 23, 2026)
    risk 0.44, CVSS 6.8, EPSS 0.00

    DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or…

  • CVE-2026-49942 (High, Jun 4, 2026)
    risk 0.40, CVSS 7.3, EPSS 0.00

    Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. …

  • CVE-2026-42462 (High, Jun 10, 2026)
    risk 0.39, CVSS 7.0, EPSS 0.00

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it…

  • CVE-2026-39972 (High, Apr 9, 2026)
    risk 0.39, CVSS not listed, EPSS 0.00

    Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates…

  • CVE-2026-41213 (Medium, Apr 23, 2026)
    risk 0.38, CVSS 5.9, EPSS 0.00

    @node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts…

  • CVE-2026-49940 (Medium, Jun 4, 2026)
    risk 0.35, CVSS 6.5, EPSS 0.00

    Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.

  • CVE-2026-48710 (Medium, May 26, 2026)
    risk 0.35, CVSS 6.5, EPSS 0.01

    Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host`…

  • CVE-2026-45191 (Medium, May 10, 2026)
    risk 0.35, CVSS 6.5, EPSS 0.00

    Net::CIDR::Lite versions before 0.24 for Perl do not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass. Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value. See also CVE-2026-45190.

  • CVE-2026-45190 (Medium, May 10, 2026)
    risk 0.35, CVSS 6.5, EPSS 0.00

    Net::CIDR::Lite versions before 0.24 for Perl do not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different…

  • CVE-2026-22569 (Medium, Mar 31, 2026)
    risk 0.35, CVSS 5.4, EPSS 0.00

    An incorrect startup configuration of affected versions of Zscaler Client Connector on Windows may prevent a limited amount of traffic from being inspected under rare circumstances.

  • CVE-2026-34080 (Medium, Apr 7, 2026)
    risk 0.29, CVSS 5.5, EPSS 0.00

    xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and…

  • CVE-2026-47674 (Medium, May 28, 2026)
    risk 0.27, CVSS 5.3, EPSS 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization.…

  • CVE-2026-27610 (severity not listed, Feb 25, 2026)
    risk 0.00, CVSS not listed, EPSS 0.00

    Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing…

  • CVE-2024-12224 (severity not listed, May 30, 2025)
    risk 0.00, CVSS not listed, EPSS 0.00

    Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

  • CVE-2024-8372 (severity not listed, Sep 9, 2024)
    risk 0.00, CVSS not listed, EPSS 0.01

    Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing). This issue affects AngularJS…