VYPR

CWE-155

Improper Neutralization of Wildcards or Matching Symbols

Abstraction: Variant, Status: Draft

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.

As data is parsed, an injected element may cause the process to take unexpected actions.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (9)

  • CVE-2025-11757 · High · Oct 21, 2025
    risk 0.57 · cvss n/a · epss 0.00

    The CloudEdge Cloud does not sanitize the MQTT topic input, which could allow an attacker to leverage the MQTT wildcard to receive all the messages that should be delivered to other users by subscribing to an MQTT topic. In these messages, the attacker can obtain the…

  • CVE-2024-6509 · Medium · Sep 10, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API alwaysmulti.cgi was vulnerable to file globbing, which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to…

  • CVE-2024-0054 · Medium · Mar 19, 2024
    risk 0.42 · cvss 6.5 · epss 0.01

    Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi were vulnerable to file globbing, which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the…

  • CVE-2025-0681 · Medium · Jan 30, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    The Cloud MQTT service of the affected products supports wildcard topic subscription which could allow an attacker to obtain sensitive information from tapping the service communications.

  • CVE-2025-24376 · Medium · Jan 30, 2025
    risk 0.35 · cvss 6.5 · epss 0.00

    kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided…

  • CVE-2026-49482 · Medium · Jun 12, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #141, ClipBucket v5 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user can send a % character as the number parameter to overwrite…

  • CVE-2025-27515 · Mar 5, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.

  • CVE-2022-21646 · Jan 11, 2022
    risk 0.00 · cvss n/a · epss 0.01

    SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as…

  • CVE-2019-3802 · Jun 3, 2019
    risk 0.00 · cvss n/a · epss 0.01

    This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a…