VYPR

CWE-180

Incorrect Behavior Order: Validate Before Canonicalize

Variant · Draft

Description

The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-267 · CAPEC-3 · CAPEC-71 · CAPEC-78 · CAPEC-79 · CAPEC-80

CVEs mapped to this weakness (12)

  • CVE-2026-44180 · Critical · Jun 3, 2026
    risk 0.52 · CVSS n/a · EPSS 0.00

    Jupyter Enterprise Gateway has a prohibited UID and GID feature that by default prevents launching kernels with UID or GID 0 (root). This can be bypassed. It is possible to launch kernels with a prohibited UID and/or GID by using a specially crafted `KERNEL_UID` or…

  • CVE-2026-45022 · High · May 27, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded…

  • CVE-2026-39364 · High · Apr 7, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or…

  • CVE-2025-29787 · High · Mar 17, 2025
    risk 0.40 · CVSS n/a · EPSS 0.01

    `zip` is a zip library for Rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlier in the archive are allowed to be used…

  • CVE-2026-42462 · High · Jun 10, 2026
    risk 0.39 · CVSS 7.0 · EPSS 0.00

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it…

  • CVE-2025-43716 · Medium · Apr 23, 2025
    risk 0.38 · CVSS 5.8 · EPSS 0.01

    A directory traversal vulnerability exists in Ivanti LANDesk Management Gateway through 4.2-1.9. By appending %3F.php to the URI of the /client/index.php endpoint, an attacker can bypass access controls and gain unauthorized access to various endpoints such as…

  • CVE-2026-34475 · Medium · Mar 27, 2026
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.

  • CVE-2026-39409 · Medium · Apr 8, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js…

  • CVE-2026-34786 · Medium · Apr 2, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a…

  • CVE-2024-28607 · Low · Mar 11, 2025
    risk 0.19 · CVSS 2.9 · EPSS 0.00

    The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via a falsy isPrivate return value.

  • CVE-2026-32033 · Mar 19, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read…

  • CVE-2026-24895 · Feb 12, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies…