VYPR

CWE-183

Permissive List of Allowed Inputs

Abstraction: Base · Status: Draft

Description

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-120 · CAPEC-3 · CAPEC-43 · CAPEC-71

CVEs mapped to this weakness (29)

page 1 of 2
  • CVE-2026-46391 · High · Jun 5, 2026
    risk 0.57 · cvss (not given) · epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker…

  • CVE-2026-29514 · High · May 4, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python…

  • CVE-2026-33979 · High · Mar 27, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive…

  • CVE-2025-24349 · High · Apr 30, 2025
    risk 0.46 · cvss 7.1 · epss 0.00

    A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to delete the configuration of physical network interfaces via a crafted HTTP request.

  • CVE-2025-52903 · High · Jun 26, 2025
    risk 0.45 · cvss 8.0 · epss 0.01

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions on the 2.x branch prior to 2.33.10, the Command Execution feature of File Browser only allows the execution of shell…

  • CVE-2026-41387 · High · Apr 28, 2026
    risk 0.44 · cvss 7.8 · epss 0.00

    OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package…

  • CVE-2026-21915 · Medium · Apr 9, 2026
    risk 0.44 · cvss 6.7 · epss 0.02

    A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root. The CLI menu accepts input without carefully validating it,…

  • CVE-2026-2303 · Medium · Feb 10, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI…

  • CVE-2026-2302 · Medium · Feb 10, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.

  • CVE-2026-42043 · High · Apr 24, 2026
    risk 0.40 · cvss 7.2 · epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This…

  • CVE-2026-46608 · High · Jun 22, 2026
    risk 0.38 · cvss (not given) · epss 0.00

    Summary: The Glances XML-RPC server (`glances -s`) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE 2026-33533. However, the implementation silently falls back to `Access-Control-Allow-Origin: *` whenever `cors_origins` contains more than…

  • CVE-2026-43574 · Medium · May 5, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this…

  • CVE-2026-40899 · Medium · Apr 16, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter…

  • CVE-2026-35649 · Medium · Apr 10, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing…

  • CVE-2026-4509 · Medium · Mar 21, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    A security flaw has been discovered in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black results in incomplete blacklist. The attack may be launched remotely. The…

  • CVE-2026-41240 · Medium · Apr 23, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The…

  • CVE-2026-42042 · Medium · Apr 24, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is…

  • CVE-2026-44111 · Medium · May 6, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with access to the memory tool can bypass path restrictions by providing arbitrary…

  • CVE-2026-11525 · Low · Jun 17, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-54316 · Jun 17, 2026
    risk 0.00 · cvss (not given) · epss 0.00

    Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker…