CWE-183
Permissive List of Allowed Inputs
Description
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-120 · CAPEC-3 · CAPEC-43 · CAPEC-71
CVEs mapped to this weakness (29)
Page 2 of 2

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-3490 | 0.00 | — | 0.01 | Jun 17, 2026 | picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call… |
| CVE-2026-46341 | 0.00 | — | 0.00 | May 19, 2026 | The `fetch-apify-docs` tool validates URLs against a domain allowlist using `String.startsWith()` instead of proper URL hostname comparison. This allows bypass via attacker-controlled subdomains (e.g., `https://docs.apify.com.evil.com/`), enabling the tool to fetch… |
| CVE-2026-33769 | 0.00 | — | 0.00 | Mar 24, 2026 | Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a… |
| CVE-2026-32881 | 0.00 | — | 0.00 | Mar 20, 2026 | ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the… |
| CVE-2025-68949 | 0.00 | — | 0.00 | Jan 13, 2026 | n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node's IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely… |
| CVE-2020-1694 | 0.00 | — | 0.02 | Sep 16, 2020 | A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions. |
| CVE-2019-10458 | 0.00 | — | 0.02 | Oct 16, 2019 | Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code. |
| CVE-2019-10417 | 0.00 | — | 0.01 | Sep 25, 2019 | Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. |
| CVE-2019-10328 | 0.00 | — | 0.02 | May 31, 2019 | Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. |