VYPR

CWE-183

Permissive List of Allowed Inputs

BaseDraft

Description

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-120 · CAPEC-3 · CAPEC-43 · CAPEC-71

CVEs mapped to this weakness (29)

page 2 of 2
  • CVE-2026-3490 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.01

    picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call…

  • CVE-2026-46341 · May 19, 2026
    risk 0.00 · cvss · epss 0.00

    The `fetch-apify-docs` tool validates URLs against a domain allowlist using `String.startsWith()` instead of proper URL hostname comparison. This allows bypass via attacker-controlled subdomains (e.g., `https://docs.apify.com.evil.com/`), enabling the tool to fetch…

  • CVE-2026-33769 · Mar 24, 2026
    risk 0.00 · cvss · epss 0.00

    Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a…

  • CVE-2026-32881 · Mar 20, 2026
    risk 0.00 · cvss · epss 0.00

    ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the…

  • CVE-2025-68949 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.00

    n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely…

  • CVE-2020-1694 · Sep 16, 2020
    risk 0.00 · cvss · epss 0.02

    A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.

  • CVE-2019-10458 · Oct 16, 2019
    risk 0.00 · cvss · epss 0.02

    Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

  • CVE-2019-10417 · Sep 25, 2019
    risk 0.00 · cvss · epss 0.01

    Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

  • CVE-2019-10328 · May 31, 2019
    risk 0.00 · cvss · epss 0.02

    Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.