VYPR

CWE-184

Incomplete List of Disallowed Inputs

BaseDraft

Description

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-120 · CAPEC-15 · CAPEC-182 · CAPEC-3 · CAPEC-43 · CAPEC-6 · CAPEC-71 · CAPEC-73 · CAPEC-85

CVEs mapped to this weakness (119)

  • CVE-2025-67748 · Dec 16, 2025
    risk 0.00 · cvss · epss 0.00

    Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in…

  • CVE-2025-67747 · Dec 16, 2025
    risk 0.00 · cvss · epss 0.00

    Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle…

  • CVE-2025-67716 · Dec 11, 2025
    risk 0.00 · cvss · epss 0.00

    The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0…

  • CVE-2025-61924 · Oct 16, 2025
    risk 0.00 · cvss · epss 0.00

    PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the backoffice due to wrong usage of the PHP array_search(). The vulnerability is fixed in versions 4.4.1…

  • CVE-2025-46417 · Apr 24, 2025
    risk 0.00 · cvss · epss 0.00

    The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.

  • CVE-2025-1716 · Feb 26, 2025
    risk 0.00 · cvss · epss 0.01

    picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model,…

  • CVE-2024-54149 · Dec 9, 2024
    risk 0.00 · cvss · epss 0.00

    Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and…

  • CVE-2024-52595 · Nov 19, 2024
    risk 0.00 · cvss · epss 0.00

    lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as ``, `` and ``. This behavior deviates from…

  • CVE-2024-51745 · Nov 5, 2024
    risk 0.00 · cvss · epss 0.01

    Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use…

  • CVE-2024-32152 · Jul 22, 2024
    risk 0.00 · cvss · epss 0.11

    A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability.

  • CVE-2024-28246 · Mar 25, 2024
    risk 0.00 · cvss · epss 0.00

    KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's `trust` option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In…

  • CVE-2023-45133 · Oct 12, 2023
    risk 0.00 · cvss · epss 0.01

    Babel is a compiler for writing JavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when…

  • CVE-2023-40037 · Aug 18, 2023
    risk 0.00 · cvss · epss 0.02

    Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL…

  • CVE-2023-29003 · Apr 4, 2023
    risk 0.00 · cvss · epss 0.01

    SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request…

  • CVE-2022-43396 · Dec 30, 2022
    risk 0.00 · cvss · epss 0.57

    In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

  • CVE-2022-23536 · Dec 19, 2022
    risk 0.00 · cvss · epss 0.01

    Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager…

  • CVE-2021-21697 · Nov 4, 2021
    risk 0.00 · cvss · epss 0.02

    Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.

  • CVE-2021-25737 · Sep 6, 2021
    risk 0.00 · cvss · epss 0.01

    A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

  • CVE-2019-9212 · Feb 27, 2019
    risk 0.00 · cvss · epss 0.03

    SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor…