VYPR

CWE-187

Partial String Comparison

VariantIncomplete

Description

The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (8)

  • CVE-2024-41110CriJul 24, 2024
    risk 0.59cvss 9.9epss 0.17

    Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base…

  • CVE-2026-35031CriApr 14, 2026
    risk 0.57cvss 9.9epss 0.01

    Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling…

  • CVE-2026-34785HigApr 2, 2026
    risk 0.42cvss 7.5epss 0.00

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path…

  • CVE-2026-44837MedMay 26, 2026
    risk 0.31cvss 5.9epss 0.00

    view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the…

  • CVE-2025-23384LowMar 11, 2025
    risk 0.24cvss 3.7epss 0.00

    A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2.1), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2.1), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8.2.1), SCALANCE M812-1 ADSL-Router…

  • CVE-2026-55602Jun 18, 2026
    risk 0.00cvss epss 0.00

    # Summary `http-proxy-middleware` documents `router` proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted `Host` header that is only a…

  • CVE-2026-45692May 19, 2026
    risk 0.00cvss epss 0.00

    This report is not about a normal textual prefix-expansion case. The issue here is that the authorization layer and the `/config` traversal layer do **not agree on what object the path refers to**. In this case, a path authorized for one config object is accepted, but then…

  • CVE-2025-57808Sep 2, 2025
    risk 0.00cvss epss 0.02

    ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a…