CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (8,003)
page 113 of 401| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-8605 | Med | 0.48 | 6.5 | 0.76 | Jan 14, 2016 | ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet. | ||
| CVE-2015-8607 | Hig | 0.48 | 7.3 | 0.03 | Jan 13, 2016 | The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string. | ||
| CVE-2015-8466 | Hig | 0.48 | 7.4 | 0.02 | Jan 13, 2016 | Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header. | ||
| CVE-2015-8331 | Hig | 0.48 | 7.4 | 0.01 | Jan 11, 2016 | The Operation and Maintenance Unit (OMU) in Huawei VCN500 with software before V100R002C00SPC200 does not properly invalidate the session ID when an "abnormal exit" occurs, which allows remote attackers to conduct replay attacks via the session ID. | ||
| CVE-2015-6934 | Hig | 0.48 | 7.3 | 0.05 | Dec 21, 2015 | Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x allow remote attackers to execute arbitrary commands via a crafted serialized Java… | ||
| CVE-2012-5817 | Hig | 0.48 | 7.4 | 0.01 | Nov 4, 2012 | Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows… | ||
| CVE-2026-11460 | Hig | 0.47 | 7.3 | 0.00 | Jun 7, 2026 | A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. This manipulation causes improper validation of specified type of input. It is possible to initiate the attack remotely. The exploit has been published and may be used. The… | ||
| CVE-2026-11035 | Hig | 0.47 | 7.3 | 0.00 | Jun 4, 2026 | Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. (Chromium security severity: Medium) | ||
| CVE-2026-5509 | Hig | 0.47 | 7.2 | 0.02 | May 27, 2026 | An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can… | ||
| CVE-2026-8759 | Hig | 0.47 | 7.3 | 0.00 | May 17, 2026 | A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper… | ||
| CVE-2026-8751 | Hig | 0.47 | 7.3 | 0.00 | May 17, 2026 | A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried… | ||
| CVE-2026-35433 | Hig | 0.47 | 7.3 | 0.01 | May 12, 2026 | Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally. | ||
| CVE-2026-32177 | — | Hig | 0.47 | 7.3 | 0.01 | May 12, 2026 | Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally. | |
| CVE-2026-40871 | Hig | 0.47 | 7.2 | 0.10 | Apr 21, 2026 | mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without… | ||
| CVE-2026-24505 | Hig | 0.47 | 7.2 | 0.00 | Apr 20, 2026 | Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | ||
| CVE-2026-24504 | Hig | 0.47 | 7.2 | 0.00 | Apr 20, 2026 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially… | ||
| CVE-2026-21733 | Hig | 0.47 | 7.3 | 0.00 | Apr 17, 2026 | Vulnerability in Imagination Technologies Graphics DDK on Linux, Android -- RESERVED | ||
| CVE-2026-6328 | Hig | 0.47 | — | 0.00 | Apr 15, 2026 | Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through… | ||
| CVE-2026-32149 | Hig | 0.47 | 7.3 | 0.00 | Apr 14, 2026 | Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally. | ||
| CVE-2026-5536 | Hig | 0.47 | 7.3 | 0.00 | Apr 5, 2026 | A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted… |
- risk 0.48cvss 6.5epss 0.76
ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet.
- risk 0.48cvss 7.3epss 0.03
The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
- risk 0.48cvss 7.4epss 0.02
Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header.
- risk 0.48cvss 7.4epss 0.01
The Operation and Maintenance Unit (OMU) in Huawei VCN500 with software before V100R002C00SPC200 does not properly invalidate the session ID when an "abnormal exit" occurs, which allows remote attackers to conduct replay attacks via the session ID.
- risk 0.48cvss 7.3epss 0.05
Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x allow remote attackers to execute arbitrary commands via a crafted serialized Java…
- risk 0.48cvss 7.4epss 0.01
Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows…
- risk 0.47cvss 7.3epss 0.00
A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. This manipulation causes improper validation of specified type of input. It is possible to initiate the attack remotely. The exploit has been published and may be used. The…
- risk 0.47cvss 7.3epss 0.00
Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. (Chromium security severity: Medium)
- risk 0.47cvss 7.2epss 0.02
An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper…
- risk 0.47cvss 7.3epss 0.00
A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried…
- risk 0.47cvss 7.3epss 0.01
Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.
- risk 0.47cvss 7.3epss 0.01
Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.
- risk 0.47cvss 7.2epss 0.10
mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without…
- risk 0.47cvss 7.2epss 0.00
Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
- risk 0.47cvss 7.2epss 0.00
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially…
- risk 0.47cvss 7.3epss 0.00
Vulnerability in Imagination Technologies Graphics DDK on Linux, Android -- RESERVED
- risk 0.47cvss —epss 0.00
Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through…
- risk 0.47cvss 7.3epss 0.00
Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally.
- risk 0.47cvss 7.3epss 0.00
A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted…