VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 117 of 401
  • CVE-2026-22598HigJan 21, 2026
    risk 0.46cvss epss 0.00

    ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One…

  • CVE-2025-11676HigNov 20, 2025
    risk 0.46cvss epss 0.00

    Improper input validation vulnerability in TP-Link System Inc. TL-WR940N V6 (UPnP modules), which allows unauthenticated adjacent attackers to perform DoS attack. This issue affects TL-WR940N V6 <= Build 220801.

  • CVE-2025-61084HigNov 5, 2025
    risk 0.46cvss 7.1epss 0.00

    MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets (<>) in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation,…

  • CVE-2025-59250HigOct 14, 2025
    risk 0.46cvss 8.1epss 0.01

    Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2025-34226HigOct 3, 2025
    risk 0.46cvss epss 0.01

    OpenPLC Runtime v3 contains an input validation flaw in the /upload-program-action endpoint: the epoch_time field supplied during program uploads is not validated and can be crafted to induce corruption of the programs database. After a successful malformed upload the runtime…

  • CVE-2025-7674HigAug 5, 2025
    risk 0.46cvss epss 0.00

    Improper Input Validation vulnerability in Roche Diagnostics navify Monitoring allows an attacker to manipulate input data, which may lead to a denial of service (DoS) due to negatively impacting the server's performance. This vulnerability has no impact on data confidentiality…

  • CVE-2025-40846HigMay 8, 2025
    risk 0.46cvss epss 0.00

    Improper Input Validation, the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and inject JavaScript code to perform cross site scripting attack. The vulnerability…

  • CVE-2025-31132HigApr 1, 2025
    risk 0.46cvss 8.1epss 0.01

    Raven is an open-source messaging platform. A vulnerability allowed any logged in user to execute code via an API endpoint. This vulnerability is fixed in 2.1.10.

  • CVE-2024-12216HigMar 20, 2025
    risk 0.46cvss 7.1epss 0.00

    A vulnerability in the `ImageClassificationDataset.from_csv()` API of the `dmlc/gluon-cv` repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts `tar.gz` files from URLs without proper sanitization, making it susceptible to a TarSlip…

  • CVE-2025-1022HigFeb 5, 2025
    risk 0.46cvss 8.2epss 0.00

    Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing…

  • CVE-2020-12487HigDec 17, 2024
    risk 0.46cvss 7.0epss 0.00

    Due to the flaws in the verification of input parameters, the attacker can input carefully constructed commands to make the ABE service execute some commands with root privilege.

  • CVE-2024-9875HigNov 21, 2024
    risk 0.46cvss 7.1epss 0.00

    Okta Privileged Access server agent (SFTD) versions 1.82.0 to 1.84.0 are affected by a privilege escalation vulnerability when the sudo command bundles feature is enabled. To remediate this vulnerability, upgrade the Okta Privileged Access server agent (SFTD) to version 1.87.1…

  • CVE-2024-50340HigNov 6, 2024
    risk 0.46cvss 7.3epss 0.63

    symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the…

  • CVE-2024-48918HigOct 16, 2024
    risk 0.46cvss epss 0.00

    RDS Light is a simplified version of the Reflective Dialogue System (RDS), a self-reflecting AI framework. Versions prior to 1.1.0 contain a vulnerability that involves a lack of input validation within the RDS AI framework, specifically within the user input handling code in…

  • CVE-2024-30188HigAug 12, 2024
    risk 0.46cvss 8.1epss 0.06

    File read and write vulnerability in Apache DolphinScheduler ,  authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler: from 3.1.0 before 3.2.2. Users are recommended to upgrade to version 3.2.2, which fixes the issue.

  • CVE-2024-40642HigJul 18, 2024
    risk 0.46cvss 8.1epss 0.01

    The netty incubator codec.bhttp is a java language binary http parser. In affected versions the `BinaryHttpParser` class does not properly validate input values thus giving attackers almost complete control over the HTTP requests constructed from the parsed output. Attackers can…

  • CVE-2024-22271HigJul 9, 2024
    risk 0.46cvss 8.2epss 0.00

    In Spring Cloud Function framework, versions 4.1.x prior to 4.1.2, 4.0.x prior to 4.0.8 an application is vulnerable to a DOS attack when attempting to compose functions with non-existing functions. Specifically, an application is vulnerable when all of the following are true: …

  • CVE-2024-4888HigJun 6, 2024
    risk 0.46cvss 8.1epss 0.01

    BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this vulnerability by sending a specially crafted request that includes a file path to the server,…

  • CVE-2024-25743HigMay 15, 2024
    risk 0.46cvss 7.1epss 0.00

    In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.

  • CVE-2024-27918HigMar 21, 2024
    risk 0.46cvss 8.2epss 0.01

    Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account…