CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (8,003)
page 131 of 401| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-59537 | Hig | 0.42 | 7.5 | 0.01 | Oct 1, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to… | ||
| CVE-2025-57810 | Hig | 0.42 | 7.5 | 0.01 | Aug 26, 2025 | jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can… | ||
| CVE-2025-7507 | Med | 0.42 | 6.4 | 0.00 | Aug 15, 2025 | The elink – Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers,… | ||
| CVE-2025-25005 | Med | 0.42 | 6.5 | 0.01 | Aug 12, 2025 | Improper input validation in Microsoft Exchange Server allows an authorized attacker to perform tampering over a network. | ||
| CVE-2025-54365 | Hig | 0.42 | 7.5 | 0.01 | Jul 23, 2025 | fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch… | ||
| CVE-2025-53502 | Med | 0.42 | 6.5 | 0.00 | Jul 3, 2025 | Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X. | ||
| CVE-2023-28911 | Med | 0.42 | 6.5 | 0.00 | Jun 28, 2025 | A specific flaw exists within the Bluetooth stack of the MIB3 infotainment. The issue results from the lack of proper validation of user-supplied data, which can result in an arbitrary channel disconnection. An attacker can leverage this vulnerability to cause a… | ||
| CVE-2025-52894 | Hig | 0.42 | 7.5 | 0.00 | Jun 25, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations,… | ||
| CVE-2025-3898 | — | Med | 0.42 | 6.5 | 0.00 | Jun 10, 2025 | CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends HTTPS request containing invalid data type to the webserver. | |
| CVE-2025-3116 | Med | 0.42 | 6.5 | 0.00 | Jun 10, 2025 | CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends special malformed HTTPS request containing improper formatted body data to the controller. | ||
| CVE-2025-20031 | Med | 0.42 | 6.5 | 0.00 | May 13, 2025 | Improper input validation for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access. | ||
| CVE-2025-40556 | Med | 0.42 | 6.5 | 0.00 | May 13, 2025 | A vulnerability has been identified in BACnet ATEC 550-440 (All versions), BACnet ATEC 550-441 (All versions), BACnet ATEC 550-445 (All versions), BACnet ATEC 550-446 (All versions). Affected devices improperly handle specific incoming BACnet MSTP messages. This could allow an… | ||
| CVE-2025-24510 | Med | 0.42 | 6.5 | 0.00 | May 13, 2025 | A vulnerability has been identified in MS/TP Point Pickup Module (All versions). Affected devices improperly handle specific incoming BACnet MSTP messages. This could allow an attacker residing in the same BACnet network to send a specially crafted MSTP message that results in a… | ||
| CVE-2025-31217 | Med | 0.42 | 6.5 | 0.01 | May 12, 2025 | The issue was addressed with improved input validation. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to an unexpected Safari crash. | ||
| CVE-2025-31215 | Med | 0.42 | 6.5 | 0.01 | May 12, 2025 | The issue was addressed with improved checks. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to an unexpected process crash. | ||
| CVE-2025-29448 | — | Hig | 0.42 | 7.5 | 0.00 | May 7, 2025 | Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability. | |
| CVE-2025-32079 | Med | 0.42 | 6.5 | 0.00 | Apr 11, 2025 | Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS.This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43. | ||
| CVE-2025-30151 | Hig | 0.42 | 7.5 | 0.00 | Apr 8, 2025 | Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also… | ||
| CVE-2025-1767 | Med | 0.42 | 6.5 | 0.01 | Mar 13, 2025 | This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using… | ||
| CVE-2025-0816 | Med | 0.42 | 6.5 | 0.00 | Feb 13, 2025 | CWE-20: Improper Input Validation vulnerability exists that could cause Denial-of-Service of the product when malicious IPV6 packets are sent to the device. |
- risk 0.42cvss 7.5epss 0.01
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to…
- risk 0.42cvss 7.5epss 0.01
jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can…
- risk 0.42cvss 6.4epss 0.00
The elink – Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers,…
- risk 0.42cvss 6.5epss 0.01
Improper input validation in Microsoft Exchange Server allows an authorized attacker to perform tampering over a network.
- risk 0.42cvss 7.5epss 0.01
fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch…
- risk 0.42cvss 6.5epss 0.00
Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X.
- risk 0.42cvss 6.5epss 0.00
A specific flaw exists within the Bluetooth stack of the MIB3 infotainment. The issue results from the lack of proper validation of user-supplied data, which can result in an arbitrary channel disconnection. An attacker can leverage this vulnerability to cause a…
- risk 0.42cvss 7.5epss 0.00
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations,…
- risk 0.42cvss 6.5epss 0.00
CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends HTTPS request containing invalid data type to the webserver.
- risk 0.42cvss 6.5epss 0.00
CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends special malformed HTTPS request containing improper formatted body data to the controller.
- risk 0.42cvss 6.5epss 0.00
Improper input validation for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access.
- risk 0.42cvss 6.5epss 0.00
A vulnerability has been identified in BACnet ATEC 550-440 (All versions), BACnet ATEC 550-441 (All versions), BACnet ATEC 550-445 (All versions), BACnet ATEC 550-446 (All versions). Affected devices improperly handle specific incoming BACnet MSTP messages. This could allow an…
- risk 0.42cvss 6.5epss 0.00
A vulnerability has been identified in MS/TP Point Pickup Module (All versions). Affected devices improperly handle specific incoming BACnet MSTP messages. This could allow an attacker residing in the same BACnet network to send a specially crafted MSTP message that results in a…
- risk 0.42cvss 6.5epss 0.01
The issue was addressed with improved input validation. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
- risk 0.42cvss 6.5epss 0.01
The issue was addressed with improved checks. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to an unexpected process crash.
- risk 0.42cvss 7.5epss 0.00
Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability.
- risk 0.42cvss 6.5epss 0.00
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS.This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43.
- risk 0.42cvss 7.5epss 0.00
Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also…
- risk 0.42cvss 6.5epss 0.01
This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using…
- risk 0.42cvss 6.5epss 0.00
CWE-20: Improper Input Validation vulnerability exists that could cause Denial-of-Service of the product when malicious IPV6 packets are sent to the device.