CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (8,003)
page 34 of 401| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-22559 | Hig | 0.57 | 8.8 | 0.00 | Mar 24, 2026 | An Improper Input Validation vulnerability in UniFi Network Server may allow unauthorized access to an account if the account owner is socially engineered into clicking a malicious link. Affected Products: UniFi Network Server (Version 10.1.85 and earlier) … | ||
| CVE-2026-3288 | Hig | 0.57 | 8.8 | 0.07 | Mar 9, 2026 | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of… | ||
| CVE-2026-26063 | — | Hig | 0.57 | — | 0.00 | Feb 19, 2026 | CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed in version 1.2.3. If upgrading is not immediately possible, restrict API access… | |
| CVE-2025-15566 | Hig | 0.57 | 8.8 | 0.00 | Feb 6, 2026 | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and… | ||
| CVE-2026-24512 | Hig | 0.57 | 8.8 | 0.01 | Feb 3, 2026 | A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the… | ||
| CVE-2026-1580 | Hig | 0.57 | 8.8 | 0.00 | Feb 3, 2026 | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of… | ||
| CVE-2025-0658 | Hig | 0.57 | — | 0.00 | Nov 27, 2025 | A vulnerability in Automated Logic and Carrier's Zone Controller via BACnet protocol causes the device to crash. The device enters a fault state; after a reset, a second packet can leave it permanently unresponsive until a manual power cycle is performed. | ||
| CVE-2025-13319 | Hig | 0.57 | 8.8 | 0.00 | Nov 17, 2025 | An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack. | ||
| CVE-2025-9066 | Hig | 0.57 | — | 0.00 | Oct 14, 2025 | A security issue was discovered within FactoryTalk® ViewPoint, allowing unauthenticated attackers to achieve XXE. Certain SOAP requests can be abused to perform XXE, resulting in a temporary denial-of-service. | ||
| CVE-2025-59823 | Cri | 0.57 | 9.9 | 0.00 | Sep 25, 2025 | Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version… | ||
| CVE-2025-24325 | Hig | 0.57 | 8.8 | 0.00 | Aug 12, 2025 | Improper input validation in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||
| CVE-2025-34129 | Hig | 0.57 | — | 0.01 | Jul 16, 2025 | A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 due to insufficient sanitization of the FTP and NTP Server fields in the service configuration. An attacker with access to the configuration interface… | ||
| CVE-2025-34047 | Hig | 0.57 | — | 0.00 | Jun 26, 2025 | A path traversal vulnerability exists in the Leadsec SSL VPN (formerly Lenovo NetGuard), allowing unauthenticated attackers to read arbitrary files on the underlying system via the ostype parameter in the /vpn/user/download/client endpoint. This flaw arises from insufficient… | ||
| CVE-2025-0051 | Hig | 0.57 | — | 0.00 | Jun 10, 2025 | Improper input validation performed during the authentication process of FlashArray could lead to a system Denial of Service. | ||
| CVE-2024-51392 | Hig | 0.57 | 8.8 | 0.00 | May 29, 2025 | An issue in OpenKnowledgeMaps Headstart v7 allows a remote attacker to escalate privileges via the url parameter of the getPDF.php component | ||
| CVE-2024-25010 | Hig | 0.57 | 8.8 | 0.00 | May 22, 2025 | Ericsson RAN Compute and Site Controller 6610 contains in certain configurations a high severity vulnerability where improper input validation could be exploited leading to arbitrary code execution. | ||
| CVE-2025-47282 | Cri | 0.57 | 9.9 | 0.01 | May 19, 2025 | Gardener External DNS Management is an environment to manage external DNS entries for a kubernetes cluster. A security vulnerability was discovered in Gardener's External DNS Management prior to version 0.23.6 that could allow a user with administrative privileges for a Gardener… | ||
| CVE-2024-12215 | Hig | 0.57 | 8.8 | 0.01 | Mar 20, 2025 | In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to… | ||
| CVE-2024-26290 | Hig | 0.57 | — | 0.00 | Mar 12, 2025 | Improper Input Validation vulnerability in Avid Avid NEXIS E-series on Linux, Avid Avid NEXIS F-series on Linux, Avid Avid NEXIS PRO+ on Linux, Avid System Director Appliance (SDA+) on Linux allows code execution on underlying operating system with root permissions.This issue… | ||
| CVE-2025-22137 | Cri | 0.57 | 9.8 | 0.01 | Jan 8, 2025 | Pingvin Share is a self-hosted file sharing platform and an alternative for WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP… |
- risk 0.57cvss 8.8epss 0.00
An Improper Input Validation vulnerability in UniFi Network Server may allow unauthorized access to an account if the account owner is socially engineered into clicking a malicious link. Affected Products: UniFi Network Server (Version 10.1.85 and earlier) …
- risk 0.57cvss 8.8epss 0.07
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of…
- risk 0.57cvss —epss 0.00
CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed in version 1.2.3. If upgrading is not immediately possible, restrict API access…
- risk 0.57cvss 8.8epss 0.00
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and…
- risk 0.57cvss 8.8epss 0.01
A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the…
- risk 0.57cvss 8.8epss 0.00
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of…
- risk 0.57cvss —epss 0.00
A vulnerability in Automated Logic and Carrier's Zone Controller via BACnet protocol causes the device to crash. The device enters a fault state; after a reset, a second packet can leave it permanently unresponsive until a manual power cycle is performed.
- risk 0.57cvss 8.8epss 0.00
An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack.
- risk 0.57cvss —epss 0.00
A security issue was discovered within FactoryTalk® ViewPoint, allowing unauthenticated attackers to achieve XXE. Certain SOAP requests can be abused to perform XXE, resulting in a temporary denial-of-service.
- risk 0.57cvss 9.9epss 0.00
Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version…
- risk 0.57cvss 8.8epss 0.00
Improper input validation in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable escalation of privilege via local access.
- risk 0.57cvss —epss 0.01
A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 due to insufficient sanitization of the FTP and NTP Server fields in the service configuration. An attacker with access to the configuration interface…
- risk 0.57cvss —epss 0.00
A path traversal vulnerability exists in the Leadsec SSL VPN (formerly Lenovo NetGuard), allowing unauthenticated attackers to read arbitrary files on the underlying system via the ostype parameter in the /vpn/user/download/client endpoint. This flaw arises from insufficient…
- risk 0.57cvss —epss 0.00
Improper input validation performed during the authentication process of FlashArray could lead to a system Denial of Service.
- risk 0.57cvss 8.8epss 0.00
An issue in OpenKnowledgeMaps Headstart v7 allows a remote attacker to escalate privileges via the url parameter of the getPDF.php component
- risk 0.57cvss 8.8epss 0.00
Ericsson RAN Compute and Site Controller 6610 contains in certain configurations a high severity vulnerability where improper input validation could be exploited leading to arbitrary code execution.
- risk 0.57cvss 9.9epss 0.01
Gardener External DNS Management is an environment to manage external DNS entries for a kubernetes cluster. A security vulnerability was discovered in Gardener's External DNS Management prior to version 0.23.6 that could allow a user with administrative privileges for a Gardener…
- risk 0.57cvss 8.8epss 0.01
In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to…
- risk 0.57cvss —epss 0.00
Improper Input Validation vulnerability in Avid Avid NEXIS E-series on Linux, Avid Avid NEXIS F-series on Linux, Avid Avid NEXIS PRO+ on Linux, Avid System Director Appliance (SDA+) on Linux allows code execution on underlying operating system with root permissions.This issue…
- risk 0.57cvss 9.8epss 0.01
Pingvin Share is a self-hosted file sharing platform and an alternative for WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP…