VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 57 of 401
  • CVE-2026-33826HigApr 14, 2026
    risk 0.52cvss 8.0epss 0.01

    Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.

  • CVE-2026-34178CriApr 9, 2026
    risk 0.52cvss 9.1epss 0.00

    In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project…

  • CVE-2026-34950CriApr 6, 2026
    risk 0.52cvss 9.1epss 0.00

    fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that…

  • CVE-2026-2880CriFeb 27, 2026
    risk 0.52cvss 9.1epss 0.00

    A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes,…

  • CVE-2026-0878HigJan 13, 2026
    risk 0.52cvss 8.0epss 0.00

    Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

  • CVE-2025-62725HigOct 27, 2025
    risk 0.52cvss epss 0.14

    Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker‑supplied value from com.docker.compose.file/com.docker.compose.envfile…

  • CVE-2025-6547CriJun 23, 2025
    risk 0.52cvss epss 0.00

    Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.

  • CVE-2025-6545CriJun 23, 2025
    risk 0.52cvss epss 0.00

    Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.

  • CVE-2024-11042CriMar 20, 2025
    risk 0.52cvss 9.1epss 0.01

    In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH…

  • CVE-2024-3829CriJun 3, 2024
    risk 0.52cvss 9.1epss 0.01

    qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a…

  • CVE-2024-25290HigMay 2, 2024
    risk 0.52cvss 8.0epss 0.01

    An issue in Casa Systems NL1901ACV R6B032 allows a remote attacker to execute arbitrary code via the userName parameter of the add function.

  • CVE-2024-29027CriMar 19, 2024
    risk 0.52cvss 9.0epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal…

  • CVE-2022-46365CriMay 1, 2023
    risk 0.52cvss 9.1epss 0.01

    Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow…

  • CVE-2022-35924CriAug 2, 2022
    risk 0.52cvss 9.1epss 0.01

    NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of…

  • CVE-2022-1053CriMay 6, 2022
    risk 0.52cvss 9.1epss 0.01

    Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and…

  • CVE-2021-41945CriApr 28, 2022
    risk 0.52cvss 9.1epss 0.02

    Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.

  • CVE-2021-30492criApr 29, 2021
    risk 0.52cvss epss 0.00

    ### Impact Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF). ### Resolution Validate the provided Zendesk subdomain to be a valid subdomain in: * getAuthUrl * getAccessToken

  • CVE-2020-15206CriSep 25, 2020
    risk 0.52cvss 9.0epss 0.01

    In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow's `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products…

  • CVE-2019-17426CriOct 10, 2019
    risk 0.52cvss 9.1epss 0.02

    Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's…

  • CVE-2018-8265HigOct 10, 2018
    risk 0.52cvss 7.8epss 0.20

    A remote code execution vulnerability exists in the way Microsoft Exchange software parses specially crafted email messages, aka "Microsoft Exchange Remote Code Execution Vulnerability." This affects Microsoft Exchange Server.