CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (8,003)
page 7 of 401| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-22563 | Cri | 0.64 | 9.8 | 0.01 | Apr 13, 2026 | A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) … | ||
| CVE-2026-33816 | Cri | 0.64 | 9.8 | 0.01 | Apr 7, 2026 | Memory-safety vulnerability in github.com/jackc/pgx/v5. | ||
| CVE-2026-20093 | Cri | 0.64 | 9.8 | 0.01 | Apr 1, 2026 | A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of… | ||
| CVE-2026-1668 | Cri | 0.64 | 9.8 | 0.01 | Mar 13, 2026 | The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bound memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution.An… | ||
| CVE-2026-2590 | Cri | 0.64 | 9.8 | 0.00 | Mar 3, 2026 | Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information… | ||
| CVE-2025-67484 | Cri | 0.64 | 9.8 | 0.00 | Feb 3, 2026 | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | ||
| CVE-2025-8769 | Cri | 0.64 | 9.8 | 0.01 | Dec 24, 2025 | Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server. | ||
| CVE-2025-68667 | Cri | 0.64 | — | 0.01 | Dec 23, 2025 | Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to… | ||
| CVE-2025-14156 | Cri | 0.64 | 9.8 | 0.06 | Dec 15, 2025 | The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the… | ||
| CVE-2025-43347 | Cri | 0.64 | 9.8 | 0.01 | Sep 15, 2025 | This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. An input validation issue was addressed. | ||
| CVE-2025-43342 | Cri | 0.64 | 9.8 | 0.01 | Sep 15, 2025 | A correctness issue was addressed with improved checks. This issue is fixed in Safari 26, iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. Processing maliciously crafted web content may lead to an unexpected process crash. | ||
| CVE-2011-10020 | Hig | 0.64 | — | 0.01 | Aug 20, 2025 | Kaillera Server version 0.86 is vulnerable to a denial-of-service condition triggered by sending a malformed UDP packet after the initial handshake. Once a client sends a valid HELLO0.83 packet and receives a response, any subsequent malformed packet causes the server to crash… | ||
| CVE-2025-27212 | Cri | 0.64 | 9.8 | 0.01 | Aug 4, 2025 | An Improper Input Validation in certain UniFi Access devices could allow a Command Injection by a malicious actor with access to UniFi Access management network. Affected Products: UniFi Access Reader Pro (Version 2.14.21 and earlier) UniFi Access G2 Reader Pro… | ||
| CVE-2011-10008 | Hig | 0.64 | — | 0.01 | Jul 31, 2025 | A stack-based buffer overflow vulnerability exists in MPlayer Lite r33064 due to improper bounds checking when handling M3U playlist files containing long http:// URL entries. An attacker can craft a malicious .m3u file with a specially formatted URL that triggers a stack… | ||
| CVE-2025-43234 | Cri | 0.64 | 9.8 | 0.01 | Jul 30, 2025 | Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing a maliciously crafted texture may lead to unexpected app termination. | ||
| CVE-2025-30452 | Cri | 0.64 | 9.8 | 0.01 | Mar 31, 2025 | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An input validation issue was addressed. | ||
| CVE-2025-24514 | Hig | 0.64 | 8.8 | 0.32 | Mar 25, 2025 | A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and… | ||
| CVE-2024-47857 | Cri | 0.64 | 9.8 | 0.00 | Jan 31, 2025 | SSH Communication Security PrivX versions between 18.0-36.0 implement insufficient validation on public key signatures when using native SSH connections via a proxy port. This allows an existing PrivX "account A" to impersonate another existing PrivX "account B" and gain access… | ||
| CVE-2024-11737 | — | Cri | 0.64 | 9.8 | 0.01 | Dec 11, 2024 | CWE-20: Improper Input Validation vulnerability exists that could lead to a denial of service and a loss of confidentiality, integrity of the controller when an unauthenticated crafted Modbus packet is sent to the device. | |
| CVE-2024-45798 | Cri | 0.64 | 9.9 | 0.01 | Sep 17, 2024 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow… |
- risk 0.64cvss 9.8epss 0.01
A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) …
- risk 0.64cvss 9.8epss 0.01
Memory-safety vulnerability in github.com/jackc/pgx/v5.
- risk 0.64cvss 9.8epss 0.01
A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of…
- risk 0.64cvss 9.8epss 0.01
The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bound memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution.An…
- risk 0.64cvss 9.8epss 0.00
Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information…
- risk 0.64cvss 9.8epss 0.00
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
- risk 0.64cvss 9.8epss 0.01
Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server.
- risk 0.64cvss —epss 0.01
Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to…
- risk 0.64cvss 9.8epss 0.06
The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the…
- risk 0.64cvss 9.8epss 0.01
This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. An input validation issue was addressed.
- risk 0.64cvss 9.8epss 0.01
A correctness issue was addressed with improved checks. This issue is fixed in Safari 26, iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. Processing maliciously crafted web content may lead to an unexpected process crash.
- risk 0.64cvss —epss 0.01
Kaillera Server version 0.86 is vulnerable to a denial-of-service condition triggered by sending a malformed UDP packet after the initial handshake. Once a client sends a valid HELLO0.83 packet and receives a response, any subsequent malformed packet causes the server to crash…
- risk 0.64cvss 9.8epss 0.01
An Improper Input Validation in certain UniFi Access devices could allow a Command Injection by a malicious actor with access to UniFi Access management network. Affected Products: UniFi Access Reader Pro (Version 2.14.21 and earlier) UniFi Access G2 Reader Pro…
- risk 0.64cvss —epss 0.01
A stack-based buffer overflow vulnerability exists in MPlayer Lite r33064 due to improper bounds checking when handling M3U playlist files containing long http:// URL entries. An attacker can craft a malicious .m3u file with a specially formatted URL that triggers a stack…
- risk 0.64cvss 9.8epss 0.01
Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing a maliciously crafted texture may lead to unexpected app termination.
- risk 0.64cvss 9.8epss 0.01
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An input validation issue was addressed.
- risk 0.64cvss 8.8epss 0.32
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and…
- risk 0.64cvss 9.8epss 0.00
SSH Communication Security PrivX versions between 18.0-36.0 implement insufficient validation on public key signatures when using native SSH connections via a proxy port. This allows an existing PrivX "account A" to impersonate another existing PrivX "account B" and gain access…
- risk 0.64cvss 9.8epss 0.01
CWE-20: Improper Input Validation vulnerability exists that could lead to a denial of service and a loss of confidentiality, integrity of the controller when an unauthenticated crafted Modbus packet is sent to the device.
- risk 0.64cvss 9.9epss 0.01
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow…