VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 7 of 401
  • CVE-2026-22563CriApr 13, 2026
    risk 0.64cvss 9.8epss 0.01

    A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
 …

  • CVE-2026-33816CriApr 7, 2026
    risk 0.64cvss 9.8epss 0.01

    Memory-safety vulnerability in github.com/jackc/pgx/v5.

  • CVE-2026-20093CriApr 1, 2026
    risk 0.64cvss 9.8epss 0.01

    A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of…

  • CVE-2026-1668CriMar 13, 2026
    risk 0.64cvss 9.8epss 0.01

    The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bound memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution.An…

  • CVE-2026-2590CriMar 3, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information…

  • CVE-2025-67484CriFeb 3, 2026
    risk 0.64cvss 9.8epss 0.00

    Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.

  • CVE-2025-8769CriDec 24, 2025
    risk 0.64cvss 9.8epss 0.01

    Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server.

  • CVE-2025-68667CriDec 23, 2025
    risk 0.64cvss epss 0.01

    Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to…

  • CVE-2025-14156CriDec 15, 2025
    risk 0.64cvss 9.8epss 0.06

    The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the…

  • CVE-2025-43347CriSep 15, 2025
    risk 0.64cvss 9.8epss 0.01

    This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. An input validation issue was addressed.

  • CVE-2025-43342CriSep 15, 2025
    risk 0.64cvss 9.8epss 0.01

    A correctness issue was addressed with improved checks. This issue is fixed in Safari 26, iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. Processing maliciously crafted web content may lead to an unexpected process crash.

  • CVE-2011-10020HigAug 20, 2025
    risk 0.64cvss epss 0.01

    Kaillera Server version 0.86 is vulnerable to a denial-of-service condition triggered by sending a malformed UDP packet after the initial handshake. Once a client sends a valid HELLO0.83 packet and receives a response, any subsequent malformed packet causes the server to crash…

  • CVE-2025-27212CriAug 4, 2025
    risk 0.64cvss 9.8epss 0.01

    An Improper Input Validation in certain UniFi Access devices could allow a Command Injection by a malicious actor with access to UniFi Access management network. Affected Products: UniFi Access Reader Pro (Version 2.14.21 and earlier) UniFi Access G2 Reader Pro…

  • CVE-2011-10008HigJul 31, 2025
    risk 0.64cvss epss 0.01

    A stack-based buffer overflow vulnerability exists in MPlayer Lite r33064 due to improper bounds checking when handling M3U playlist files containing long http:// URL entries. An attacker can craft a malicious .m3u file with a specially formatted URL that triggers a stack…

  • CVE-2025-43234CriJul 30, 2025
    risk 0.64cvss 9.8epss 0.01

    Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing a maliciously crafted texture may lead to unexpected app termination.

  • CVE-2025-30452CriMar 31, 2025
    risk 0.64cvss 9.8epss 0.01

    The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An input validation issue was addressed.

  • CVE-2025-24514HigMar 25, 2025
    risk 0.64cvss 8.8epss 0.32

    A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and…

  • CVE-2024-47857CriJan 31, 2025
    risk 0.64cvss 9.8epss 0.00

    SSH Communication Security PrivX versions between 18.0-36.0 implement insufficient validation on public key signatures when using native SSH connections via a proxy port. This allows an existing PrivX "account A" to impersonate another existing PrivX "account B" and gain access…

  • CVE-2024-11737CriDec 11, 2024
    risk 0.64cvss 9.8epss 0.01

    CWE-20: Improper Input Validation vulnerability exists that could lead to a denial of service and a loss of confidentiality, integrity of the controller when an unauthenticated crafted Modbus packet is sent to the device.

  • CVE-2024-45798CriSep 17, 2024
    risk 0.64cvss 9.9epss 0.01

    arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow…