VYPR

CWE-472

External Control of Assumed-Immutable Web Parameter

Abstraction: Base · Status: Draft

Description

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-146 · CAPEC-226 · CAPEC-31 · CAPEC-39

CVEs mapped to this weakness (88)

page 2 of 5
  • CVE-2026-7973 · High · May 6, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in Dawn in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-7903 · High · May 6, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in ANGLE in Google Chrome on Mac,Windows prior to 148.0.7778.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-7896 · High · May 6, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in Blink in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

  • CVE-2026-5912 · High · Apr 8, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-5910 · High · Apr 8, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)

  • CVE-2026-5909 · High · Apr 8, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)

  • CVE-2026-5908 · High · Apr 8, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. (Chromium security severity: Low)

  • CVE-2026-5870 · High · Apr 8, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-5859 · High · Apr 8, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

  • CVE-2026-5274 · High · Apr 1, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Integer overflow in Codecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

  • CVE-2025-14750 · High · Jan 22, 2026
    risk 0.57 · cvss (not listed) · epss 0.00

    The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges.

  • CVE-2025-30236 · High · Mar 19, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 allows authentication through only a six-digit TOTP code (skipping a password check) if an HTTP POST request contains a SESSION parameter.

  • CVE-2026-11655 · High · Jun 9, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Integer overflow in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-11640 · High · Jun 9, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

  • CVE-2026-10924 · High · Jun 4, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Integer overflow in Chromecast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-10921 · High · Jun 4, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Integer overflow in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-9998 · High · May 28, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-9966 · High · May 28, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Integer overflow in XML in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-8573 · High · May 14, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

  • CVE-2026-8534 · High · May 14, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Integer overflow in GPU in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)