CWE-472
External Control of Assumed-Immutable Web Parameter
Abstraction: Base · Status: Draft
Description
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-146 · CAPEC-226 · CAPEC-31 · CAPEC-39
CVEs mapped to this weakness (51)
page 3 of 3

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-8567 | Med | 0.28 | 4.3 | 0.00 | | May 14, 2026 | Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-8559 | Med | 0.28 | 4.3 | 0.00 | | May 14, 2026 | Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-7969 | Med | 0.28 | 4.3 | 0.00 | | May 6, 2026 | Integer overflow in Network in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-7942 | Med | 0.28 | 4.3 | 0.00 | | May 6, 2026 | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-7340 | Med | 0.28 | 4.3 | 0.00 | | Apr 28, 2026 | Integer overflow in ANGLE in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2025-54551 | Med | 0.28 | 4.3 | 0.00 | | Aug 20, 2025 | Synapse Mobility 8.0, 8.0.1, 8.0.2, 8.1, and 8.1.1 contain a privilege escalation vulnerability through external control of Web parameter. If exploited, a user of the product may escalate the privilege and access data that the user do not have permission to view by altering the parameters of the search function. |
| CVE-2025-43002 | Med | 0.28 | 4.3 | 0.00 | | May 13, 2025 | SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. This could cause a low impact on confidentiality but integrity and availability of the application are not impacted. |
| CVE-2025-31327 | Med | 0.28 | 4.3 | 0.00 | | Apr 22, 2025 | SAP Field Logistics Manage Logistics application OData meta-data property is vulnerable to data tampering, due to which certain fields could be externally modified by an attacker causing low impact on integrity of the application. Confidentiality and availability are not impacted. |
| CVE-2025-31333 | Med | 0.28 | 4.3 | 0.00 | | Apr 8, 2025 | SAP S4CORE OData meta-data property is vulnerable to data tampering, due to which entity set could be externally modified by an attacker causing low impact on integrity of the application. Confidentiality and availability is not impacted. |
| CVE-2026-7912 | Med | 0.27 | 4.2 | 0.00 | | May 6, 2026 | Integer overflow in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) |
| CVE-2025-32816 | Low | 0.13 | 3.1 | 0.00 | | Apr 11, 2025 | CodeLit CourseLit before 0.57.5 allows Parameter Tampering via a payment plan associated with the wrong entity. |