VYPR

CWE-472

External Control of Assumed-Immutable Web Parameter

Abstraction: Base · Status: Draft

Description

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-146 · CAPEC-226 · CAPEC-31 · CAPEC-39

CVEs mapped to this weakness (88)

page 4 of 5
  • CVE-2026-11678 · Med · Jun 9, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-11669 · Med · Jun 9, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Out of bounds read in Media in Google Chrome on ChromeOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-4911 · Med · Apr 28, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06. This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the…

  • CVE-2025-26312 · Med · Mar 14, 2025
    risk 0.34 · cvss n/a · epss 0.00

    SendQuick Entera devices before 11HF5 are vulnerable to CAPTCHA bypass by removing the Captcha parameter.

  • CVE-2024-12123 · Med · Dec 4, 2024
    risk 0.34 · cvss n/a · epss 0.00

    A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. When an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy. The ticket requester…

  • CVE-2026-11290 · Med · Jun 5, 2026
    risk 0.33 · cvss 5.0 · epss 0.00

    Integer overflow in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to cause a denial of service via a malicious file. (Chromium security severity: Low)

  • CVE-2026-11281 · Med · Jun 5, 2026
    risk 0.33 · cvss 5.0 · epss 0.00

    Integer overflow in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted ETW event. (Chromium security severity: Low)

  • CVE-2026-9911 · Med · May 28, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-8567 · Med · May 14, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-8559 · Med · May 14, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-7969 · Med · May 6, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Integer overflow in Network in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-7942 · Med · May 6, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-7340 · Med · Apr 28, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Integer overflow in ANGLE in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2025-54551 · Med · Aug 20, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Synapse Mobility 8.0, 8.0.1, 8.0.2, 8.1, and 8.1.1 contain a privilege escalation vulnerability through external control of a Web parameter. If exploited, a user of the product may escalate privilege and access data that the user does not have permission to view by altering the…

  • CVE-2025-43002 · Med · May 13, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. This could cause a low impact on confidentiality but integrity and availability of the application are not impacted.

  • CVE-2025-31327 · Med · Apr 22, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP Field Logistics Manage Logistics application OData meta-data property is vulnerable to data tampering, due to which certain fields could be externally modified by an attacker causing low impact on integrity of the application. Confidentiality and availability are not…

  • CVE-2025-31333 · Med · Apr 8, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP S4CORE OData meta-data property is vulnerable to data tampering, due to which an entity set could be externally modified by an attacker, causing low impact on the integrity of the application. Confidentiality and availability are not impacted.

  • CVE-2026-7912 · Med · May 6, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    Integer overflow in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-32699 · Med · May 5, 2026
    risk 0.27 · cvss n/a · epss 0.00

    FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass…

  • CVE-2026-2519 · Med · Apr 9, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation…