CWE-670
Always-Incorrect Control Flow Implementation
Description
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Hierarchy (View 1000)
CVEs mapped to this weakness (68)
page 2 of 4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-0313 | — | Med | 0.36 | 5.5 | 0.00 | Mar 14, 2024 | A malicious insider exploiting this vulnerability can circumvent existing security controls put in place by the organization. On the contrary, if the victim is legitimately using the temporary bypass to reach out to the Internet for retrieving application and system updates, a… | |
| CVE-2026-12321 | Med | 0.35 | 5.4 | 0.00 | Jun 16, 2026 | JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | ||
| CVE-2026-41300 | Med | 0.35 | 6.5 | 0.00 | Apr 21, 2026 | OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive the trust decline process into manual… | ||
| CVE-2026-40942 | Med | 0.34 | — | 0.00 | Apr 21, 2026 | The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return… | ||
| CVE-2026-6608 | Med | 0.34 | 5.3 | 0.00 | Apr 20, 2026 | A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used.… | ||
| CVE-2024-35312 | Med | 0.33 | 6.2 | 0.00 | May 17, 2024 | In Tor Arti before 1.2.3, STUB circuits incorrectly have a length of 2 (with lite vanguards), aka TROVE-2024-003. | ||
| CVE-2024-35195 | Med | 0.29 | 5.6 | 0.00 | May 20, 2024 | Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes… | ||
| CVE-2026-35414 | Med | 0.27 | 4.2 | 0.00 | Apr 2, 2026 | OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. | ||
| CVE-2026-40396 | Med | 0.26 | 4.0 | 0.00 | Apr 12, 2026 | Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session… | ||
| CVE-2026-40394 | Med | 0.26 | 4.0 | 0.00 | Apr 12, 2026 | Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the… | ||
| CVE-2024-45298 | Med | 0.21 | 4.3 | 0.00 | Sep 18, 2024 | Wiki.js is an open source wiki app built on Node.js. A disabled user can still gain access to a wiki by abusing the password reset function. While setting up SMTP e-mail's on my server, I tested said e-mails by performing a password reset with my test user. To my shock, not only… | ||
| CVE-2026-35387 | Low | 0.20 | 3.1 | 0.00 | Apr 2, 2026 | OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. | ||
| CVE-2026-41988 | Low | 0.14 | 3.2 | 0.00 | Apr 23, 2026 | uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue. | ||
| CVE-2026-35343 | Low | 0.14 | 3.3 | 0.00 | Apr 22, 2026 | The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print… | ||
| CVE-2026-44928 | Low | 0.12 | 2.9 | 0.00 | May 8, 2026 | In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal. | ||
| CVE-2026-33011 | 0.00 | — | 0.00 | Mar 20, 2026 | Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers… | |||
| CVE-2026-26267 | 0.00 | — | 0.00 | Feb 19, 2026 | soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` macro contains a bug in how it wires up function calls. `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing… | |||
| CVE-2025-32996 | 0.00 | — | 0.00 | Apr 15, 2025 | In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used. | |||
| CVE-2025-2886 | — | 0.00 | — | 0.00 | Mar 27, 2025 | Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should… | ||
| CVE-2025-21607 | 0.00 | — | 0.01 | Jan 14, 2025 | Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but… |
- risk 0.36cvss 5.5epss 0.00
A malicious insider exploiting this vulnerability can circumvent existing security controls put in place by the organization. On the contrary, if the victim is legitimately using the temporary bypass to reach out to the Internet for retrieving application and system updates, a…
- risk 0.35cvss 5.4epss 0.00
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
- risk 0.35cvss 6.5epss 0.00
OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive the trust decline process into manual…
- risk 0.34cvss —epss 0.00
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return…
- risk 0.34cvss 5.3epss 0.00
A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used.…
- risk 0.33cvss 6.2epss 0.00
In Tor Arti before 1.2.3, STUB circuits incorrectly have a length of 2 (with lite vanguards), aka TROVE-2024-003.
- risk 0.29cvss 5.6epss 0.00
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes…
- risk 0.27cvss 4.2epss 0.00
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
- risk 0.26cvss 4.0epss 0.00
Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session…
- risk 0.26cvss 4.0epss 0.00
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the…
- risk 0.21cvss 4.3epss 0.00
Wiki.js is an open source wiki app built on Node.js. A disabled user can still gain access to a wiki by abusing the password reset function. While setting up SMTP e-mail's on my server, I tested said e-mails by performing a password reset with my test user. To my shock, not only…
- risk 0.20cvss 3.1epss 0.00
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
- risk 0.14cvss 3.2epss 0.00
uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.
- risk 0.14cvss 3.3epss 0.00
The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print…
- risk 0.12cvss 2.9epss 0.00
In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
- CVE-2026-33011Mar 20, 2026risk 0.00cvss —epss 0.00
Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers…
- CVE-2026-26267Feb 19, 2026risk 0.00cvss —epss 0.00
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` macro contains a bug in how it wires up function calls. `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing…
- CVE-2025-32996Apr 15, 2025risk 0.00cvss —epss 0.00
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
- CVE-2025-2886Mar 27, 2025risk 0.00cvss —epss 0.00
Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should…
- CVE-2025-21607Jan 14, 2025risk 0.00cvss —epss 0.01
Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but…