VYPR

CWE-684

Incorrect Provision of Specified Functionality

Abstraction: Class · Status: Draft

Description

The code does not function according to its published specifications, potentially leading to incorrect usage.

When providing functionality to an external party, it is important that the product behaves in accordance with the details specified. When requirements or nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to an exploitable state.

Hierarchy (View 1000)

CVEs mapped to this weakness (14)

  • CVE-2024-50357 · Critical · Nov 29, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI)…

  • CVE-2025-66384 · High · Nov 28, 2025
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name.

  • CVE-2025-47227 · High · Jul 5, 2025
    risk 0.49 · CVSS 7.5 · EPSS 0.02

    In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), the Administrator password reset mechanism is mishandled. Making both a GET and a POST request to login.php is sufficient. An unauthenticated attacker can then bypass authentication via…

  • CVE-2023-5363 · High · Oct 25, 2023
    risk 0.49 · CVSS 7.5 · EPSS 0.03

    Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness,…

  • CVE-2026-42255 · High · Apr 26, 2026
    risk 0.47 · CVSS 7.2 · EPSS 0.00

    Technitium DNS Server before 15.0 allows DNS traffic amplification via cyclic name server delegation.

  • CVE-2026-40685 · Medium · Apr 30, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.

  • CVE-2026-34478 · High · Apr 10, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two…

  • CVE-2026-40684 · Medium · Apr 30, 2026
    risk 0.38 · CVSS 5.9 · EPSS 0.00

    In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.

  • CVE-2026-44597 · Low · May 7, 2026
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.

  • CVE-2025-54568 · Low · Jul 25, 2025
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    Akamai Rate Control alpha before 2025 allows attackers to send requests above the stipulated thresholds because the rate is measured separately for each edge node.

  • CVE-2026-35381 · Low · Apr 22, 2026
    risk 0.14 · CVSS 3.3 · EPSS 0.00

    A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized…

  • CVE-2026-35379 · Low · Apr 22, 2026
    risk 0.14 · CVSS 3.3 · EPSS 0.00

    A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class,…

  • CVE-2025-55174 · Low · Nov 26, 2025
    risk 0.14 · CVSS 3.2 · EPSS 0.00

    In KDE Skanpage before 25.08.0, an attempt at file overwrite can result in the contents of the new file at the beginning followed by the partial contents of the old file at the end, because of use of QIODevice::ReadWrite instead of QIODevice::WriteOnly.

  • CVE-2020-11054 · May 7, 2020
    risk 0.00 · CVSS n/a · EPSS 0.01

    In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently…