CWE-684
Incorrect Provision of Specified Functionality
Description
The code does not function according to its published specifications, potentially leading to incorrect usage.
Hierarchy (View 1000)
CVEs mapped to this weakness (14)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-50357 | | Critical | 0.64 | 9.8 | 0.01 | | Nov 29, 2024 | FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI)… |
| CVE-2025-66384 | | High | 0.53 | 8.2 | 0.00 | | Nov 28, 2025 | app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name. |
| CVE-2025-47227 | | High | 0.49 | 7.5 | 0.02 | | Jul 5, 2025 | In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), the Administrator password reset mechanism is mishandled. Making both a GET and a POST request to login.php.is sufficient. An unauthenticated attacker can then bypass authentication via… |
| CVE-2023-5363 | | High | 0.49 | 7.5 | 0.03 | | Oct 25, 2023 | Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness,… |
| CVE-2026-42255 | | High | 0.47 | 7.2 | 0.00 | | Apr 26, 2026 | Technitium DNS Server before 15.0 allows DNS traffic amplification via cyclic name server delegation. |
| CVE-2026-40685 | | Medium | 0.42 | 6.5 | 0.00 | | Apr 30, 2026 | In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping. |
| CVE-2026-34478 | | High | 0.42 | 7.5 | 0.01 | | Apr 10, 2026 | Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two… |
| CVE-2026-40684 | | Medium | 0.38 | 5.9 | 0.00 | | Apr 30, 2026 | In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing. |
| CVE-2026-44597 | | Low | 0.24 | 3.7 | 0.00 | | May 7, 2026 | Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011. |
| CVE-2025-54568 | | Low | 0.24 | 3.7 | 0.00 | | Jul 25, 2025 | Akamai Rate Control alpha before 2025 allows attackers to send requests above the stipulated thresholds because the rate is measured separately for each edge node. |
| CVE-2026-35381 | | Low | 0.14 | 3.3 | 0.00 | | Apr 22, 2026 | A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and -d '' (empty delimiter) options together. The implementation incorrectly routes this specific combination through a specialized… |
| CVE-2026-35379 | | Low | 0.14 | 3.3 | 0.00 | | Apr 22, 2026 | A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space character (0x20) in the [:graph:] class and excludes it from the [:print:] class,… |
| CVE-2025-55174 | | Low | 0.14 | 3.2 | 0.00 | | Nov 26, 2025 | In KDE Skanpage before 25.08.0, an attempt at file overwrite can result in the contents of the new file at the beginning followed by the partial contents of the old file at the end, because of use of QIODevice::ReadWrite instead of QODevice::WriteOnly. |
| CVE-2020-11054 | | | 0.00 | — | 0.01 | | May 7, 2020 | In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently… |