CWE-693
Protection Mechanism Failure
Description
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-107 · CAPEC-127 · CAPEC-17 · CAPEC-20 · CAPEC-22 · CAPEC-237 · CAPEC-36 · CAPEC-477 · CAPEC-480 · CAPEC-51 · CAPEC-57 · CAPEC-59 · CAPEC-65 · CAPEC-668 · CAPEC-74 · CAPEC-87
CVEs mapped to this weakness (353)
page 13 of 18| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45459 | Low | 0.21 | 3.3 | 0.00 | Jun 9, 2026 | Protection mechanism failure in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally. | ||
| CVE-2019-1003029 | 0.21 | — | 0.74 | KEV | Mar 8, 2019 | A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows… | ||
| CVE-2019-1003030 | 0.21 | — | 0.76 | KEV | Mar 8, 2019 | A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM. | ||
| CVE-2026-11684 | Low | 0.20 | 3.1 | 0.00 | Jun 9, 2026 | Insufficient policy enforcement in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the utility process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2026-11247 | Low | 0.20 | 3.1 | 0.00 | Jun 5, 2026 | Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2026-8572 | Low | 0.20 | 3.1 | 0.00 | May 14, 2026 | Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-8568 | Low | 0.20 | 3.1 | 0.00 | May 14, 2026 | Insufficient policy enforcement in AI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-7959 | Low | 0.20 | 3.1 | 0.00 | May 6, 2026 | Inappropriate implementation in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-7937 | Low | 0.20 | 3.1 | 0.00 | May 6, 2026 | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) | ||
| CVE-2026-7909 | Low | 0.20 | 3.1 | 0.00 | May 6, 2026 | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2024-33883 | Med | 0.19 | 4.0 | 0.01 | Apr 28, 2024 | The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection. | ||
| CVE-2026-44071 | Low | 0.17 | 3.7 | 0.00 | May 21, 2026 | Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, which disables built-in buffer overflow detection at runtime, potentially allowing a remote attacker to cause a minor denial of service via memory errors that would otherwise be caught and safely terminated by… | ||
| CVE-2026-39419 | Low | 0.13 | 3.1 | 0.00 | Apr 14, 2026 | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then… | ||
| CVE-2026-30904 | Low | 0.12 | 1.8 | 0.00 | May 13, 2026 | Protection Mechanism Failure in Zoom Workplace for iOS before version 7.0.0 may allow an authenticated user to conduct a disclosure of information via physical access. | ||
| CVE-2017-3893 | Low | 0.12 | 1.9 | 0.01 | Nov 14, 2017 | In BlackBerry QNX Software Development Platform (SDP) 6.6.0, the default configuration of the QNX SDP system did not in all circumstances prevent attackers from modifying the GOT or PLT tables with buffer overflow attacks. | ||
| CVE-2025-66479 | Low | 0.05 | — | 0.00 | Dec 4, 2025 | Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a… | ||
| CVE-2018-6794 | Med | 0.05 | 5.3 | 0.30 | Feb 7, 2018 | Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients… | ||
| CVE-2024-34144 | 0.04 | — | 0.48 | May 2, 2024 | A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary… | |||
| CVE-2019-1003000 | 0.04 | — | 0.98 | Jan 22, 2019 | A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins… | |||
| CVE-2026-54762 | 0.00 | — | 0.00 | Jun 19, 2026 | ## Summary There is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported `nginx.ingress.kubernetes.io/auth-type` and… |
- risk 0.21cvss 3.3epss 0.00
Protection mechanism failure in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.
- risk 0.21cvss —epss 0.74
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows…
- risk 0.21cvss —epss 0.76
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
- risk 0.20cvss 3.1epss 0.00
Insufficient policy enforcement in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the utility process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
- risk 0.20cvss 3.1epss 0.00
Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
- risk 0.20cvss 3.1epss 0.00
Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.20cvss 3.1epss 0.00
Insufficient policy enforcement in AI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.20cvss 3.1epss 0.00
Inappropriate implementation in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.20cvss 3.1epss 0.00
Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)
- risk 0.20cvss 3.1epss 0.00
Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
- risk 0.19cvss 4.0epss 0.01
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
- risk 0.17cvss 3.7epss 0.00
Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, which disables built-in buffer overflow detection at runtime, potentially allowing a remote attacker to cause a minor denial of service via memory errors that would otherwise be caught and safely terminated by…
- risk 0.13cvss 3.1epss 0.00
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then…
- risk 0.12cvss 1.8epss 0.00
Protection Mechanism Failure in Zoom Workplace for iOS before version 7.0.0 may allow an authenticated user to conduct a disclosure of information via physical access.
- risk 0.12cvss 1.9epss 0.01
In BlackBerry QNX Software Development Platform (SDP) 6.6.0, the default configuration of the QNX SDP system did not in all circumstances prevent attackers from modifying the GOT or PLT tables with buffer overflow attacks.
- risk 0.05cvss —epss 0.00
Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a…
- risk 0.05cvss 5.3epss 0.30
Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients…
- CVE-2024-34144May 2, 2024risk 0.04cvss —epss 0.48
A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary…
- CVE-2019-1003000Jan 22, 2019risk 0.04cvss —epss 0.98
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins…
- CVE-2026-54762Jun 19, 2026risk 0.00cvss —epss 0.00
## Summary There is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported `nginx.ingress.kubernetes.io/auth-type` and…