VYPR

CWE-693

Protection Mechanism Failure

PillarDraft

Description

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-107 · CAPEC-127 · CAPEC-17 · CAPEC-20 · CAPEC-22 · CAPEC-237 · CAPEC-36 · CAPEC-477 · CAPEC-480 · CAPEC-51 · CAPEC-57 · CAPEC-59 · CAPEC-65 · CAPEC-668 · CAPEC-74 · CAPEC-87

CVEs mapped to this weakness (353)

page 13 of 18
  • CVE-2026-45459LowJun 9, 2026
    risk 0.21cvss 3.3epss 0.00

    Protection mechanism failure in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.

  • CVE-2019-1003029KEVMar 8, 2019
    risk 0.21cvss epss 0.74

    A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows…

  • CVE-2019-1003030KEVMar 8, 2019
    risk 0.21cvss epss 0.76

    A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.

  • CVE-2026-11684LowJun 9, 2026
    risk 0.20cvss 3.1epss 0.00

    Insufficient policy enforcement in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the utility process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-11247LowJun 5, 2026
    risk 0.20cvss 3.1epss 0.00

    Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-8572LowMay 14, 2026
    risk 0.20cvss 3.1epss 0.00

    Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-8568LowMay 14, 2026
    risk 0.20cvss 3.1epss 0.00

    Insufficient policy enforcement in AI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-7959LowMay 6, 2026
    risk 0.20cvss 3.1epss 0.00

    Inappropriate implementation in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-7937LowMay 6, 2026
    risk 0.20cvss 3.1epss 0.00

    Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)

  • CVE-2026-7909LowMay 6, 2026
    risk 0.20cvss 3.1epss 0.00

    Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

  • CVE-2024-33883MedApr 28, 2024
    risk 0.19cvss 4.0epss 0.01

    The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

  • CVE-2026-44071LowMay 21, 2026
    risk 0.17cvss 3.7epss 0.00

    Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, which disables built-in buffer overflow detection at runtime, potentially allowing a remote attacker to cause a minor denial of service via memory errors that would otherwise be caught and safely terminated by…

  • CVE-2026-39419LowApr 14, 2026
    risk 0.13cvss 3.1epss 0.00

    MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then…

  • CVE-2026-30904LowMay 13, 2026
    risk 0.12cvss 1.8epss 0.00

    Protection Mechanism Failure in Zoom Workplace for iOS before version 7.0.0 may allow an authenticated user to conduct a disclosure of information via physical access.

  • CVE-2017-3893LowNov 14, 2017
    risk 0.12cvss 1.9epss 0.01

    In BlackBerry QNX Software Development Platform (SDP) 6.6.0, the default configuration of the QNX SDP system did not in all circumstances prevent attackers from modifying the GOT or PLT tables with buffer overflow attacks.

  • CVE-2025-66479LowDec 4, 2025
    risk 0.05cvss epss 0.00

    Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a…

  • CVE-2018-6794MedFeb 7, 2018
    risk 0.05cvss 5.3epss 0.30

    Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients…

  • CVE-2024-34144May 2, 2024
    risk 0.04cvss epss 0.48

    A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary…

  • CVE-2019-1003000Jan 22, 2019
    risk 0.04cvss epss 0.98

    A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins…

  • CVE-2026-54762Jun 19, 2026
    risk 0.00cvss epss 0.00

    ## Summary There is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported `nginx.ingress.kubernetes.io/auth-type` and…