CWE-754
Improper Check for Unusual or Exceptional Conditions
Description
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Hierarchy (View 1000)
CVEs mapped to this weakness (226)
page 8 of 12| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41662 | Med | 0.27 | 5.2 | 0.00 | May 7, 2026 | Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the… | ||
| CVE-2026-34066 | Med | 0.27 | 5.3 | 0.00 | Apr 22, 2026 | nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within… | ||
| CVE-2026-40249 | Med | 0.27 | 5.3 | 0.00 | Apr 16, 2026 | free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/policy-data/subs-to-notify/{subsId} does not return after request body retrieval or… | ||
| CVE-2025-43883 | Med | 0.27 | 4.1 | 0.00 | Apr 16, 2026 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check for unusual or exceptional conditions vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. | ||
| CVE-2024-51502 | Med | 0.26 | — | 0.00 | Nov 4, 2024 | loona is an experimental, HTTP/1.1 and HTTP/2 implementation in Rust on top of io-uring. `loona-hpack` suffers from the same vulnerability as the original `hpack` as documented in issue #11. All users who try to decode untrusted input using the Decoder are vulnerable to this… | ||
| CVE-2026-8491 | Low | 0.24 | 3.7 | 0.00 | May 19, 2026 | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1. | ||
| CVE-2026-4643 | Low | 0.23 | 3.5 | 0.00 | May 18, 2026 | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the… | ||
| CVE-2026-41377 | Med | 0.23 | 4.6 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings. | ||
| CVE-2025-22848 | Low | 0.23 | 3.5 | 0.00 | May 13, 2025 | Improper conditions check for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access. | ||
| CVE-2026-35366 | Med | 0.22 | 4.4 | 0.00 | Apr 22, 2026 | The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This… | ||
| CVE-2026-40094 | Med | 0.21 | 4.3 | 0.00 | May 20, 2026 | nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A… | ||
| CVE-2026-4054 | Med | 0.21 | 4.3 | 0.00 | May 15, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header… | ||
| CVE-2026-39395 | Med | 0.21 | 4.3 | 0.00 | Apr 7, 2026 | Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and… | ||
| CVE-2025-33030 | Low | 0.21 | 3.3 | 0.00 | Feb 10, 2026 | Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data corruption. This… | ||
| CVE-2023-6742 | Med | 0.21 | 4.3 | 0.00 | Jan 11, 2024 | The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'envira_gallery_insert_images' function in all versions up to, and including, 1.8.7.1. This makes it… | ||
| CVE-2026-24513 | Low | 0.20 | 3.1 | 0.00 | Feb 3, 2026 | A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration… | ||
| CVE-2025-52136 | Low | 0.20 | 3.0 | 0.00 | Aug 10, 2025 | In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard… | ||
| CVE-2025-32739 | Low | 0.18 | 2.8 | 0.00 | Feb 10, 2026 | Improper conditions check in some firmware for some Intel(R) Graphics Drivers and Intel LTS kernels within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable denial of… | ||
| CVE-2026-49318 | Low | 0.16 | 2.4 | 0.00 | May 29, 2026 | Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during… | ||
| CVE-2026-49317 | Low | 0.16 | 2.4 | 0.00 | May 29, 2026 | Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during… |
- risk 0.27cvss 5.2epss 0.00
Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the…
- risk 0.27cvss 5.3epss 0.00
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within…
- risk 0.27cvss 5.3epss 0.00
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/policy-data/subs-to-notify/{subsId} does not return after request body retrieval or…
- risk 0.27cvss 4.1epss 0.00
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check for unusual or exceptional conditions vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service.
- risk 0.26cvss —epss 0.00
loona is an experimental, HTTP/1.1 and HTTP/2 implementation in Rust on top of io-uring. `loona-hpack` suffers from the same vulnerability as the original `hpack` as documented in issue #11. All users who try to decode untrusted input using the Decoder are vulnerable to this…
- risk 0.24cvss 3.7epss 0.00
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.
- risk 0.23cvss 3.5epss 0.00
Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the…
- risk 0.23cvss 4.6epss 0.00
OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings.
- risk 0.23cvss 3.5epss 0.00
Improper conditions check for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access.
- risk 0.22cvss 4.4epss 0.00
The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This…
- risk 0.21cvss 4.3epss 0.00
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A…
- risk 0.21cvss 4.3epss 0.00
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header…
- risk 0.21cvss 4.3epss 0.00
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and…
- risk 0.21cvss 3.3epss 0.00
Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data corruption. This…
- risk 0.21cvss 4.3epss 0.00
The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'envira_gallery_insert_images' function in all versions up to, and including, 1.8.7.1. This makes it…
- risk 0.20cvss 3.1epss 0.00
A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration…
- risk 0.20cvss 3.0epss 0.00
In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard…
- risk 0.18cvss 2.8epss 0.00
Improper conditions check in some firmware for some Intel(R) Graphics Drivers and Intel LTS kernels within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable denial of…
- risk 0.16cvss 2.4epss 0.00
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during…
- risk 0.16cvss 2.4epss 0.00
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during…