CWE-754
Improper Check for Unusual or Exceptional Conditions
Description
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Hierarchy (View 1000)
CVEs mapped to this weakness (226)
page 9 of 12| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-27457 | Low | 0.16 | 2.5 | 0.00 | Oct 8, 2024 | Improper check for unusual or exceptional conditions in Intel(R) TDX Module firmware before version 1.5.06 may allow a privileged user to potentially enable information disclosure via local access. | ||
| CVE-2026-3109 | Low | 0.14 | 2.2 | 0.00 | Mar 26, 2026 | Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584 | ||
| CVE-2024-2502 | Low | 0.13 | 2.0 | 0.00 | Aug 29, 2024 | An application can be configured to block boot attempts after consecutive tamper resets are detected, which may not occur as expected. This is possible because the TAMPERRSTCAUSE register may not be properly updated when a level 4 tamper event (a tamper reset) occurs. This… | ||
| CVE-2026-54775 | 0.00 | — | — | Jun 19, 2026 | ### Impact A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic. #### Preconditions The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits… | |||
| CVE-2026-54269 | 0.00 | — | 0.00 | Jun 15, 2026 | ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection… | |||
| CVE-2026-20719 | 0.00 | — | 0.00 | Mar 25, 2026 | Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub..… | |||
| CVE-2026-23991 | 0.00 | — | 0.01 | Jan 22, 2026 | go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing,… | |||
| CVE-2025-13080 | 0.00 | — | 0.00 | Nov 18, 2025 | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | |||
| CVE-2025-62783 | — | 0.00 | — | 0.00 | Oct 27, 2025 | InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.1-SNAPSHOT and earlier contain a vulnerability where any plugin using the `GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server.… | ||
| CVE-2025-54463 | 0.00 | — | 0.00 | Aug 11, 2025 | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. | |||
| CVE-2025-53514 | 0.00 | — | 0.00 | Aug 11, 2025 | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. | |||
| CVE-2025-52931 | 0.00 | — | 0.00 | Aug 11, 2025 | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to update channel subscription endpoint with an invalid request body. | |||
| CVE-2025-32997 | 0.00 | — | 0.00 | Apr 15, 2025 | In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed. | |||
| CVE-2025-22445 | 0.00 | — | 0.00 | Jan 9, 2025 | Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting. | |||
| CVE-2024-52316 | — | 0.00 | — | 0.06 | Nov 18, 2024 | Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to… | ||
| CVE-2024-43435 | 0.00 | — | 0.00 | Nov 11, 2024 | A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary. | |||
| CVE-2024-43044 | 0.00 | — | 0.29 | Aug 7, 2024 | Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library. | |||
| CVE-2024-39832 | 0.00 | — | 0.00 | Aug 1, 2024 | Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled. | |||
| CVE-2024-36128 | 0.00 | — | 0.01 | Jun 3, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This… | |||
| CVE-2024-4182 | 0.00 | — | 0.01 | Apr 26, 2024 | Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status. |
- risk 0.16cvss 2.5epss 0.00
Improper check for unusual or exceptional conditions in Intel(R) TDX Module firmware before version 1.5.06 may allow a privileged user to potentially enable information disclosure via local access.
- risk 0.14cvss 2.2epss 0.00
Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584
- risk 0.13cvss 2.0epss 0.00
An application can be configured to block boot attempts after consecutive tamper resets are detected, which may not occur as expected. This is possible because the TAMPERRSTCAUSE register may not be properly updated when a level 4 tamper event (a tamper reset) occurs. This…
- CVE-2026-54775Jun 19, 2026risk 0.00cvss —epss —
### Impact A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic. #### Preconditions The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits…
- CVE-2026-54269Jun 15, 2026risk 0.00cvss —epss 0.00
## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection…
- CVE-2026-20719Mar 25, 2026risk 0.00cvss —epss 0.00
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub..…
- CVE-2026-23991Jan 22, 2026risk 0.00cvss —epss 0.01
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing,…
- CVE-2025-13080Nov 18, 2025risk 0.00cvss —epss 0.00
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
- CVE-2025-62783Oct 27, 2025risk 0.00cvss —epss 0.00
InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.1-SNAPSHOT and earlier contain a vulnerability where any plugin using the `GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server.…
- CVE-2025-54463Aug 11, 2025risk 0.00cvss —epss 0.00
Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body.
- CVE-2025-53514Aug 11, 2025risk 0.00cvss —epss 0.00
Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body.
- CVE-2025-52931Aug 11, 2025risk 0.00cvss —epss 0.00
Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to update channel subscription endpoint with an invalid request body.
- CVE-2025-32997Apr 15, 2025risk 0.00cvss —epss 0.00
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
- CVE-2025-22445Jan 9, 2025risk 0.00cvss —epss 0.00
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.
- CVE-2024-52316Nov 18, 2024risk 0.00cvss —epss 0.06
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to…
- CVE-2024-43435Nov 11, 2024risk 0.00cvss —epss 0.00
A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary.
- CVE-2024-43044Aug 7, 2024risk 0.00cvss —epss 0.29
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.
- CVE-2024-39832Aug 1, 2024risk 0.00cvss —epss 0.00
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled.
- CVE-2024-36128Jun 3, 2024risk 0.00cvss —epss 0.01
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This…
- CVE-2024-4182Apr 26, 2024risk 0.00cvss —epss 0.01
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.