CWE-837
Improper Enforcement of a Single, Unique Action
Description
The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42609 | — | High | 0.46 | 8.1 | 0.00 | — | May 11, 2026 | Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a… |
| CVE-2024-11717 | — | Med | 0.41 | — | 0.01 | — | Jan 2, 2025 | Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means that during the token expiration time an on-path attacker might… |
| CVE-2025-54315 | — | High | 0.39 | 7.1 | 0.00 | — | Oct 2, 2025 | The Matrix specification before 1.16 (i.e., with a room version before 12) lacks create event uniqueness. |
| CVE-2024-11716 | — | Med | 0.35 | — | 0.12 | — | Jan 2, 2025 | While assignment of a user to a team (bracket) in CTFd should be possible only once, at registration, a flaw in the logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing.… |
| CVE-2024-12123 | — | Med | 0.34 | — | 0.00 | — | Dec 4, 2024 | A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. When an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy. The ticket requester… |
| CVE-2026-44601 | — | Low | 0.24 | 3.7 | 0.00 | — | May 7, 2026 | Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009. |
| CVE-2025-62784 | — | — | 0.00 | — | 0.00 | — | Oct 27, 2025 | InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions before 1.6.5 contain a vulnerability where any plugin using a GUI with the GuiStorageElement that allows taking items out of that element can allow item duplication when the experimental… |
| CVE-2025-62783 | — | — | 0.00 | — | 0.00 | — | Oct 27, 2025 | InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.1-SNAPSHOT and earlier contain a vulnerability where any plugin using the GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server.… |
| CVE-2025-62782 | — | — | 0.00 | — | 0.00 | — | Oct 27, 2025 | InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.3-SNAPSHOT and earlier contain a vulnerability where GUIs using GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The… |
| CVE-2024-4629 | — | — | 0.00 | — | 0.01 | — | Sep 3, 2024 | A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system… |