VYPR

CWE-841

Improper Enforcement of Behavioral Workflow

Abstraction: Class · Status: Incomplete

Description

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
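As an added worked example (not part of the CWE entry or of any product listed below), the following code models a digital-goods checkout whose handlers can be called in any order, beside a version that enforces the required sequence with an explicit server-side state machine. The shop classes, SKUs and the payment callback are hypothetical; the point they illustrate is that a per-step flag check ("was something paid?") is not the same as enforcing the workflow ("was this basket paid, and is delivery the step that follows?").

```python
from enum import Enum, auto


class WorkflowError(Exception):
    """Raised when a step is requested outside the required order."""


class VulnerableShop:
    """Each handler checks a loose precondition; nothing tracks the sequence.

    'paid' is set by a payment callback and never cleared, so one real
    payment unlocks downloads for every basket that follows (the pattern
    behind 'download without valid payment' and 'payment status not reset').
    """

    def __init__(self):
        self.basket = []
        self.paid = False
        self.delivered = []

    def add_item(self, sku):
        self.basket.append(sku)

    def payment_callback(self, ok):
        if ok:
            self.paid = True          # never tied to a specific basket

    def download(self, sku):
        if not self.paid:             # flag check only, not sequence check
            raise WorkflowError("payment required")
        self.delivered.append(sku)
        return f"content-of-{sku}"

    def start_new_basket(self):
        self.basket = []              # 'paid' survives the restart


class Step(Enum):
    CART = auto()
    PAID = auto()
    DELIVERED = auto()


# The only legal transitions; anything else is refused.
TRANSITIONS = {
    Step.CART: {Step.PAID},
    Step.PAID: {Step.DELIVERED, Step.CART},
    Step.DELIVERED: {Step.CART},
}


class HardenedShop:
    """Same workflow with the order of steps enforced server-side.

    Every handler first asserts the state it requires, the transition table
    forbids skipping ahead, and restarting the workflow returns to CART so a
    previous payment cannot be reused for a new basket.
    """

    def __init__(self):
        self.state = Step.CART
        self.basket = []
        self.delivered = []

    def _require(self, *states):
        if self.state not in states:
            raise WorkflowError(f"step not allowed in state {self.state.name}")

    def _move(self, new_state):
        if new_state not in TRANSITIONS[self.state]:
            raise WorkflowError(f"illegal transition {self.state.name}->{new_state.name}")
        self.state = new_state

    def add_item(self, sku):
        self._require(Step.CART)
        self.basket.append(sku)

    def payment_callback(self, ok):
        self._require(Step.CART)      # a second callback cannot re-arm PAID
        if not self.basket or not ok:
            raise WorkflowError("payment not accepted")
        self._move(Step.PAID)

    def download(self, sku):
        self._require(Step.PAID, Step.DELIVERED)
        if sku not in self.basket:    # payment covered this basket only
            raise WorkflowError("item was not part of the paid basket")
        self.delivered.append(sku)
        if self.state is Step.PAID:
            self._move(Step.DELIVERED)
        return f"content-of-{sku}"

    def start_new_basket(self):
        if self.state is not Step.CART:
            self._move(Step.CART)     # restart clears the paid state
        self.basket = []


def skip_payment(shop):
    """Attempt 1: jump straight from cart to download."""
    shop.add_item("ebook-1")
    try:
        shop.download("ebook-1")
        return True                   # workflow bypassed
    except WorkflowError:
        return False


def reuse_payment(shop):
    """Attempt 2: pay once, then download from a new, unpaid basket."""
    shop.add_item("ebook-1")
    shop.payment_callback(True)
    shop.download("ebook-1")          # legitimate purchase
    shop.start_new_basket()
    shop.add_item("ebook-2")
    try:
        shop.download("ebook-2")
        return True                   # workflow bypassed
    except WorkflowError:
        return False


if __name__ == "__main__":
    for cls in (VulnerableShop, HardenedShop):
        print(cls.__name__, "skip:", skip_payment(cls()), "reuse:", reuse_payment(cls()))
```

The vulnerable shop refuses the naive skip (its flag check works) but lets the second attempt through, which is why a single precondition per handler is not evidence that the workflow is enforced. The hardened version refuses both because the state is owned by the server, advanced only through the transition table, and reset when the workflow restarts.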

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (22)

page 1 of 2
  • CVE-2026-34582 · Critical · Apr 7, 2026
    risk 0.52 · CVSS 9.1 · EPSS 0.00

    Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed…

  • CVE-2026-43974 · High · Jun 8, 2026
    risk 0.50 · CVSS n/a · EPSS 0.00

    Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response. In gun_http:handle_inform/8, when a 101 Switching Protocols…

  • CVE-2026-43937 · High · May 12, 2026
    risk 0.50 · CVSS 8.8 · EPSS 0.00

    YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor…

  • CVE-2026-30574 · High · Mar 27, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to…

  • CVE-2023-5921 · High · Nov 22, 2023
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Improper Enforcement of Behavioral Workflow vulnerability in DECE Software Geodi allows Functionality Bypass. This issue affects Geodi: before 8.0.0.27396.

  • CVE-2026-41259 · High · Apr 23, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that…

  • CVE-2026-42246 · High · May 9, 2026
    risk 0.41 · CVSS 7.4 · EPSS 0.00

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched…

  • CVE-2024-13065 · Medium · Sep 3, 2025
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    Improper Enforcement of Behavioral Workflow, Uncontrolled Resource Consumption vulnerability in Akinsoft MyRezzta allows Input Data Manipulation, CAPEC - 125 - Flooding. This issue affects MyRezzta: from s2.02.02 before v2.05.01.

  • CVE-2024-12543 · Medium · Apr 21, 2025
    risk 0.38 · CVSS n/a · EPSS 0.00

    User Enumeration and Data Integrity in Barcode functionality in OpenText Content Management versions 24.3-25.1 on Windows and Linux allows a malicious authenticated attacker to potentially alter barcode attributes.

  • CVE-2024-44128 · Medium · Sep 17, 2024
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7, macOS Ventura 13.7. An Automator Quick Action workflow may be able to bypass Gatekeeper.

  • CVE-2026-46540 · Medium · Jun 10, 2026
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, when LightBlockchain::rebranch() adopts a fork chain whose tip is a macro block (checkpoint or election), it only updates self.head but fails…

  • CVE-2026-45023 · Medium · May 28, 2026
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit…

  • CVE-2025-58051 · Medium · Oct 16, 2025
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and…

  • CVE-2026-42303 · Medium · May 12, 2026
    risk 0.33 · CVSS n/a · EPSS 0.00

    Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request…

  • CVE-2025-13129 · Medium · Dec 1, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Improper Enforcement of Behavioral Workflow vulnerability in Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co. Onaylarım allows Functionality Misuse. This issue affects Onaylarım: from 25.09.26.01 through 18112025.

  • CVE-2025-13239 · Medium · Nov 16, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A security vulnerability has been detected in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution 5. Affected by this issue is some unknown functionality of the file /submit_checkout. Such manipulation of the argument order_total_amount/cart_total_amount leads…

  • CVE-2024-37296 · Medium · Jun 11, 2024
    risk 0.27 · CVSS 5.3 · EPSS 0.01

    The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g.…

  • CVE-2026-8477 · Low · May 22, 2026
    risk 0.18 · CVSS 2.7 · EPSS 0.00

    Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API…

  • CVE-2025-48376 · May 23, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a malicious SuperUser (Host) could craft a request to use an external URL for a site export to then be imported. Version 9.13.9 fixes the issue.

  • CVE-2024-39325 · Jul 2, 2024
    risk 0.00 · CVSS n/a · EPSS 0.00

    aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn't reset the payment status of a user's basket after the user completes a purchase. Versions…