CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely.
All Improper Input Validation CVEs (1,511)
Feb 22, 2024: CVE-2024-26151 is an input validation vulnerability in the mjml PyPI package that allows cross-site scripting (XSS) attacks when untrusted data is ins...
Feb 19, 2024: This vulnerability in Zephyr RTOS Bluetooth stack allows unauthorized read/write access to Bluetooth characteristics that should require LE Secure Con...
Nov 14, 2023: This vulnerability in Intel Server Board BIOS firmware allows a privileged user with local access to potentially escalate privileges through improper ...
Nov 14, 2023: This vulnerability allows a privileged user with local access to potentially escalate privileges through improper input validation in Intel Server boa...
Aug 11, 2023: This vulnerability in Intel NUC BIOS firmware allows a privileged user with local access to potentially escalate privileges through improper input val...
Aug 11, 2023: This vulnerability allows a privileged user with local access to Intel NUC Rugged Kits, NUC Kits, and Compute Elements to potentially escalate privile...
Jul 25, 2023: This vulnerability in Envoy proxy allows attackers to bypass security controls by using mixed-case HTTP/HTTPS schemes (like 'htTp' or 'htTps') in HTTP...
May 4, 2023: This vulnerability allows local attackers to execute arbitrary code on Samsung mobile point-of-sale (mPOS) devices due to improper input validation in...
Apr 4, 2023: Envoy proxy versions before 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 allow attackers to bypass JWT authentication by forging the x-envoy-original-pa...
Apr 13, 2022: CVE-2022-24818 is a JNDI injection vulnerability in GeoTools that allows remote code execution when user-controlled JNDI strings are processed. Simila...
Feb 17, 2022: This vulnerability in snapd allows malicious snaps to bypass strict confinement by injecting arbitrary AppArmor policy rules through malformed content...
Jan 28, 2022: This CVE describes a memory corruption vulnerability in Reolink RLC-410W IP cameras that allows attackers to execute arbitrary code via specially craf...
Feb 24, 2021: Apache XmlGraphics Commons versions 2.4 and earlier contain a server-side request forgery (SSRF) vulnerability in the XMPParser component. Attackers c...
Feb 25, 2026: This vulnerability in RustFS allows attackers to bypass upload policy restrictions in presigned POST uploads, enabling unauthorized file uploads that ...
Jan 13, 2026: This vulnerability allows an unauthorized attacker to execute arbitrary code on Windows Server Update Service (WSUS) servers by sending specially craf...
Nov 29, 2025: This Server-side Request Forgery (SSRF) vulnerability in LibreChat allows authenticated users to craft malicious OpenAPI specifications that trick the...
Nov 25, 2025: HCL iNotes has a reflected cross-site scripting vulnerability that allows attackers to execute malicious scripts in users' browsers by tricking them i...
Nov 21, 2025: CVE-2025-65946 is a command injection vulnerability in Roo Code AI coding agent versions before 3.26.7. Due to improper validation, Roo could automati...
Nov 19, 2025: This stored XSS vulnerability in Homarr allows attackers to execute arbitrary JavaScript in users' browsers by uploading a malicious SVG file, potenti...
Oct 14, 2025: This vulnerability in the Microsoft JDBC Driver for SQL Server allows attackers to perform spoofing attacks by sending specially crafted input over a ...
Jul 22, 2025: The WP JobHunt WordPress plugin has an Insecure Direct Object Reference vulnerability that allows authenticated attackers with Subscriber-level access...
Mar 5, 2025: This CVE describes a PHP object injection vulnerability in the WooCommerce Recover Abandoned Cart WordPress plugin. Unauthenticated attackers can expl...
Dec 12, 2024: This vulnerability allows attackers to spoof Microsoft Defender for Endpoint on Android, potentially tricking users into believing malicious apps are ...
Aug 28, 2024: This vulnerability allows authenticated users with minimal viewing privileges in i-Educar school management software to escalate their privileges to A...
Aug 12, 2024: This vulnerability in Apache DolphinScheduler allows authenticated users to read and write files they shouldn't have access to, potentially exposing s...
Jul 23, 2024: The EvilVideo vulnerability in Telegram for Android allows attackers to send malicious applications disguised as video files. When users open these fi...
Jul 18, 2024: This vulnerability in netty incubator codec.bhttp allows attackers to manipulate binary HTTP parsing to perform injection attacks. Attackers can achie...
Apr 9, 2024: This vulnerability allows attackers to spoof email sender information in Outlook for Windows, making malicious emails appear to come from trusted sour...
Apr 2, 2024: CVE-2024-28226 is an improper input validation vulnerability in OpenHarmony that allows remote attackers to cause denial of service (DoS) by sending s...
Mar 18, 2024: ZITADEL authentication management software versions before 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a cross-site scripting...
Oct 4, 2023: This vulnerability in Hydra (Cardano's scalability solution) allows a malicious head initializer to steal participant tokens (PTs) during protocol ini...
Oct 4, 2023: This vulnerability in Hydra (Cardano's layer-2 solution) allows malicious participants to manipulate the contestation deadline during head closure. At...
Sep 27, 2023: This path traversal vulnerability in OpenCart allows authenticated users with Log component modify privileges to delete arbitrary files on the server....
Aug 8, 2023: This vulnerability in Visual Studio Tools for Office Runtime allows attackers to spoof file paths, potentially tricking users into opening malicious f...
Aug 7, 2023: CVE-2023-38704 is a remote code execution vulnerability in import-in-the-middle, a module loading interceptor for ESM modules. It allows attackers to ...
Jun 6, 2023: This CVE describes a command injection vulnerability in the 'Release PR Merged' GitHub Actions workflow of the taosdata/grafanaplugin repository. Atta...
Apr 26, 2023: CLTPHP versions up to 6.0 contain an improper input validation vulnerability in the Template.php controller that allows attackers to execute arbitrary...
Apr 10, 2023: CVE-2023-26067 is an input validation vulnerability in Lexmark device embedded web servers that allows remote code execution. Attackers can exploit th...
Apr 4, 2023: Envoy proxy versions before 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 fail to properly sanitize request properties when generating headers, allowing ...
Feb 14, 2023: This vulnerability in Splunk Enterprise allows higher-privileged users to bypass SPL safeguards for risky commands via the 'map' search command. It af...
Jul 12, 2022: CVE-2022-2385 is a privilege escalation vulnerability in aws-iam-authenticator where allow-listed IAM identities can modify their usernames to gain un...
Feb 25, 2022: CVE-2021-26617 is an input validation vulnerability in Firstmall that allows remote attackers to execute arbitrary code via the navercheckout_add func...
Feb 18, 2022: CVE-2020-25717 is a privilege escalation vulnerability in Samba's domain user mapping mechanism. Authenticated attackers can exploit this flaw to gain...
Feb 9, 2022: This vulnerability in Intel PROSet/Wireless WiFi and Killer WiFi drivers allows unauthenticated attackers on the same network to potentially cause den...
Feb 7, 2022: CVE-2022-23623 is an input validation vulnerability in the Frourio TypeScript framework where validators fail to properly validate request bodies and ...
Nov 30, 2021: CVE-2021-26612 is an improper input validation vulnerability in Nexacro platform's copy method that allows remote attackers to create arbitrary files ...
Nov 17, 2021: This vulnerability in Intel PROSet/Wireless WiFi and Killer WiFi software for Windows 10 allows unauthenticated attackers on the same network to poten...
Oct 26, 2021: CVE-2021-26607 is an improper input validation vulnerability in the execDefaultBrowser method of NEXACRO17 that allows remote attackers to execute arb...
Aug 12, 2021: This vulnerability allows remote attackers to execute arbitrary operating system commands on MONITORAPP Application Insight Web Application Firewall (...
Feb 10, 2026: This vulnerability allows an authorized attacker to exploit improper input validation in Power BI to execute arbitrary code remotely over a network. O...
About Improper Input Validation (CWE-20)
Our database tracks 1,511 CVEs classified as CWE-20, with 263 rated critical and 922 rated high severity. The average CVSS score for Improper Input Validation vulnerabilities is 7.7.
External reference: View CWE-20 on MITRE CWE →