CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely.
All Improper Input Validation CVEs (1,686)
Adobe InDesign has an improper input validation vulnerability that allows attackers to cause denial-of-service by crashing the application. Users must... (Feb 11, 2025)
This vulnerability in Windows Virtual Trusted Platform Module allows attackers to cause a denial of service by sending specially crafted requests. It ... (Jan 14, 2025)
This vulnerability allows attackers to bypass access permission checks in the camera driver module, potentially causing denial of service. It affects ... (Sep 4, 2024)
This CVE describes an access permission verification vulnerability in Huawei's WMS module that could allow unauthorized access to sensitive informatio... (Sep 4, 2024)
A local attacker with CLI access can crash the 802.1X authentication daemon on vulnerable Juniper Junos OS devices by running a specific operational c... (Jul 10, 2024)
A local privilege escalation vulnerability in Juniper Junos OS Evolved allows low-privileged users to crash the Packet Forwarding Engine by running a ... (Jul 10, 2024)
This CVE describes an environment variable validation vulnerability in Apple operating systems that could allow malicious applications to access sensi... (Jun 10, 2024)
CVE-2026-26952 is a stored HTML injection vulnerability in Pi-hole Admin Interface versions 6.4 and below. Authenticated administrators can inject mal... (Feb 19, 2026)
Group-Office versions 6.8.148 and below, and 25.0.1 through 25.0.79 have a stored XSS vulnerability where unsanitized filenames are stored in the data... (Jan 22, 2026)
This vulnerability allows remote attackers to bypass Chrome's dangerous file type protections on Windows systems. Attackers can trick users into downl... (Jan 20, 2026)
A type confusion vulnerability in iccDEV's CIccTag::IsTypeCompressed() function allows attackers to potentially execute arbitrary code or cause denial... (Jan 7, 2026)
This CVE describes an XML validation vulnerability in unspecified products that could allow cross-site scripting (XSS) attacks. Attackers could inject... (Dec 26, 2025)
This TLS 1.2 vulnerability allows clients to use weaker cryptographic digests during certificate authentication than what the server requested, potent... (Nov 22, 2025)
This vulnerability allows attackers to spoof domains in Chrome for Android downloads by tricking users with malicious HTML pages. It affects Android u... (Nov 8, 2025)
This CVE describes an improper input validation vulnerability in the Mediawiki Growth Experiments extension that allows cross-site scripting (XSS) att... (Apr 11, 2025)
This CVE describes a cross-site scripting (XSS) vulnerability in the Mediawiki Wikibase Media Info Extension caused by improper input validation. Atta... (Apr 11, 2025)
This CVE describes an improper input validation vulnerability in the MediaWiki Wikidata Extension that allows cross-site scripting (XSS) attacks. Atta... (Apr 11, 2025)
This CVE describes an improper input validation vulnerability in MediaWiki's HTML Tags extension that allows cross-site scripting (XSS) attacks. Attac... (Apr 11, 2025)
Dell OpenManage Server Administrator (OMSA) versions 11.0.1.0 and prior contain an improper input validation vulnerability that allows remote low-priv... (Dec 9, 2024)
This vulnerability allows attackers to inject HTML content into the password reset page via URL parameters. This affects all users accessing the vulne... (Jul 25, 2024)
This vulnerability in Ruby on Rails Action Pack causes the Permissions-Policy HTTP header to be omitted from non-HTML responses, potentially allowing ... (Jun 4, 2024)
Remote attackers can inject control characters into the ueId parameter of free5gc UDM's Nudm_UECM service, causing URL parsing errors that expose syst... (Feb 24, 2026)
Improper input validation in the Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory. This vulner... (Jan 27, 2026)
A denial-of-service vulnerability in Swift W3C TraceContext and Swift OTel allows remote attackers to crash services by sending malformed HTTP headers... (Jan 19, 2026)
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML injection, allowing unauthenticated attackers to inject arbitrary HTML into wis... (Dec 13, 2025)
CVE-2025-66400 is a vulnerability in mdast-util-to-hast versions 13.0.0 through 13.2.0 that allows attackers to inject multiple unprefixed classnames ... (Dec 1, 2025)
A denial-of-service vulnerability in wolfSSL v5.8.2 allows remote attackers to crash TLS 1.3 connections by sending malicious ClientHello messages wit... (Nov 21, 2025)
This vulnerability allows unauthenticated attackers to send appointment notification emails with attacker-controlled content through the WordPress Boo... (Nov 19, 2025)
This vulnerability in Mintty terminal emulator allows attackers to force the application to access arbitrary network paths via malicious escape sequen... (Nov 12, 2025)
ThinkDashboard versions 0.6.7 and below contain an arbitrary file upload vulnerability in the backup import feature. Attackers can bypass client-side ... (Nov 6, 2025)
An input validation flaw in the 'ate' service of Tenda AC10 routers allows unauthenticated attackers to send crafted UDP packets to escalate privilege... (Aug 28, 2025)
This vulnerability allows attackers to bypass JDBC URL validation in Apache Zeppelin by using URL-encoded input, potentially enabling unauthorized dat... (Aug 3, 2025)
The WoodMart WordPress theme has an input validation vulnerability that allows unauthenticated attackers to manipulate shopping cart quantities using ... (Jul 26, 2025)
This vulnerability in HumanSignal label-studio-ml-backend allows local attackers to execute arbitrary code through unsafe deserialization in the PT fi... (May 26, 2025)
This vulnerability allows local attackers to execute arbitrary code through unsafe deserialization in the load_qc_pickl function of basestation3's QC.... (May 19, 2025)
This vulnerability in VITA-MLLM Freeze-Omni allows arbitrary code execution through unsafe deserialization in the torch.load function. Attackers can e... (May 15, 2025)
This vulnerability allows attackers to create malicious OOXML files (like Excel, Word, or PowerPoint documents) with duplicate zip entries that can ca... (Apr 9, 2025)
This vulnerability allows local attackers to execute arbitrary code through unsafe deserialization in the thu-pacman chitu package. Attackers can expl... (Apr 3, 2025)
The Post Grid and Gutenberg Blocks – ComboBlocks WordPress plugin has an input validation vulnerability that allows unauthenticated attackers to cre... (Feb 22, 2025)
This vulnerability involves improper input validation in UEFI firmware for certain Intel processors, allowing a privileged user with local access to p... (Feb 12, 2025)
This vulnerability in Misskey allows attackers to manipulate 'origin' links in notes and user profiles to point to arbitrary HTTPS URLs, even on diffe... (Dec 18, 2024)
Synapse versions before 1.120.1 fail to properly validate invites received over federation, allowing a malicious server to send specially crafted invi... (Dec 3, 2024)
This vulnerability allows untrusted users to inject Contao insert tags into canonical URL tags, which are then processed and rendered on the front-end... (Sep 17, 2024)
A segmentation fault vulnerability in Samsung's Escargot JavaScript engine allows remote attackers to cause denial of service through specially crafte... (May 14, 2024)
This vulnerability in O-RAN Near-RT RIC's appmgr allows attackers to register unintended RMR message types during xApp registration, potentially disru... (May 4, 2024)
This Windows Kernel vulnerability allows local attackers to read sensitive kernel memory due to improper input validation. It affects Windows systems ... (Oct 14, 2025)
TinyEnv versions 1.0.9-1.0.10 fail to properly strip inline comments from .env file values, causing environment variables to contain unintended charac... (Sep 9, 2025)
This vulnerability in Android's BroadcastController allows malicious apps to intercept system broadcasts intended only for the Android framework due t... (Sep 4, 2025)
Emerson ValveLink products contain an input validation vulnerability (CWE-20) that could allow attackers to send malformed data to the system. This af... (Jul 11, 2025)
A deserialization vulnerability in JeecgBoot 3.9.1 allows remote attackers to execute arbitrary code by manipulating the importDocumentFromZip functio... (Feb 16, 2026)
About Improper Input Validation (CWE-20)
Our database tracks 1,686 CVEs classified as CWE-20, with 341 rated critical and 1,020 rated high severity. The average CVSS score for Improper Input Validation vulnerabilities is 7.8.