CWE-1287
AllowedImproper Validation of Specified Type of Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
259 vulnerabilities reference this CWE, most recent first.
GHSA-F2H8-4W6P-535W
Vulnerability from github – Published: 2025-01-06 15:31 – Updated: 2025-11-03 21:32OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins.
{
"affected": [],
"aliases": [
"CVE-2024-5594"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-06T14:15:08Z",
"severity": "CRITICAL"
},
"details": "OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins.",
"id": "GHSA-f2h8-4w6p-535w",
"modified": "2025-11-03T21:32:03Z",
"published": "2025-01-06T15:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5594"
},
{
"type": "WEB",
"url": "https://community.openvpn.net/openvpn/wiki/CVE-2024-5594"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00005.html"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F3VJ-J2M6-8HFJ
Vulnerability from github – Published: 2026-02-12 15:32 – Updated: 2026-02-12 15:32Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
{
"affected": [],
"aliases": [
"CVE-2026-2003"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T14:16:02Z",
"severity": "MODERATE"
},
"details": "Improper validation of type \"oidvector\" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.",
"id": "GHSA-f3vj-j2m6-8hfj",
"modified": "2026-02-12T15:32:48Z",
"published": "2026-02-12T15:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2003"
},
{
"type": "WEB",
"url": "https://www.postgresql.org/support/security/CVE-2026-2003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F54H-78C9-C24H
Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 21:11For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-7887"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T21:11:57Z",
"nvd_published_at": "2026-05-21T22:16:49Z",
"severity": "LOW"
},
"details": "For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A\u00a0user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens.\u00a0",
"id": "GHSA-f54h-78c9-c24h",
"modified": "2026-06-24T21:11:57Z",
"published": "2026-05-22T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7887"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS: OAuth 2.0 Authorization-Code Handler Bypasses Account Status"
}
GHSA-F6MQ-5M25-4R72
Vulnerability from github – Published: 2021-06-15 16:08 – Updated: 2024-09-17 15:38Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.mongodb.org/mongo-driver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-20329"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-14T19:11:50Z",
"nvd_published_at": "2021-06-10T17:15:00Z",
"severity": "MODERATE"
},
"details": "Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.",
"id": "GHSA-f6mq-5m25-4r72",
"modified": "2024-09-17T15:38:07Z",
"published": "2021-06-15T16:08:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20329"
},
{
"type": "WEB",
"url": "https://github.com/mongodb/mongo-go-driver/pull/622"
},
{
"type": "WEB",
"url": "https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/mongodb/mongo-go-driver"
},
{
"type": "WEB",
"url": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/GODRIVER-1923"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "go.mongodb.org/mongo-driver improperly validates cstrings when marshalling Go objects into BSON"
}
GHSA-F6RP-FG8W-F27C
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-59277"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:16:09Z",
"severity": "HIGH"
},
"details": "Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-f6rp-fg8w-f27c",
"modified": "2025-10-14T18:30:36Z",
"published": "2025-10-14T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59277"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59277"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F6XW-XQHC-GWG3
Vulnerability from github – Published: 2025-04-08 06:30 – Updated: 2025-04-08 06:3051l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device.
{
"affected": [],
"aliases": [
"CVE-2024-47261"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T06:15:43Z",
"severity": "MODERATE"
},
"details": "51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device.",
"id": "GHSA-f6xw-xqhc-gwg3",
"modified": "2025-04-08T06:30:40Z",
"published": "2025-04-08T06:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47261"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/18/c5/b2/cve-2024-47261pdf-en-US-474505.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FH66-FCV5-JJFR
Vulnerability from github – Published: 2025-10-08 17:51 – Updated: 2025-10-08 17:51Impact
Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers.
Patches
Patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2.
Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, it is recommend to skip these releases and upgrading straight to 1.138.4 and 1.139.2.
Workarounds
The vulnerability can only be exploited by users registered on the victim homeserver.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "matrix-synapse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.138.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "matrix-synapse"
},
"ranges": [
{
"events": [
{
"introduced": "1.139.0rc2"
},
{
"fixed": "1.139.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61672"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-08T17:51:02Z",
"nvd_published_at": "2025-10-08T15:16:25Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nLack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. \n\n### Patches\n\nPatched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2.\n\nNote that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, it is recommend to skip these releases and upgrading straight to 1.138.4 and 1.139.2.\n\n### Workarounds\n\nThe vulnerability can only be exploited by users registered on the victim homeserver.",
"id": "GHSA-fh66-fcv5-jjfr",
"modified": "2025-10-08T17:51:02Z",
"published": "2025-10-08T17:51:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61672"
},
{
"type": "WEB",
"url": "https://github.com/element-hq/synapse/pull/17097"
},
{
"type": "WEB",
"url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1"
},
{
"type": "WEB",
"url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740"
},
{
"type": "PACKAGE",
"url": "https://github.com/element-hq/synapse"
},
{
"type": "WEB",
"url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3"
},
{
"type": "WEB",
"url": "https://github.com/element-hq/synapse/releases/tag/v1.138.4"
},
{
"type": "WEB",
"url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1"
},
{
"type": "WEB",
"url": "https://github.com/element-hq/synapse/releases/tag/v1.139.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Synapse\u0027s invalid device keys degrade federation functionality"
}
GHSA-FPRQ-VH7M-8QFM
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Improper validation of specified type of input in Microsoft Windows allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-55701"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:52Z",
"severity": "HIGH"
},
"details": "Improper validation of specified type of input in Microsoft Windows allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-fprq-vh7m-8qfm",
"modified": "2025-10-14T18:30:32Z",
"published": "2025-10-14T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55701"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55701"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQ5R-22JJ-7J7Q
Vulnerability from github – Published: 2025-02-05 00:31 – Updated: 2025-02-05 00:31Improper Validation of Specified Type of Input vulnerability in OpenText™ Content Management (Extended ECM) allows Parameter Injection.
A bad actor with the required OpenText Content Management privileges (not root) could expose the vulnerability to carry out a remote code execution attack on the target system.
This issue affects Content Management (Extended ECM): from 10.0 through 24.4
with WebReports module installed and enabled.
{
"affected": [],
"aliases": [
"CVE-2024-8125"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-04T22:15:41Z",
"severity": "MODERATE"
},
"details": "Improper Validation of Specified Type of Input vulnerability in OpenText\u2122 Content Management (Extended ECM) allows Parameter Injection.\u00a0\n\nA bad actor with the required OpenText Content Management privileges (not root) could expose\nthe vulnerability to carry out a remote code execution attack on the target system.\n\nThis issue affects Content Management (Extended ECM): from 10.0 through 24.4\u00a0\n\n with WebReports module\ninstalled and enabled.",
"id": "GHSA-fq5r-22jj-7j7q",
"modified": "2025-02-05T00:31:13Z",
"published": "2025-02-05T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8125"
},
{
"type": "WEB",
"url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated\u0026sysparm_article=KB0834058"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:C/RE:H/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-FRC9-G2R4-48W5
Vulnerability from github – Published: 2023-06-22 21:30 – Updated: 2024-10-17 15:31A URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain.
{
"affected": [],
"aliases": [
"CVE-2023-28799"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-20",
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-22T20:15:09Z",
"severity": "MODERATE"
},
"details": "\nA URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain.\u00a0",
"id": "GHSA-frc9-g2r4-48w5",
"modified": "2024-10-17T15:31:06Z",
"published": "2023-06-22T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28799"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux\u0026applicable_version=1.4\u0026deployment_date=2022-10-31\u0026id=1420246"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Android\u0026applicable_version=1.10.2\u0026deployment_date=2023-03-09\u0026id=1447706"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Chrome%20OS\u0026applicable_version=1.10.1\u0026deployment_date=2023-03-10\u0026id=1447771"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=iOS\u0026applicable_version=1.9.3\u0026deployment_date=2023-03-03\u0026id=1447071"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macOS\u0026applicable_version=3.9\u0026deployment_date=2023-01-25\u0026id=1443546"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2021?applicable_category=Windows\u0026applicable_version=3.7\u0026deployment_date=2021-11-26\u0026id=1386541"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.