Common Weakness Enumeration

CWE-1287

Allowed

Improper Validation of Specified Type of Input

Abstraction: Base · Status: Incomplete

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

259 vulnerabilities reference this CWE, most recent first.

GHSA-F2H8-4W6P-535W

Vulnerability from github – Published: 2025-01-06 15:31 – Updated: 2025-11-03 21:32
VLAI
Details

OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-06T14:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins.",
  "id": "GHSA-f2h8-4w6p-535w",
  "modified": "2025-11-03T21:32:03Z",
  "published": "2025-01-06T15:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5594"
    },
    {
      "type": "WEB",
      "url": "https://community.openvpn.net/openvpn/wiki/CVE-2024-5594"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3VJ-J2M6-8HFJ

Vulnerability from github – Published: 2026-02-12 15:32 – Updated: 2026-02-12 15:32
VLAI
Details

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T14:16:02Z",
    "severity": "MODERATE"
  },
  "details": "Improper validation of type \"oidvector\" in PostgreSQL allows a database user to disclose a few bytes of server memory.  We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely.  Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.",
  "id": "GHSA-f3vj-j2m6-8hfj",
  "modified": "2026-02-12T15:32:48Z",
  "published": "2026-02-12T15:32:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2003"
    },
    {
      "type": "WEB",
      "url": "https://www.postgresql.org/support/security/CVE-2026-2003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F54H-78C9-C24H

Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 21:11
VLAI
Summary
Concrete CMS: OAuth 2.0 Authorization-Code Handler Bypasses Account Status
Details

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. 

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-7887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-24T21:11:57Z",
    "nvd_published_at": "2026-05-21T22:16:49Z",
    "severity": "LOW"
  },
  "details": "For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A\u00a0user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens.\u00a0",
  "id": "GHSA-f54h-78c9-c24h",
  "modified": "2026-06-24T21:11:57Z",
  "published": "2026-05-22T00:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7887"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concretecms/concretecms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Concrete CMS: OAuth 2.0 Authorization-Code Handler Bypasses Account Status"
}

GHSA-F6MQ-5M25-4R72

Vulnerability from github – Published: 2021-06-15 16:08 – Updated: 2024-09-17 15:38
VLAI
Summary
go.mongodb.org/mongo-driver improperly validates cstrings when marshalling Go objects into BSON
Details

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.mongodb.org/mongo-driver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-20329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-14T19:11:50Z",
    "nvd_published_at": "2021-06-10T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.",
  "id": "GHSA-f6mq-5m25-4r72",
  "modified": "2024-09-17T15:38:07Z",
  "published": "2021-06-15T16:08:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20329"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-go-driver/pull/622"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mongodb/mongo-go-driver"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/GODRIVER-1923"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "go.mongodb.org/mongo-driver improperly validates cstrings when marshalling Go objects into BSON"
}

GHSA-F6RP-FG8W-F27C

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:16:09Z",
    "severity": "HIGH"
  },
  "details": "Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-f6rp-fg8w-f27c",
  "modified": "2025-10-14T18:30:36Z",
  "published": "2025-10-14T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59277"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59277"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F6XW-XQHC-GWG3

Vulnerability from github – Published: 2025-04-08 06:30 – Updated: 2025-04-08 06:30
VLAI
Details

51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T06:15:43Z",
    "severity": "MODERATE"
  },
  "details": "51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device.",
  "id": "GHSA-f6xw-xqhc-gwg3",
  "modified": "2025-04-08T06:30:40Z",
  "published": "2025-04-08T06:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47261"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/18/c5/b2/cve-2024-47261pdf-en-US-474505.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FH66-FCV5-JJFR

Vulnerability from github – Published: 2025-10-08 17:51 – Updated: 2025-10-08 17:51
VLAI
Summary
Synapse's invalid device keys degrade federation functionality
Details

Impact

Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers.

Patches

Patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2.

Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, it is recommend to skip these releases and upgrading straight to 1.138.4 and 1.139.2.

Workarounds

The vulnerability can only be exploited by users registered on the victim homeserver.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.138.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.139.0rc2"
            },
            {
              "fixed": "1.139.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-08T17:51:02Z",
    "nvd_published_at": "2025-10-08T15:16:25Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nLack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. \n\n### Patches\n\nPatched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2.\n\nNote that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, it is recommend to skip these releases and upgrading straight to 1.138.4 and 1.139.2.\n\n### Workarounds\n\nThe vulnerability can only be exploited by users registered on the victim homeserver.",
  "id": "GHSA-fh66-fcv5-jjfr",
  "modified": "2025-10-08T17:51:02Z",
  "published": "2025-10-08T17:51:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61672"
    },
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/pull/17097"
    },
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/element-hq/synapse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/releases/tag/v1.138.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/releases/tag/v1.139.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Synapse\u0027s invalid device keys degrade federation functionality"
}

GHSA-FPRQ-VH7M-8QFM

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Improper validation of specified type of input in Microsoft Windows allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:52Z",
    "severity": "HIGH"
  },
  "details": "Improper validation of specified type of input in Microsoft Windows allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-fprq-vh7m-8qfm",
  "modified": "2025-10-14T18:30:32Z",
  "published": "2025-10-14T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55701"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55701"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ5R-22JJ-7J7Q

Vulnerability from github – Published: 2025-02-05 00:31 – Updated: 2025-02-05 00:31
VLAI
Details

Improper Validation of Specified Type of Input vulnerability in OpenText™ Content Management (Extended ECM) allows Parameter Injection. 

A bad actor with the required OpenText Content Management privileges (not root) could expose the vulnerability to carry out a remote code execution attack on the target system.

This issue affects Content Management (Extended ECM): from 10.0 through 24.4 

with WebReports module installed and enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-04T22:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Improper Validation of Specified Type of Input vulnerability in OpenText\u2122 Content Management (Extended ECM) allows Parameter Injection.\u00a0\n\nA bad actor with the required OpenText Content Management privileges (not root) could expose\nthe vulnerability to carry out a remote code execution attack on the target system.\n\nThis issue affects Content Management (Extended ECM): from 10.0 through 24.4\u00a0\n\n with WebReports module\ninstalled and enabled.",
  "id": "GHSA-fq5r-22jj-7j7q",
  "modified": "2025-02-05T00:31:13Z",
  "published": "2025-02-05T00:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8125"
    },
    {
      "type": "WEB",
      "url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated\u0026sysparm_article=KB0834058"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:C/RE:H/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FRC9-G2R4-48W5

Vulnerability from github – Published: 2023-06-22 21:30 – Updated: 2024-10-17 15:31
VLAI
Details

A URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287",
      "CWE-20",
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-22T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "\nA URL parameter during login flow was vulnerable to injection. An attacker could insert a malicious domain in this parameter, which would redirect the user after auth and send the authorization token to the redirected domain.\u00a0",
  "id": "GHSA-frc9-g2r4-48w5",
  "modified": "2024-10-17T15:31:06Z",
  "published": "2023-06-22T21:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28799"
    },
    {
      "type": "WEB",
      "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux\u0026applicable_version=1.4\u0026deployment_date=2022-10-31\u0026id=1420246"
    },
    {
      "type": "WEB",
      "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Android\u0026applicable_version=1.10.2\u0026deployment_date=2023-03-09\u0026id=1447706"
    },
    {
      "type": "WEB",
      "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Chrome%20OS\u0026applicable_version=1.10.1\u0026deployment_date=2023-03-10\u0026id=1447771"
    },
    {
      "type": "WEB",
      "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=iOS\u0026applicable_version=1.9.3\u0026deployment_date=2023-03-03\u0026id=1447071"
    },
    {
      "type": "WEB",
      "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macOS\u0026applicable_version=3.9\u0026deployment_date=2023-01-25\u0026id=1443546"
    },
    {
      "type": "WEB",
      "url": "https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2021?applicable_category=Windows\u0026applicable_version=3.7\u0026deployment_date=2021-11-26\u0026id=1386541"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

No CAPEC attack patterns related to this CWE.