CWE-184

Incomplete List of Disallowed Inputs

Parent: CWE-693 - Protection Mechanism Failure

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
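The recurring pattern in the entries below is a denylist (substring match, regex, or tag/command name list) that an attacker sidesteps with an equivalent spelling the list author did not enumerate: an alias, a quoted or escaped form, a different interpreter, or an environment-variable assignment in front of the command. The following is an added example, not code from any project listed on this page: a constructed substring denylist for shell commands beside an allowlist-based gate, with constructed inputs that show the denylist both letting dangerous commands through and rejecting a harmless one. The names `DENYLIST`, `ALLOWED_PROGRAMS`, `denylist_allows` and `allowlist_allows` are hypothetical.

```python
import re
import shlex

# Constructed, deliberately incomplete denylist of "dangerous" command text.
# This is the CWE-184 shape: it enumerates known-bad spellings and nothing else.
DENYLIST = ("rm", "curl", "wget", "bash -c")

def denylist_allows(cmd: str) -> bool:
    """Substring blocklist. Returns True if the command is let through.

    No normalisation is done, so any spelling the shell will still resolve
    (quotes, backslashes, another interpreter) walks past it.
    """
    return not any(bad in cmd for bad in DENYLIST)

# Hardened gate: allow by exact program name after shell-style tokenisation,
# and reject anything that could change meaning before execution.
ALLOWED_PROGRAMS = frozenset({"ls", "cat", "echo", "git"})
# Shell metacharacters and escapes that introduce substitution, chaining,
# redirection or quoting tricks. Backslash is included so `c\url` is refused
# outright rather than silently tokenised into `curl`.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")

def allowlist_allows(cmd: str) -> bool:
    """Returns True only for a plain invocation of an allowlisted program."""
    if SHELL_META.search(cmd):
        return False
    try:
        argv = shlex.split(cmd)          # POSIX tokenisation: r''m -> rm
    except ValueError:                   # unbalanced quotes
        return False
    if not argv:
        return False
    if "=" in argv[0]:                   # leading VAR=value smuggles an env var
        return False
    # Caveat: a program allowlist alone does not constrain arguments; a real
    # gate would also validate argv[1:] per program (git, for instance, can be
    # made to run other programs through its options and config).
    return argv[0] in ALLOWED_PROGRAMS

# Constructed inputs: each pair is (command, why it matters).
SAMPLES = [
    ("rm -rf /",          "literal spelling, the only one the denylist knows"),
    ("r''m -rf /",        "empty quotes inside the word; the shell runs rm"),
    ("c\\url http://x",   "backslash removed by the shell; runs curl"),
    ("sh -c 'echo hi'",   "different interpreter, not 'bash -c'"),
    ("PATH=/tmp ls",      "env assignment ahead of an innocuous program"),
    ("echo permanent",    "harmless, but 'permanent' contains the substring rm"),
    ("ls -la",            "benign command both gates should accept"),
]

def evaluate(samples=SAMPLES):
    """Map each command to (denylist_result, allowlist_result)."""
    return {cmd: (denylist_allows(cmd), allowlist_allows(cmd)) for cmd, _ in samples}

if __name__ == "__main__":
    for cmd, why in SAMPLES:
        deny, allow = evaluate([(cmd, why)])[cmd]
        print(f"{cmd!r:22} denylist={'pass' if deny else 'BLOCK'}  "
              f"allowlist={'pass' if allow else 'BLOCK'}   # {why}")
```

Run as a script, the denylist passes the quoted, escaped, alternate-interpreter and env-prefixed variants while blocking `echo permanent`; the allowlist gate does the opposite. The general lesson the listed CVEs illustrate is that the space of equivalent spellings is defined by the consumer (the shell, ExifTool, a regex engine, PowerShell's alias table), not by the filter author, so a gate that enumerates bad inputs is always racing that consumer's grammar.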

122 vulnerabilities with CWE-184 (25 listed below)

CVE ID          Severity  CVSS  Title
CVE-2026-53836  HIGH      8.8   OpenClaw < 2026.5.12 - Allowlist Bypass via PowerShell Encoded-Command Aliases
CVE-2026-48557  HIGH      8.8   Spatie Laravel Media Library < 11.23.0 File Upload Restriction Bypass via FileAdder.php
CVE-2026-44287  MEDIUM    6.3   FastGPT: sandbox escape to RCE - code-sandbox regex /\bimport\s*\(/ is bypassable
CVE-2026-44463  HIGH      8.6   Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions
CVE-2026-44462  MEDIUM    6.4   Zed: Allowlist Bypass via Bash Variable Expansion Chain in Terminal Tool Permissions
CVE-2026-45037  HIGH      7.1   Tabby: Unsafe protocol handler execution via terminal linkifier allows arbitrary OS protocol invocation
CVE-2026-42590  HIGH      8.2   Gotenberg: ExifTool group-prefix syntax bypasses dangerous-tag blocklist
CVE-2026-40893  HIGH      8.2   Gotenberg: ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names Allows Arbitrary File Rename and Move
CVE-2026-43929  HIGH      8.2   ssrfcheck: Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
CVE-2026-43991  HIGH      8.4   JunoClaw: plugin-shell shell-injection bypass via substring blocklist
CVE-2026-45006  HIGH      8.8   OpenClaw < 2026.4.23 - Unsafe Config Mutation via Gateway Tool Denylist Bypass
CVE-2026-44993  MEDIUM    5.4   OpenClaw < 2026.4.20 - Direct Message Misclassification in Feishu Card Actions
CVE-2026-44115  HIGH      8.8   OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted Heredocs via Exec Allowlist
CVE-2026-44114  HIGH      7.8   OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv
CVE-2026-43584  HIGH      8.8   OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy
CVE-2026-43578  CRITICAL  9.1   OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade
CVE-2026-41934  HIGH      8.8   Vvveb < 1.0.8.2 Authenticated RCE via Code Editor
CVE-2026-43566  CRITICAL  9.1   OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events
CVE-2026-43532  HIGH      7.7   OpenClaw 2026.4.7 < 2026.4.10 - Sandbox Media Normalization Bypass via Discord Event Cover Image
CVE-2026-42435  HIGH      8.8   OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection
CVE-2026-42427  MEDIUM    5.3   OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection
CVE-2026-41915  MEDIUM    5.3   OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment
CVE-2026-41392  MEDIUM    6.7   OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options
CVE-2026-41391  MEDIUM    5.3   OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling
CVE-2026-31952  HIGH      7.6   Xibo CMS API has SQL Injection via DataSet Filter Parameter