CWE-20

High likelihood

Improper Input Validation

Parent: CWE-707 - Improper Neutralization

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

12,423 vulnerabilities with CWE-20
CVE-2026-12191 (HIGH, CVSS 7.8): Comma AI Openpilot Pickle modeld.py pickle.loads deserialization
CVE-2026-45013 (HIGH, CVSS 8.1): Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
CVE-2026-54133 (CRITICAL, CVSS 9.8): jmespath.php has CompilerRuntime code injection via unescaped function names
CVE-2026-47196 (HIGH): Quest Bot: Empty automod rule causes every guild message to be deleted
CVE-2026-50633 (HIGH, CVSS 8.1): Apache CXF JCA Integration - JNDI Injection Remote Code Execution
CVE-2026-50632 (HIGH, CVSS 8.1): Apache CXF JMSConfigFactory - JNDI Injection Remote Code Execution
CVE-2026-50628 (CRITICAL, CVSS 9.8): Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control
CVE-2026-47370 (CRITICAL, CVSS 9.9): Ubiquiti INC UniFi OS Server - Improper Input Validation
CVE-2026-47369 (CRITICAL, CVSS 9.9): Ubiquiti INC UniFi OS Server - Improper Input Validation
CVE-2026-47367 (CRITICAL, CVSS 9.9): Ubiquiti INC Uid Enterprise Agent < 1.61.4 - Improper Input Validation
CVE-2026-12034 (HIGH, CVSS 8.3): Google Chrome - Improper Input Validation
CVE-2026-12025 (MEDIUM, CVSS 5.3): Google Chrome - Improper Input Validation
CVE-2026-12017 (LOW, CVSS 3.1): Google Chrome - Improper Input Validation
CVE-2026-12016 (HIGH, CVSS 8.3): Google Chrome - Improper Input Validation
CVE-2026-12009 (HIGH, CVSS 8.3): Google Chrome - Improper Input Validation
CVE-2026-47181 (HIGH): PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover
CVE-2026-49982 (HIGH, CVSS 8.2): node-tmp 0.2.6 - Path Traversal via Non-String Template Values
CVE-2026-53723 (MEDIUM, CVSS 5.8): guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator
CVE-2026-49214 (MEDIUM, CVSS 5.3): guzzlehttp/psr7 has CRLF Injection via URI Host Component
CVE-2026-48998 (MEDIUM, CVSS 5.3): guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation
CVE-2026-53901 (HIGH): Cerebrate before v1.37 allows mass assignment of record identifiers during object creation
CVE-2026-49218 (HIGH, CVSS 7.5): ImageMagick: Policy Bypass in DCM decoder could result in image with invalid dimensions
CVE-2026-48110 (HIGH, CVSS 7.5): Russh: SSH message fields were decoded through allocation-first parsers before field-specific bounds
CVE-2026-48108 (MEDIUM, CVSS 5.3): Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input
CVE-2026-48107 (MEDIUM, CVSS 6.5): Russh: Unchecked keyboard-interactive prompt count in client auth path