CWE-180
11 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-180page 1 of 1
- CVE-2022-26136CRITICALCVSS 9.8EG 9.82022-07-20
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. …
- CVE-2022-26137HIGHCVSS 8.8EG 8.82022-07-20
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only kno…
- CVE-2024-28607LOWCVSS 2.9EG 2.92025-03-11
The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via a falsy isPrivate return value.
- CVE-2025-29787HIGHCVSS 7.3EG 0.02025-03-17
`zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlie…
- CVE-2025-33194MEDIUMCVSS 5.7EG 5.72025-11-25
NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper processing of input data. A successful exploit of this vulnerability might lead to information disclosure or denial of service.
- CVE-2025-43716MEDIUMCVSS 5.8EG 5.82025-04-23
A directory traversal vulnerability exists in Ivanti LANDesk Management Gateway through 4.2-1.9. By appending %3F.php to the URI of the /client/index.php endpoint, an attacker can bypass access controls and gain unauthorized access to vari…
- CVE-2026-24895CRITICALCVSS 9.8EG 9.82026-02-12
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased…
- CVE-2026-34786MEDIUMCVSS 5.3EG 5.32026-04-02
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is d…
- CVE-2026-39364HIGHCVSS 7.5EG 7.52026-04-07
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query param…
- CVE-2026-39409MEDIUMCVSS 5.3EG 5.32026-04-08
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rule…
- CVE-2026-45022HIGHCVSS 7.0EG 7.02026-05-27
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malfo…
Map vulnerabilities like CWE-180 to your infrastructure
EchelonGraph correlates every CVE — across CWE-180 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →