CWE-807
65 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-807 (page 1 of 2)
- CVE-2019-25711 | MEDIUM | CVSS 6.2 | EG 6.2 | 2026-04-12
  SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payloa…
- CVE-2020-5252 | MEDIUM | CVSS 5.0 | EG 5.0 | 2020-03-23
  The command-line "safety" package for Python has a potential security issue. There are two Python characteristics that allow malicious code to "poison-pill" command-line Safety package detection routines by disguising, or obfuscating, …
- CVE-2021-29479 | HIGH | CVSS 7.0 | EG 7.0 | 2021-06-29
  Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user supplied `X-Forwarded-Host` header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the `X-…
- CVE-2021-31999 | HIGH | CVSS 8.8 | EG 8.8 | 2021-07-15
  A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as other users in the cluster by forging the "Impersonate-User" or "Impersonate-Group" headers. This issue affects: Rancher …
- CVE-2021-36777 | HIGH | CVSS 8.1 | EG 8.8 | 2022-03-09
  A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with an expected login form that then sends the clear text credentials to an attacker sp…
- CVE-2021-41129 | HIGH | CVSS 8.1 | EG 8.1 | 2021-10-06
  Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value no…
- CVE-2022-20744 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-05-03
  A vulnerability in the input protection mechanisms of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view data without proper authorization. This vulnerability exists because of a protecti…
- CVE-2022-24400 | HIGH | CVSS 7.5 | EG 7.5 | 2023-10-19
  A flaw in the TETRA authentication procedure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero.
- CVE-2023-0009 | HIGH | CVSS 7.8 | EG 6.7 | 2023-06-14
  A local privilege escalation (PE) vulnerability in the Palo Alto Networks GlobalProtect app on Windows enables a local user to execute programs with elevated privileges.
- CVE-2023-45128 | CRITICAL | CVSS 10.0 | EG 10.0 | 2023-10-16
  Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf …
- CVE-2023-46686 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-12-18
  A reliance on untrusted inputs in a security decision could be exploited by a privileged user to configure the Gallagher Command Centre Diagnostics Service to use less secure communication protocols. This issue affects: Gallagher Diagn…
- CVE-2024-11146 | MEDIUM | CVSS 6.3 | EG 7.3 | 2025-01-17
  TrueFiling is a collaborative, web-based electronic filing system where attorneys, paralegals, court reporters and self-represented filers collect public legal documentation into cases. TrueFiling is an entirely cloud-hosted application. P…
- CVE-2024-13974 | HIGH | CVSS 8.1 | EG 8.1 | 2025-07-21
  A business logic vulnerability in the Up2Date component of Sophos Firewall older than version 21.0 MR1 (20.0.1) can lead to attackers controlling the firewall's DNS environment to achieve remote code execution.
- CVE-2024-21510 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-11-01
  Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an O…
- CVE-2024-28824 | HIGH | CVSS 8.8 | EG 8.8 | 2024-03-22
  Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.
- CVE-2024-28829 | HIGH | CVSS 7.8 | EG 7.8 | 2024-08-20
  Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0p12, 2.2.0p32, 2.1.0p47 and 2.0.0 (EOL) allows local users to escalate privileges.
- CVE-2024-29039 | CRITICAL | CVSS 9.0 | EG 9.0 | 2024-06-28
  tpm2 is the source repository for the Trusted Platform Module (TPM2.0) tools. This vulnerability allows attackers to manipulate tpm2_checkquote outputs by altering the TPML_PCR_SELECTION in the PCR input file. As a result, digest values a…
- CVE-2024-45654 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-01-19
  IBM Security ReaQta 3.12 could allow an authenticated user to perform unauthorized actions due to reliance on untrusted inputs.
- CVE-2024-47254 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-11-05
  In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the system.
- CVE-2024-51561 | HIGH | CVSS 7.5 | EG 7.5 | 2024-11-04
  This vulnerability exists in Aero due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting and manipulating the responses exchang…
- CVE-2024-52327 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-01-23
  The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
- CVE-2024-55354 | HIGH | CVSS 8.8 | EG 8.8 | 2025-04-08
  Lucee before 5.4.7.3 LTS and 6 before 6.1.1.118, when an attacker can place files on the server, is vulnerable to a protection mechanism failure that can let an attacker run code that would be expected to be blocked and access resources th…
- CVE-2024-5754 | HIGH | CVSS 8.2 | EG 8.2 | 2024-09-13
  BT: Encryption procedure host vulnerability
- CVE-2024-7005 | MEDIUM | CVSS 4.3 | EG 8.8 | 2024-08-06
  Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious fil…
- CVE-2024-9310 | MEDIUM | CVSS 6.0 | EG 0.0 | 2025-01-22
  By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially t…
- CVE-2025-0117 | HIGH | CVSS 7.1 | EG 0.0 | 2025-03-12
  A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM. GlobalProte…
- CVE-2025-10161 | HIGH | CVSS 7.3 | EG 7.3 | 2025-11-11
  Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute F…
- CVE-2025-1126 | CRITICAL | CVSS 9.3 | EG 9.3 | 2025-02-11
  A Reliance on Untrusted Inputs in a Security Decision vulnerability has been identified in the Lexmark Print Management Client.
- CVE-2025-11271 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-11-06
  The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes ve…
- CVE-2025-12487 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-11-06
  oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga text-generation…
- CVE-2025-12488 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-11-06
  oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga text-generation…
- CVE-2025-13926 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-04-09
  An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.
- CVE-2025-1969 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-03-04
  Improper request input validation in Temporary Elevated Access Management (TEAM) for AWS IAM Identity Center allows a user to modify a valid request and spoof an approval in TEAM. Upgrade TEAM to the latest release v.1.2.2. Follow instruc…
- CVE-2025-24369 | LOW | CVSS 2.3 | EG 0.0 | 2025-01-27
  Anubis is a tool that allows administrators to protect bots against AI scrapers through bot-checking heuristics and a proof-of-work challenge to discourage scraping from multiple IP addresses. Anubis allows attackers to bypass the bot prot…
- CVE-2025-49827 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-07-15
  Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.5 and 13.6 are vulnerable to b…
- CVE-2025-53717 | HIGH | CVSS 7.0 | EG 7.0 | 2025-10-14
  Reliance on untrusted inputs in a security decision in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally.
- CVE-2025-53882 | MEDIUM | CVSS 4.4 | EG 9.1 | 2025-07-23
  A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSE mailman3 package allows the mailman user to send SIGHUP to arbitrary processes. This issue affects openSUSE Tumbleweed: from ?…
- CVE-2025-55735 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-08-19
  flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post u…
- CVE-2025-55736 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-08-19
  flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.
- CVE-2025-59152 | HIGH | CVSS 7.5 | EG 7.5 | 2025-10-06
  Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined…
- CVE-2025-65328 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-01-05
  Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof …
- CVE-2025-66507 | HIGH | CVSS 7.5 | EG 7.5 | 2025-12-09
  1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previou…
- CVE-2025-66570 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-12-05
  cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attac…
- CVE-2025-66577 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-12-05
  cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attac…
- CVE-2026-0390 | MEDIUM | CVSS 6.7 | EG 6.7 | 2026-04-14
  Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
- CVE-2026-1789 | MEDIUM | CVSS 4.9 | EG 4.9 | 2026-04-24
  A vulnerability in the browser-based remote management interface may allow an administrator to access sensitive information on the device via crafted requests, affecting certain production printers and office/small office multifunction pri…
- CVE-2026-20849 | HIGH | CVSS 7.5 | EG 7.5 | 2026-01-13
  Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network.
- CVE-2026-21509 | HIGH | CVSS 7.8 | EG 9.0 | KEV | 2026-01-26
  Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
- CVE-2026-21514 | HIGH | CVSS 7.8 | EG 9.0 | KEV | 2026-02-10
  Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.
- CVE-2026-23848 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-01-19
  MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general AP…