CWE-1286— Improper Validation of Syntactic Correctness of Input
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.— MITRE CWE catalog
84 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-1286page 2 of 2
- CVE-2025-25007MEDIUMCVSS 5.3EG 5.32025-08-12
Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
- CVE-2025-30415HIGHCVSS 7.5EG 7.52025-06-04
Denial of service due to improper handling of malformed input. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40077, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build…
- CVE-2025-36262MEDIUMCVSS 4.9EG 4.92025-09-30
IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 could allow a malicious privileged user to bypass the UI to gain unauthorized access to sensitive information due to the improper validation of input.
- CVE-2025-41719HIGHCVSS 8.8EG 8.82025-10-22
A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of the default Administrator…
- CVE-2025-43878MEDIUMCVSS 6.0EG 6.02025-05-07
When running in Appliance mode, an authenticated attacker assigned the Administrator or Resource Administrator role may be able to bypass Appliance mode restrictions utilizing system diagnostics tcpdump command utility on a F5OS-C/A system…
- CVE-2025-46419MEDIUMCVSS 5.9EG 5.92025-04-24
Westermo WeOS 5 through 5.23.0 allows a reboot via a malformed ESP packet.
- CVE-2025-54995MEDIUMCVSS 6.5EG 6.52025-08-28
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resourc…
- CVE-2025-55085HIGHCVSS 7.5EG 7.52025-10-17
In NextX Duo before 6.4.4, in the HTTP client module, the network support code for Eclipse Foundation ThreadX, the parsing of HTTP header fields was missing bounds verification. A crafted server response could cause undefined behavior.
- CVE-2025-67492MEDIUMCVSS 5.3EG 5.32025-12-16
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks compl…
- CVE-2025-8873HIGHCVSS 7.5EG 7.52026-06-04
On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing…
- CVE-2026-0663MEDIUMCVSS 4.9EG 4.92026-01-21
Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
- CVE-2026-0983HIGHCVSS 7.1EG 7.12026-05-18
Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash
- CVE-2026-10099MEDIUMCVSS 4.0EG 4.02026-05-29
XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unc…
- CVE-2026-21527MEDIUMCVSS 6.5EG 6.52026-02-10
User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
- CVE-2026-21917HIGHCVSS 7.5EG 7.52026-01-15
An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX …
- CVE-2026-24087HIGHCVSS 7.2EG 7.22026-06-01
Memory corruption while processing fastboot OEM commands.
- CVE-2026-24089HIGHCVSS 7.2EG 7.22026-06-01
Memory corruption while processing fastboot commands with invalid input.
- CVE-2026-24091HIGHCVSS 7.2EG 7.22026-06-01
Memory corruption while processing fastboot commands with improperly formatted input.
- CVE-2026-24092HIGHCVSS 7.2EG 7.22026-06-01
Memory Corruption when processing fastboot commands to set display mode.
- CVE-2026-25513HIGHCVSS 8.8EG 8.82026-02-04
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arb…
- CVE-2026-25679HIGHCVSS 7.5EG 7.52026-03-06
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- CVE-2026-27889HIGHCVSS 7.5EG 7.52026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic i…
- CVE-2026-33218HIGHCVSS 7.5EG 7.52026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed messag…
- CVE-2026-33778HIGHCVSS 7.5EG 7.52026-04-09
An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complet…
- CVE-2026-34835MEDIUMCVSS 4.8EG 4.82026-04-02
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-com…
- CVE-2026-40198HIGHCVSS 7.5EG 7.52026-04-10
Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass. _pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2…
- CVE-2026-42579CRITICALCVSS 9.1EG 7.52026-05-13
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirecti…
- CVE-2026-48059HIGHCVSS 7.5EG 7.52026-06-11
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a…
- CVE-2026-50131HIGHCVSS 8.6EG 8.62026-06-10
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fet…
- CVE-2026-55767MEDIUMCVSS 5.8EG 5.82026-06-19
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normal…
- CVE-2026-57026HIGHCVSS 7.5EG 7.52026-07-09
An Improper Validation of Syntactic Correctness of Input vulnerability in the SIP plugin of Juniper Networks Junos OS on MX Series with SPC3 and SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS…
- CVE-2026-6442HIGHCVSS 8.3EG 8.32026-04-16
Improper validation of bash commands in Snowflake Cortex Code CLI versions prior to 1.0.25 allowed subsequent commands to execute outside the sandbox. An attacker could exploit this by embedding specially crafted commands in untrusted cont…
- CVE-2026-6918HIGHCVSS 7.5EG 7.52026-05-05
In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.
- CVE-2026-7307HIGHCVSS 7.5EG 7.52026-05-19
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, …
Map vulnerabilities like CWE-1286 to your infrastructure
EchelonGraph correlates every CVE — across CWE-1286 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →