CWE-1289— Improper Validation of Unsafe Equivalence in Input
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.— MITRE CWE catalog
27 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-1289page 1 of 1
- CVE-2022-0675MEDIUMCVSS 5.6EG 9.82022-03-02
In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the syst…
- CVE-2024-12224HIGHCVSS 8.8EG 8.82025-05-30
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as…
- CVE-2024-42218MEDIUMCVSS 4.7EG 6.32024-08-06
1Password 8 before 8.10.38 for macOS allows local attackers to exfiltrate vault items by bypassing macOS-specific security mechanisms.
- CVE-2024-42219HIGHCVSS 7.8EG 7.02024-08-06
1Password 8 before 8.10.36 for macOS allows local attackers to exfiltrate vault items because XPC inter-process communication validation is insufficient.
- CVE-2024-45179HIGHCVSS 7.2EG 7.22024-10-09
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. It was found out that different functionality…
- CVE-2024-45308MEDIUMCVSS 6.5EG 6.52024-09-02
HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can t…
- CVE-2024-8372MEDIUMCVSS 4.8EG 4.82024-09-09
Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoof…
- CVE-2025-62718CRITICALCVSS 9.9EG 9.92026-04-09
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trail…
- CVE-2026-1094MEDIUMCVSS 4.6EG 4.62026-02-11
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
- CVE-2026-22569MEDIUMCVSS 5.4EG 5.42026-03-31
An incorrect startup configuration of affected versions of Zscaler Client Connector on Windows may cause a limited amount of traffic from being inspected under rare circumstances.
- CVE-2026-27610MEDIUMCVSS 5.3EG 5.32026-02-25
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-t…
- CVE-2026-33806HIGHCVSS 7.5EG 7.52026-04-15
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation i…
- CVE-2026-33810HIGHCVSS 7.5EG 7.52026-04-08
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted cert…
- CVE-2026-34080MEDIUMCVSS 5.5EG 5.52026-04-07
xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (wi…
- CVE-2026-35039CRITICALCVSS 9.1EG 9.12026-04-06
fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cau…
- CVE-2026-39821CRITICALCVSS 9.6EG 10.02026-05-22
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior ca…
- CVE-2026-39972HIGHCVSS 7.1EG 7.12026-04-09
Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cach…
- CVE-2026-41213MEDIUMCVSS 5.9EG 5.92026-04-23
@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers ar…
- CVE-2026-41239MEDIUMCVSS 6.8EG 6.82026-04-23
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but n…
- CVE-2026-42462HIGHCVSS 7.0EG 7.02026-05-26
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that wou…
- CVE-2026-45190MEDIUMCVSS 6.5EG 6.52026-05-10
Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then r…
- CVE-2026-45191MEDIUMCVSS 6.5EG 6.52026-05-10
Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass. Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their …
- CVE-2026-47674MEDIUMCVSS 5.3EG 5.32026-05-28
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string…
- CVE-2026-48710MEDIUMCVSS 6.5EG 6.52026-05-26
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `re…
- CVE-2026-49940MEDIUMCVSS 6.5EG 6.52026-06-04
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept lar…
- CVE-2026-49942HIGHCVSS 7.3EG 7.32026-06-04
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow net…
- CVE-2026-50090MEDIUMCVSS 6.1EG 9.32026-06-12
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Inp…
Map vulnerabilities like CWE-1289 to your infrastructure
EchelonGraph correlates every CVE — across CWE-1289 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →