CWE-20(Improper Input Validation)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| 類型 | 名稱 | 類 | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Often | — |
| technology | AI/ML | — | Often | — |
下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。
| CVE | 公開時間 | 摘要 |
|---|---|---|
| CVE-2024-23577 | 2026-07-17 | HCL Aftermarket EPC is vulnerable since the application does not have a validation for HOST header and accepts arbitrary hosts when requested in http protocol. When an application doesn’t adequately v… |
| CVE-2026-53412 | 2026-07-16 | Improper Input Validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an account takeover via network… |
| CVE-2026-53411 | 2026-07-16 | A time-of-check to time-of-use (TOCTOU) race condition in the installation and uninstallation process of certain Zoom Clients for Windows could allow an authenticated local user to escalate privileges… |
| CVE-2026-44180 | 2026-07-16 | Jupyter Enterprise Gateway launches remote Jupyter Notebook kernels across distributed clusters like Apache Spark, Kubernetes, and Docker Swarm. Versions 2.0.0rc1 and above prior to 3.3.0 have a prohi… |
| CVE-2026-53409 | 2026-07-16 | Improper Privilege Management in Zoom Rooms for Windows before version 7.1.0 may allow an authenticated user to conduct an escalation of privilege via local access. |
| CVE-2026-33692 | 2026-07-16 | WWBN AVideo is an open source video platform. Versions prior to 29.0 expose .env files to unauthenticated users through the official Docker compose configuration. The official docker-compose.yml mount… |
| CVE-2026-54728 | 2026-07-16 | bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). Prior to BunkerWeb 1.6.12 and BunkerWeb PRO 0.57, authenticated Host header handling in the BunkerWeb UI and API imprope… |
| CVE-2026-46341 | 2026-07-16 | The Apify MCP server enables AI agents to extract data from websites using ready-made scrapers, crawlers, and automation tools available on the Apify Store. Prior to 0.9.21, the fetch-apify-docs tool … |
| CVE-2026-50012 | 2026-07-16 | Squid is a caching proxy for the Web. Prior to 7.6, due to an improper input validation bug in cache digest reply handling (peerDigestSwapInMask in src/peer_digest.cc), Squid is vulnerable to a heap-b… |
| CVE-2026-11386 | 2026-07-16 | An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-… |
| CVE-2026-56678 | 2026-07-15 | 9Router is an AI router & token saver. Prior to 0.5.6, the Kiro API-key validation endpoint POST /api/oauth/kiro/api-key builds an upstream URL using a user-controlled region value, allowing an authen… |
| CVE-2026-50144 | 2026-07-15 | ncnn is a high-performance neural network inference framework optimized for the mobile platform. In commit e54f7b1f88434e1d844ea0551b880a1cfb079ce1 and earlier, ncnn allows an out-of-bounds heap write… |
| CVE-2026-40958 | 2026-07-15 | CVE-2026-40958 is a input validation error in Secure Access clients prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS agai… |
| CVE-2026-53513 | 2026-07-15 | Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin's POST /sso/register and POST /sso/update-provider endpoints accept attacker-con… |
| CVE-2026-14961 | 2026-07-15 | Pegatron `Tdelo64.sys` exposes a privileged device interface, `\\.\TdeIo`, that fails to properly restrict access to sensitive IOCTL functionality. The driver's IOCTL dispatcher does not validate call… |
| CVE-2026-59955 | 2026-07-15 | Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to raw configurati… |
| CVE-2026-59954 | 2026-07-15 | Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to configuration d… |
| CVE-2026-20153 | 2026-07-15 | As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a sof… |
| CVE-2026-61427 | 2026-07-15 | PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks whe… |
| CVE-2026-56398 | 2026-07-15 | Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-… |
| 日期 | 名稱 | 版本 | 重要性 | 評論 |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-08-15 | — | 1.0 | — | Suggested OWASP Top Ten 2004 mapping |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Other_Notes, Taxonomy_Mappings |
| 2008-11-24 | CWE Content Team | 1.1 | — | updated Relationships, Taxonomy_Mappings |
| 2009-01-12 | CWE Content Team | 1.2 | — | updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Description, Potential_Mitigations |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Related_Attack_Patterns |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Relationships |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Common_Consequences, Demonstrative_Examples, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, Relationships, Research_Gaps, Terminology_Notes |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings |
| 2010-04-05 | CWE Content Team | 1.8.1 | — | updated Related_Attack_Patterns |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Potential_Mitigations, Research_Gaps, Terminology_Notes |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Potential_Mitigations, Relationships |
| 2010-12-13 | CWE Content Team | 1.11 | — | updated Demonstrative_Examples, Description |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Observed_Examples |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Applicable_Platforms, Common_Consequences, Relationship_Notes |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Relationships |
| 2013-07-17 | CWE Content Team | 2.5 | — | updated Relationships |
| 2014-02-18 | CWE Content Team | 2.6 | — | updated Demonstrative_Examples, Related_Attack_Patterns |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Detection_Factors, Relationships, Taxonomy_Mappings |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-01-19 | CWE Content Team | 2.10 | — | updated Related_Attack_Patterns, Relationships |
| 2017-05-03 | CWE Content Team | 2.11 | — | updated Related_Attack_Patterns, Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated References |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Related_Attack_Patterns, Relationships |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Related_Attack_Patterns, Relationships |
| 2019-09-19 | CWE Content Team | 3.4 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Potential_Mitigations, References, Related_Attack_Patterns, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Potential_Mitigations, Related_Attack_Patterns, Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Description, Potential_Mitigations |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated Related_Attack_Patterns, Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Relationships |
| 2022-06-28 | CWE Content Team | 4.8 | — | updated Observed_Examples, Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated References, Relationships |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Observed_Examples |
| 2024-07-16 | CWE Content Team | 4.15 | — | updated Observed_Examples |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated Relationships |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Common_Consequences, Description, Diagram, Mapping_Notes, Potential_Mitigations, Relationship_Notes, Terminology_Notes |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Detection_Factors, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Applicable_Platforms, Mapping_Notes |
| 類型 | 名稱 | 日期 | 評論 |
|---|---|---|---|
| Content | Abhi Balakrishnan | 2024-02-29 | Contributed usability diagram concepts used by the CWE team. |