CWE-20 12695 個 CVE MITRE 定義 ↗

CWE-20:Improper Input Validation

概覽

CWE-20(Improper Input Validation)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Often
technology AI/ML Often

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2024-23577 2026-07-17 HCL Aftermarket EPC is vulnerable since the application does not have a validation for HOST header and accepts arbitrary hosts when requested in http protocol. When an application doesn’t adequately v…
CVE-2026-53412 2026-07-16 Improper Input Validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an account takeover via network…
CVE-2026-53411 2026-07-16 A time-of-check to time-of-use (TOCTOU) race condition in the installation and uninstallation process of certain Zoom Clients for Windows could allow an authenticated local user to escalate privileges…
CVE-2026-44180 2026-07-16 Jupyter Enterprise Gateway launches remote Jupyter Notebook kernels across distributed clusters like Apache Spark, Kubernetes, and Docker Swarm. Versions 2.0.0rc1 and above prior to 3.3.0 have a prohi…
CVE-2026-53409 2026-07-16 Improper Privilege Management in Zoom Rooms for Windows before version 7.1.0 may allow an authenticated user to conduct an escalation of privilege via local access.
CVE-2026-33692 2026-07-16 WWBN AVideo is an open source video platform. Versions prior to 29.0 expose .env files to unauthenticated users through the official Docker compose configuration. The official docker-compose.yml mount…
CVE-2026-54728 2026-07-16 bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). Prior to BunkerWeb 1.6.12 and BunkerWeb PRO 0.57, authenticated Host header handling in the BunkerWeb UI and API imprope…
CVE-2026-46341 2026-07-16 The Apify MCP server enables AI agents to extract data from websites using ready-made scrapers, crawlers, and automation tools available on the Apify Store. Prior to 0.9.21, the fetch-apify-docs tool …
CVE-2026-50012 2026-07-16 Squid is a caching proxy for the Web. Prior to 7.6, due to an improper input validation bug in cache digest reply handling (peerDigestSwapInMask in src/peer_digest.cc), Squid is vulnerable to a heap-b…
CVE-2026-11386 2026-07-16 An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-…
CVE-2026-56678 2026-07-15 9Router is an AI router & token saver. Prior to 0.5.6, the Kiro API-key validation endpoint POST /api/oauth/kiro/api-key builds an upstream URL using a user-controlled region value, allowing an authen…
CVE-2026-50144 2026-07-15 ncnn is a high-performance neural network inference framework optimized for the mobile platform. In commit e54f7b1f88434e1d844ea0551b880a1cfb079ce1 and earlier, ncnn allows an out-of-bounds heap write…
CVE-2026-40958 2026-07-15 CVE-2026-40958 is a input validation error in Secure Access clients prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS agai…
CVE-2026-53513 2026-07-15 Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin's POST /sso/register and POST /sso/update-provider endpoints accept attacker-con…
CVE-2026-14961 2026-07-15 Pegatron `Tdelo64.sys` exposes a privileged device interface, `\\.\TdeIo`, that fails to properly restrict access to sensitive IOCTL functionality. The driver's IOCTL dispatcher does not validate call…
CVE-2026-59955 2026-07-15 Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to raw configurati…
CVE-2026-59954 2026-07-15 Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to configuration d…
CVE-2026-20153 2026-07-15 As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a sof…
CVE-2026-61427 2026-07-15 PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks whe…
CVE-2026-56398 2026-07-15 Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-…

曾用名

  • Insufficient Input Validation (2009-01-12)

內容提交

名稱
7 Pernicious Kingdoms
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations, Time_of_Introduction
2008-08-15 1.0 Suggested OWASP Top Ten 2004 mapping
2008-09-08 CWE Content Team 1.0 updated Relationships, Other_Notes, Taxonomy_Mappings
2008-11-24 CWE Content Team 1.1 updated Relationships, Taxonomy_Mappings
2009-01-12 CWE Content Team 1.2 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships
2009-03-10 CWE Content Team 1.3 updated Description, Potential_Mitigations
2009-05-27 CWE Content Team 1.4 updated Related_Attack_Patterns
2009-07-27 CWE Content Team 1.5 updated Relationships
2009-10-29 CWE Content Team 1.6 updated Common_Consequences, Demonstrative_Examples, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, Relationships, Research_Gaps, Terminology_Notes
2009-12-28 CWE Content Team 1.7 updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors
2010-02-16 CWE Content Team 1.8 updated Detection_Factors, Potential_Mitigations, References, Taxonomy_Mappings
2010-04-05 CWE Content Team 1.8.1 updated Related_Attack_Patterns
2010-06-21 CWE Content Team 1.9 updated Potential_Mitigations, Research_Gaps, Terminology_Notes
2010-09-27 CWE Content Team 1.10 updated Potential_Mitigations, Relationships
2010-12-13 CWE Content Team 1.11 updated Demonstrative_Examples, Description
2011-03-29 CWE Content Team 1.12 updated Observed_Examples
2011-06-01 CWE Content Team 1.13 updated Applicable_Platforms, Common_Consequences, Relationship_Notes
2011-09-13 CWE Content Team 2.1 updated Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2013-02-21 CWE Content Team 2.4 updated Relationships
2013-07-17 CWE Content Team 2.5 updated Relationships
2014-02-18 CWE Content Team 2.6 updated Demonstrative_Examples, Related_Attack_Patterns
2014-07-30 CWE Content Team 2.8 updated Detection_Factors, Relationships, Taxonomy_Mappings
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-01-19 CWE Content Team 2.10 updated Related_Attack_Patterns, Relationships
2017-05-03 CWE Content Team 2.11 updated Related_Attack_Patterns, Relationships
2017-11-08 CWE Content Team 3.0 updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
2018-03-27 CWE Content Team 3.1 updated References
2019-01-03 CWE Content Team 3.2 updated Related_Attack_Patterns, Relationships
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns, Relationships
2019-09-19 CWE Content Team 3.4 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, References, Related_Attack_Patterns, Relationships
2020-06-25 CWE Content Team 4.1 updated Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes
2020-08-20 CWE Content Team 4.2 updated Potential_Mitigations, Related_Attack_Patterns, Relationships
2021-03-15 CWE Content Team 4.4 updated Description, Potential_Mitigations
2021-07-20 CWE Content Team 4.5 updated Related_Attack_Patterns, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-04-28 CWE Content Team 4.7 updated Relationships
2022-06-28 CWE Content Team 4.8 updated Observed_Examples, Relationships
2022-10-13 CWE Content Team 4.9 updated References, Relationships
2023-04-27 CWE Content Team 4.11 updated References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2023-10-26 CWE Content Team 4.13 updated Observed_Examples
2024-07-16 CWE Content Team 4.15 updated Observed_Examples
2024-11-19 CWE Content Team 4.16 updated Relationships
2025-04-03 CWE Content Team 4.17 updated Common_Consequences, Description, Diagram, Mapping_Notes, Potential_Mitigations, Relationship_Notes, Terminology_Notes
2025-09-09 CWE Content Team 4.18 updated Detection_Factors, References
2025-12-11 CWE Content Team 4.19 updated Relationships, Weakness_Ordinalities
2026-04-30 CWE Content Team 4.20 updated Applicable_Platforms, Mapping_Notes

貢獻

類型 名稱 日期 評論
Content Abhi Balakrishnan 2024-02-29 Contributed usability diagram concepts used by the CWE team.
cvelogic Threat Intelligence