CWE-20: Improper Input Validation — known CVE vulnerabilities
CVEs classified under CWE-20 (Improper Input Validation), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-48316 — CVSS 10.0 (critical): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary…
CVE-2026-48281 — CVSS 10.0 (critical): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary…
CVE-2026-48277 — CVSS 10.0 (critical): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary…
CVE-2026-48055 — CVSS 10.0 (critical): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity…
CVE-2026-33587 — CVSS 10.0 (critical): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands)…
CVE-2026-0848 — CVSS 10.0 (critical): NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The…
CVE-2026-21858 — CVSS 10.0 (critical): n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on…
CVE-2025-34300: A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl…
CVE-2025-34105: A stack-based buffer overflow vulnerability exists in the built-in web interface of DiskBoss Enterprise versions 7.4.28, 7.5.12, and…
CVE-2025-34060: A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted…
CVE-2025-34043: A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in…
CVE-2025-23202: Bible Module is a tool designed for ROBLOX developers to integrate Bible functionality into their games. The `FetchVerse` and…
CVE-2023-41917 — CVSS 10.0 (critical): Inadequate input validation exposes the system to potential remote code execution (RCE) risks. Attackers can exploit this vulnerability by…
CVE-2024-22476 — CVSS 10.0 (critical): Improper input validation in some Intel(R) Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially…
CVE-2023-51438 — CVSS 10.0 (critical): A vulnerability has been identified in SIMATIC IPC1047E (All versions with maxView Storage Manager < V4.14.00.26068 on Windows), SIMATIC…
CVE-2023-7163 — CVSS 10.0 (critical): A security issue exists in D-Link D-View 8 v2.0.2.89 and prior that could allow an attacker to manipulate the probe inventory of the D-View…
CVE-2023-45128 — CVSS 10.0 (critical): Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the…
CVE-2023-28100 — CVSS 10.0 (critical): Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8…
CVE-2021-21322 — CVSS 10.0 (critical): fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a…
CVE-2021-21321 — CVSS 10.0 (critical): fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from…
CVE-2020-13753 — CVSS 10.0 (critical): The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI…
CVE-2020-12389 — CVSS 10.0 (critical): The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this issue only…
CVE-2020-12388 — CVSS 10.0 (critical): The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this issue only…
CVE-2020-6963 — CVSS 10.0 (critical): In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X…
CVE-2020-6962 — CVSS 10.0 (critical): In ApexPro Telemetry Server, Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions…
CVE-2017-16845 — CVSS 10.0 (critical): hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.
CVE-2017-10918 — CVSS 10.0 (critical): Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to obtain privileged host…
CVE-2017-7213 — CVSS 10.0 (critical): Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via…
CVE-2017-5226 — CVSS 10.0 (critical): When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to…
CVE-2015-8747 — CVSS 10.0 (critical): The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted…
CVE-2015-7828 — CVSS 10.0 (critical): SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have…
CVE-2014-8873 — CVSS 10.0 (critical): A .desktop file in the Debian openjdk-7 package 7u79-2.5.5-1~deb8u1 includes a MIME type registration that is added to /etc/mailcap by…
CVE-2015-7838 — CVSS 10.0 (critical): ProcessFileUpload.jsp in SolarWinds Storage Manager before 6.2 allows remote attackers to upload and execute arbitrary files via…
CVE-2015-5780 — CVSS 10.0 (critical): The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension…
CVE-2015-6598 — CVSS 10.0 (critical): libstagefright in Android before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory…
CVE-2015-5568 — CVSS 10.0 (critical): Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before…
CVE-2015-0850 — CVSS 10.0 (critical): The Git plugin for FusionForge before 6.0rc4 allows remote attackers to execute arbitrary code via an unspecified parameter when creating a…
CVE-2015-0701 — CVSS 10.0 (critical): Cisco UCS Central Software before 1.3(1a) allows remote attackers to execute arbitrary commands via a crafted HTTP request, aka Bug ID…
CVE-2015-1132 — CVSS 10.0 (critical): fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different…
CVE-2014-8836 — CVSS 10.0 (critical): The Bluetooth driver in Apple OS X before 10.10.2 allows attackers to execute arbitrary code in a privileged context or cause a denial of…
CVE-2014-8824 — CVSS 10.0 (critical): The kernel in Apple OS X before 10.10.2 does not properly validate IODataQueue object metadata fields, which allows attackers to execute…
CVE-2015-0301 — CVSS 10.0 (critical): Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe…
CVE-2014-9371 — CVSS 10.0 (critical): The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON…
CVE-2014-3306 — CVSS 10.0 (critical): The web server on Cisco DPC3010, DPC3212, DPC3825, DPC3925, DPQ3925, EPC3010, EPC3212, EPC3825, and EPC3925 Wireless Residential Gateway…
CVE-2014-1318 — CVSS 10.0 (critical): The Intel Graphics Driver in Apple OS X through 10.9.2 does not properly validate a certain pointer, which allows attackers to execute…