CWE-1287

Improper Validation of Specified Type of Input

70 CVEs, average CVSS 6.5 (MITRE)
Severity: 3 Critical, 29 High, 33 Medium, 5 Low
5 with public PoC, 0 in CISA KEV

CVE-2026-54235 | PyPI | MEDIUM | PATCH | GHSA | This Month

Temperature parameter validation in vLLM (pip/vllm ≤ 0.23.0) can be bypassed by supplying NaN or positive Infinity as the temperature value, because Python's IEEE 754 float comparison operators silently return False for these inputs, allowing the values to propagate unchecked into GPU CUDA sampling kernels. The invalid inputs trigger undefined behavior or fatal CUDA errors that crash the inference worker process, dropping all in-flight requests and degrading service for every concurrent user sharing that worker. No public exploit has been identified at time of analysis, though the trigger condition is fully disclosed in the published GHSA-7h4p-rffg-7823 advisory and is trivially reproducible from that description alone.

Tags: Denial Of Service, Python, Red Hat
Sources: NVD, GitHub, VulDB
CVSS 4.0: 6.9 | EPSS: 0.3%
CVE-2026-10825 | HIGH | This Week

Denial-of-service in Moxa NPort 6000-G2 Series serial device servers allows a low-privileged authenticated attacker to disrupt service and potentially trigger an unexpected device reboot via specially crafted JSON requests to the WebSocket API. The CVSS 4.0 base score of 7.1 reflects high availability impact with no confidentiality or integrity loss. Per current intelligence, there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Tags: Information Disclosure, Nport 6000 G2 Series
Sources: NVD, VulDB
CVSS 4.0: 7.1 | EPSS: 0.3%
CVE-2026-9753 | HIGH | PATCH | This Week

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privileges to crash the database or read out-of-bounds memory by submitting a malformed binary diff through the $_internalApplyOplogUpdate aggregation pipeline stage. The flaw stems from inadequate validation of the binary diff document structure consumed by an internal oplog replay operator that is unexpectedly reachable from user-facing aggregation queries. No public exploit identified at time of analysis, but the low privilege bar and network attack vector make this a meaningful threat in multi-tenant or shared-credential MongoDB deployments.

Tags: Denial Of Service, Mongodb Server
Sources: NVD
CVSS 4.0: 7.2 | EPSS: 0.1%
CVE-2026-9742 | HIGH | PATCH | This Week

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database process by submitting a crafted 'mechanism' value to the 'authenticate' command when OIDC authentication is configured. The flaw carries a CVSS 4.0 base score of 8.2 driven by network reachability, no privileges required, and high availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Tags: Denial Of Service, Mongodb Server
Sources: NVD, VulDB
CVSS 4.0: 8.2 | EPSS: 0.1%
CVE-2026-11460 | LOW | POC | Monitor

Improper input type validation in Boost Serialization versions up to 1.91 allows remote attackers to send maliciously crafted serialized data that triggers limited compromise of confidentiality, integrity, and availability. Publicly available exploit code exists (published as a GitHub gist by researcher TrebledJ), and the maintainer has indefinitely postponed a fix after the 90-day disclosure deadline expired, leaving downstream C++ applications using Boost Serialization unpatched. No active exploitation has been confirmed via CISA KEV.

Tags: Information Disclosure, Serialization
Sources: NVD, VulDB, GitHub
CVSS 4.0: 2.9 | EPSS: 0.1%
CVE-2026-49941 | HIGH | PATCH | This Week

Denial of service in the Perl module Net::CIDR::Set through version 0.20 allows remote unauthenticated attackers to trigger indefinite recursion by submitting malformed IP address strings to the add() method. The flaw stems from missing input validation when parsing addresses, causing the parser to re-enter itself without a termination condition. No public exploit identified at time of analysis, but the issue is trivially reproducible and a fixed version 0.21 has been released on CPAN.

Tags: Denial Of Service, Net
Sources: NVD, VulDB
CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2026-40851 | HIGH | This Week

Code execution is possible on MB connect line industrial remote-maintenance routers - mbNET/mbNET.rokey, mbNET.mini, and the REX100/REX200/250 families - when a local attacker supplies a specially crafted configuration file on a USB stick that triggers a type-confusion flaw in the device's cfgparser, yielding total loss of confidentiality, integrity, and availability (CVSS 8.4). The flaw requires local/physical access to the device rather than network reach. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.02%, 7th percentile), consistent with the SSVC assessment of no observed exploitation.

Tags: RCE
Sources: NVD
CVSS 3.1: 8.4 | EPSS: 0.0%
CVE-2026-9521 | LOW | POC | PATCH | Monitor

Improper type validation in fraillt bitsery's smart pointer deserialization extension exposes applications that process attacker-controlled serialized data to partial confidentiality, integrity, and availability compromise. The vulnerable function loadFromSharedState in include/bitsery/ext/std_smart_ptr.h fails to validate polymorphic type identity before performing reinterpret_cast operations, allowing a remote unauthenticated attacker to supply crafted serialized input that triggers unsafe memory access. A publicly available proof-of-concept exploit exists (GitHub gist), though EPSS remains very low at 0.07% (21st percentile) and this CVE is not listed in CISA KEV, suggesting no observed widespread exploitation at time of analysis.

Tags: Information Disclosure, Bitsery
Sources: NVD, VulDB, GitHub
CVSS 4.0: 2.9 | EPSS: 0.1%
CVE-2026-4646 | Go | MEDIUM | PATCH | This Month

Authenticated denial-of-service in Mattermost's plugin subsystem allows a low-privileged user to crash the plugin process by sending a crafted HTTP request to the PR details API endpoint. Affected across four active release branches (10.11.x, 11.4.x, 11.5.x, 11.6.x), the flaw stems from missing input validation in API request handlers (CWE-1287). No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the low authentication barrier (any valid account) combined with network accessibility makes it a realistic insider or post-compromise nuisance risk.

Tags: Denial Of Service, Mattermost
Sources: NVD, VulDB
CVSS 3.1: 4.3 | EPSS: 0.2%
CVE-2026-7887 | PHP | LOW | PATCH | Monitor

OAuth 2.0 Authorization Code handler in Concrete CMS 9.5.0 and earlier fails to enforce account status checks, allowing users with suspended, banned, or terminated accounts (uIsActive=0) to complete OAuth flows and receive valid API tokens. Deployments using OAuth 2.0 as an authentication mechanism are affected, with the primary real-world impact being unauthorized continued access by deprovisioned users - such as terminated employees or revoked contractors - who retain OAuth credentials. With a CVSS v4.0 score of 2.3, no CISA KEV listing, and no public exploit identified at time of analysis, this is a low-severity issue with narrow scope but meaningful identity governance implications for organizations relying on CMS-level account suspension as a deprovisioning control.

Tags: Authentication Bypass, Concrete Cms
Sources: NVD
CVSS 4.0: 2.3 | EPSS: 0.1%