Skip to main content

CWE-159

Improper Handling of Invalid Use of Special Elements

10 CVEs Avg CVSS 6.1 MITRE
1
CRITICAL
4
HIGH
3
MEDIUM
2
LOW
1
POC
0
KEV

Monthly

CVE-2026-35536 PyPI HIGH PATCH GHSA This Week

Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.

Code Injection Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-2636 MEDIUM This Month

Local denial of service in Windows CLFS.sys driver allows unprivileged users to crash the system through improper handling of special elements. Affected versions include Windows 11 2024 LTSC and Windows Server 2025 prior to the September 2025 cumulative update, while Windows 25H2 and later contain the patch. No public exploit code is currently available, and the vulnerability carries a CVSS score of 5.5 with zero estimated probability of exploitation.

Microsoft Windows Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-52884 Cargo LOW PATCH Monitor

A security vulnerability in RISC Zero (CVSS 1.7). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD GitHub
CVSS 4.0
1.7
EPSS
0.1%
CVE-2021-21707 MEDIUM POC PATCH THREAT This Month

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Information Disclosure Clustered Data Ontap Debian Linux Tenable Sc
NVD
CVSS 3.1
5.3
EPSS
26.0%
CVE-2021-42375 MEDIUM This Month

An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Busybox Fedora Cloud Backup Hci Management Node +8
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2020-1653 HIGH This Week

On Juniper Networks Junos OS devices, a stream of TCP packets sent to the Routing Engine (RE) may cause mbuf leak which can lead to Flexible PIC Concentrator (FPC) crash or the system to crash and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Juniper Junos
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-1648 HIGH This Week

On Juniper Networks Junos OS and Junos OS Evolved devices, processing a specific BGP packet can lead to a routing process daemon (RPD) crash and restart. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Juniper Junos Junos Os Evolved
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2020-1646 HIGH This Week

On Juniper Networks Junos OS and Junos OS Evolved devices, processing a specific UPDATE for an EBGP peer can lead to a routing process daemon (RPD) crash and restart. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Juniper Junos Junos Os Evolved
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2019-9505 CRITICAL Act Now

The PrinterLogic Print Management software, versions up to and including 18.3.1.96, does not sanitize special characters allowing for remote unauthorized changes to configuration files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Print Management
NVD
CVSS 3.1
9.8
EPSS
3.5%
CVE-2025-61984 LOW Monitor

OpenSSH on Alpine Linux received a security fix in package version 10.1_p1-r0, addressing an unspecified vulnerability tracked as CVE-2025-61984. The exact nature, attack vector, and impact of this vulnerability are not disclosed in available intelligence sources - no CVE description, CVSS score, or CWE classification has been published at time of analysis. EPSS probability is extremely low at 0.01% (2nd percentile), and no public exploit or CISA KEV listing has been identified.

Information Disclosure SSH
NVD
CVSS 3.1
3.6
EPSS
0.0%
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.

Code Injection Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Local denial of service in Windows CLFS.sys driver allows unprivileged users to crash the system through improper handling of special elements. Affected versions include Windows 11 2024 LTSC and Windows Server 2025 prior to the September 2025 cumulative update, while Windows 25H2 and later contain the patch. No public exploit code is currently available, and the vulnerability carries a CVSS score of 5.5 with zero estimated probability of exploitation.

Microsoft Windows Denial Of Service
NVD
EPSS 0% CVSS 1.7
LOW PATCH Monitor

A security vulnerability in RISC Zero (CVSS 1.7). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD GitHub
EPSS 26% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Information Disclosure Clustered Data Ontap +2
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Busybox Fedora +10
NVD
EPSS 2% CVSS 7.5
HIGH This Week

On Juniper Networks Junos OS devices, a stream of TCP packets sent to the Routing Engine (RE) may cause mbuf leak which can lead to Flexible PIC Concentrator (FPC) crash or the system to crash and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Juniper Junos
NVD
EPSS 1% CVSS 7.5
HIGH This Week

On Juniper Networks Junos OS and Junos OS Evolved devices, processing a specific BGP packet can lead to a routing process daemon (RPD) crash and restart. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Juniper Junos +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

On Juniper Networks Junos OS and Junos OS Evolved devices, processing a specific UPDATE for an EBGP peer can lead to a routing process daemon (RPD) crash and restart. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Juniper Junos +1
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

The PrinterLogic Print Management software, versions up to and including 18.3.1.96, does not sanitize special characters allowing for remote unauthorized changes to configuration files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Print Management
NVD
EPSS 0% CVSS 3.6
LOW Monitor

OpenSSH on Alpine Linux received a security fix in package version 10.1_p1-r0, addressing an unspecified vulnerability tracked as CVE-2025-61984. The exact nature, attack vector, and impact of this vulnerability are not disclosed in available intelligence sources - no CVE description, CVSS score, or CWE classification has been published at time of analysis. EPSS probability is extremely low at 0.01% (2nd percentile), and no public exploit or CISA KEV listing has been identified.

Information Disclosure SSH
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy