Skip to main content

CWE-233

Improper Handling of Parameters

23 CVEs Avg CVSS 7.1 MITRE
2
CRITICAL
9
HIGH
10
MEDIUM
1
LOW
5
POC
0
KEV

Monthly

CVE-2026-0515 MEDIUM This Month

Insufficient Parameter Validation in the SchedGet() system call could allow an attacker with local access to cause a crash of the QNX Neutrino kernel.

Denial Of Service Qnx Software Development Platform Qnx Os For Safety Qnx Os For Medical
NVD VulDB
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-32998 CRITICAL Act Now

Remote code execution in Veeam Service Provider Console versions 9.0 through 9.2 allows authenticated remote attackers to execute arbitrary code on the server, per the CVSS 4.0 vector requiring low privileges (PR:L) over the network. With a CVSS score of 9.4 and a scope change indicating impact beyond the vulnerable component (SC:H/SI:H/SA:H), successful exploitation could compromise managed downstream customer environments. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

RCE Service Provider Console
NVD VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-33585 LOW PATCH Monitor

Session impersonation in Arqit Symmetric Key Agreement Platform (SKA-Platform) prior to version 26.03 is enabled by improper idle timeout enforcement in the embedded Keycloak authentication interface, allowing browser sessions to persist beyond their intended expiry window. An attacker with physical access to an unattended device where a tenant user has an open, authenticated session can exploit the unexpired session to impersonate that user. No public exploit code exists and CISA has not listed this in KEV; EPSS is at the 0th percentile, consistent with SSVC's 'none' exploitation status and the severe physical-access prerequisite.

Information Disclosure Symmetric Key Agreement Platform
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2018-25233 MEDIUM POC This Month

WebDrive 18.00.5057 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the username field during Secure WebDAV. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Webdrive
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-2370 HIGH PATCH This Week

Improper authorization in GitLab CE/EE Jira Connect integration allows authenticated users with minimal workspace permissions to steal installation credentials and impersonate the GitLab application. Affects versions 14.3 through 18.8.6, 18.9.0-18.9.2, and 18.10.0. Vendor-released patches available in versions 18.8.7, 18.9.3, and 18.10.1. High CVSS score (8.1) reflects significant confidentiality and integrity impact with low attack complexity. No public exploit identified at time of analysis, though detailed disclosure exists via HackerOne report.

Gitlab Information Disclosure Atlassian
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2023-20514 Monitor

Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution

RCE
NVD
EPSS
0.0%
CVE-2026-22626 MEDIUM This Month

Insufficient input validation in HIKSEMI NAS devices allows authenticated users to trigger denial of service conditions through malformed messages. An attacker with valid credentials can exploit this flaw to cause abnormal device behavior and availability disruptions without requiring user interaction. No patch is currently available to address this vulnerability.

Information Disclosure
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-52970 HIGH POC THREAT CERT-EU Act Now

A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 28.8%.

Fortinet Information Disclosure Fortiweb
NVD
CVSS 3.1
8.1
EPSS
28.8%
Threat
4.0
CVE-2024-9329 Maven MEDIUM POC PATCH This Month

In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Glassfish
NVD GitHub
CVSS 4.0
6.9
EPSS
0.7%
CVE-2024-33433 MEDIUM POC This Month

Cross Site Scripting vulnerability in TOTOLINK X2000R before v1.0.0-B20231213.1013 allows a remote attacker to execute arbitrary code via the Guest Access Control parameter in the Wireless Page. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS X2000r Firmware
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
EPSS 0% CVSS 6.2
MEDIUM This Month

Insufficient Parameter Validation in the SchedGet() system call could allow an attacker with local access to cause a crash of the QNX Neutrino kernel.

Denial Of Service Qnx Software Development Platform Qnx Os For Safety +1
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Remote code execution in Veeam Service Provider Console versions 9.0 through 9.2 allows authenticated remote attackers to execute arbitrary code on the server, per the CVSS 4.0 vector requiring low privileges (PR:L) over the network. With a CVSS score of 9.4 and a scope change indicating impact beyond the vulnerable component (SC:H/SI:H/SA:H), successful exploitation could compromise managed downstream customer environments. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

RCE Service Provider Console
NVD VulDB
EPSS 0% CVSS 3.8
LOW PATCH Monitor

Session impersonation in Arqit Symmetric Key Agreement Platform (SKA-Platform) prior to version 26.03 is enabled by improper idle timeout enforcement in the embedded Keycloak authentication interface, allowing browser sessions to persist beyond their intended expiry window. An attacker with physical access to an unattended device where a tenant user has an open, authenticated session can exploit the unexpired session to impersonate that user. No public exploit code exists and CISA has not listed this in KEV; EPSS is at the 0th percentile, consistent with SSVC's 'none' exploitation status and the severe physical-access prerequisite.

Information Disclosure Symmetric Key Agreement Platform
NVD
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WebDrive 18.00.5057 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the username field during Secure WebDAV. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Webdrive
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Improper authorization in GitLab CE/EE Jira Connect integration allows authenticated users with minimal workspace permissions to steal installation credentials and impersonate the GitLab application. Affects versions 14.3 through 18.8.6, 18.9.0-18.9.2, and 18.10.0. Vendor-released patches available in versions 18.8.7, 18.9.3, and 18.10.1. High CVSS score (8.1) reflects significant confidentiality and integrity impact with low attack complexity. No public exploit identified at time of analysis, though detailed disclosure exists via HackerOne report.

Gitlab Information Disclosure Atlassian
NVD VulDB
EPSS 0%
Monitor

Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution

RCE
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Insufficient input validation in HIKSEMI NAS devices allows authenticated users to trigger denial of service conditions through malformed messages. An attacker with valid credentials can exploit this flaw to cause abnormal device behavior and availability disruptions without requiring user interaction. No patch is currently available to address this vulnerability.

Information Disclosure
NVD
EPSS 29% 4.0 CVSS 8.1
HIGH POC THREAT Act Now

A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 28.8%.

Fortinet Information Disclosure Fortiweb
NVD
EPSS 1% CVSS 6.9
MEDIUM POC PATCH This Month

In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Glassfish
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

Cross Site Scripting vulnerability in TOTOLINK X2000R before v1.0.0-B20231213.1013 allows a remote attacker to execute arbitrary code via the Guest Access Control parameter in the Wireless Page. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS X2000r Firmware
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy