Skip to main content

CWE-235

Improper Handling of Extra Parameters

3 CVEs Avg CVSS 7.6 MITRE
1
CRITICAL
1
HIGH
1
MEDIUM
0
LOW
0
POC
0
KEV

Monthly

CVE-2026-27851 CRITICAL PATCH Act Now

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in the 'safe' template filter: when 'safe' is applied during variable expansion, every subsequent pipeline stage on the same string inherits the 'safe' designation, so attacker-controlled data that should be escaped is passed through unescaped. Because variable expansion is used to build authentication backend queries, this enables SQL or LDAP injection by remote unauthenticated attackers. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.01%, 2nd percentile).

Code Injection Ox Dovecot Pro
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-20083 MEDIUM This Month

Improper validation of malformed SCP requests in Cisco IOS XE Software allows authenticated local attackers to trigger unexpected device reloads and cause service disruption. An attacker with low privileges can exploit this vulnerability by sending a crafted SSH command to the SCP server component. No patch is currently available for this denial of service vulnerability.

Cisco Denial Of Service Apple
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-47651 HIGH This Week

This vulnerability exists in Shilpi Client Dashboard due to improper handling of multiple parameters in the API endpoint. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Client Dashboard
NVD
CVSS 4.0
7.1
EPSS
0.4%
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in the 'safe' template filter: when 'safe' is applied during variable expansion, every subsequent pipeline stage on the same string inherits the 'safe' designation, so attacker-controlled data that should be escaped is passed through unescaped. Because variable expansion is used to build authentication backend queries, this enables SQL or LDAP injection by remote unauthenticated attackers. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.01%, 2nd percentile).

Code Injection Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper validation of malformed SCP requests in Cisco IOS XE Software allows authenticated local attackers to trigger unexpected device reloads and cause service disruption. An attacker with low privileges can exploit this vulnerability by sending a crafted SSH command to the SCP server component. No patch is currently available for this denial of service vulnerability.

Cisco Denial Of Service Apple
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

This vulnerability exists in Shilpi Client Dashboard due to improper handling of multiple parameters in the API endpoint. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Client Dashboard
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy