Skip to main content

CWE-841

Improper Enforcement of Behavioral Workflow

37 CVEs Avg CVSS 6.5 MITRE
3
CRITICAL
15
HIGH
16
MEDIUM
2
LOW
13
POC
0
KEV

Monthly

CVE-2025-36333 MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-57536 MEDIUM PATCH This Month

Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.

Information Disclosure Pretix Mollie
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-13222 MEDIUM PATCH This Month

Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the business logic bypass enables direct financial fraud for event organizers. A vendor patch was released in conjunction with Pretix version 2026-5.2.

Information Disclosure Pretix Oppwa
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-13223 MEDIUM PATCH This Month

Payment response replay in the pretix-computop integration allows an unauthenticated network attacker to obtain multiple valid event tickets by paying only once. The Pretix Computop plugin fails to bind successful payment status responses to their originating transaction, so a response captured from a completed payment can be submitted against any other pending order. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified, though the vendor disclosed the issue alongside a fix on 2026-06-25.

Information Disclosure Pretix Computop
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-46540 MEDIUM This Month

Incomplete macro-block state synchronization in Nimiq core-rs-albatross LightBlockchain allows a network-accessible attacker to permanently stall a light client's chain progression by triggering a rebranch to a fork whose tip is a macro (checkpoint or election) block. Affected are all deployments of the Rust Albatross light client prior to v1.4.0. When exploitation targets an election block specifically, the stale current_validators pointer causes every subsequent push() call to fail verify_validators(), rendering the light client unable to advance its chain. No public exploit identified at time of analysis, though the exact fix is visible in merged PR #3706 and the triggering conditions are fully described in the advisory.

Information Disclosure Checkpoint
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-43974 HIGH PATCH This Week

Denial-of-service in the Erlang HTTP client library Ninenines gun (versions 2.0.0 through 2.3.x) lets a malicious or compromised HTTP/1.1 server force any gun client into raw protocol mode by returning an unsolicited 101 Switching Protocols response, after which the server can flood the client owner process with unbounded gun_data messages and exhaust BEAM VM memory. No public exploit identified at time of analysis, but the fix is trivial and the issue is reachable from any plain HTTP/1.1 request to an attacker-controlled host. CVSS 4.0 8.7 reflects the unauthenticated, network-reachable, high-availability-only impact.

Denial Of Service Gun
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-8477 Monitor

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Information Disclosure Server
NVD VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-41259 HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

Information Disclosure Mastodon
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-34582 HIGH PATCH This Week

TLS 1.3 client authentication bypass in Botan cryptography library versions prior to 3.11.1 allows unauthenticated remote attackers to skip certificate validation by sending ApplicationData records before the Finished handshake message. Exploiting this vulnerability requires no authentication (PR:N), low attack complexity (AC:L), and no user interaction (UI:N), resulting in complete integrity compromise (VI:H) for TLS 1.3 servers relying on mutual authentication. CVSS 8.7 severity reflects the network-accessible attack surface and direct violation of cryptographic protocol invariants (CWE-841: Improper Enforcement of Behavioral Workflow). No public exploit identified at time of analysis, though the protocol-level flaw in a widely-used cryptographic library presents significant risk to certificate-based access control mechanisms.

Authentication Bypass Botan
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-30574 HIGH POC This Week

SourceCodester Pharmacy Product Management System 1.0 fails to enforce inventory constraints in the add-sales.php module, allowing attackers to create sales transactions for quantities that exceed available stock levels. This business logic flaw enables overselling scenarios where the system processes orders without validating stock availability, potentially leading to negative inventory records and operational disruption. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS scoring or active exploitation via CISA KEV has been confirmed.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.

Information Disclosure Pretix Mollie
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the business logic bypass enables direct financial fraud for event organizers. A vendor patch was released in conjunction with Pretix version 2026-5.2.

Information Disclosure Pretix Oppwa
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Payment response replay in the pretix-computop integration allows an unauthenticated network attacker to obtain multiple valid event tickets by paying only once. The Pretix Computop plugin fails to bind successful payment status responses to their originating transaction, so a response captured from a completed payment can be submitted against any other pending order. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified, though the vendor disclosed the issue alongside a fix on 2026-06-25.

Information Disclosure Pretix Computop
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Incomplete macro-block state synchronization in Nimiq core-rs-albatross LightBlockchain allows a network-accessible attacker to permanently stall a light client's chain progression by triggering a rebranch to a fork whose tip is a macro (checkpoint or election) block. Affected are all deployments of the Rust Albatross light client prior to v1.4.0. When exploitation targets an election block specifically, the stale current_validators pointer causes every subsequent push() call to fail verify_validators(), rendering the light client unable to advance its chain. No public exploit identified at time of analysis, though the exact fix is visible in merged PR #3706 and the triggering conditions are fully described in the advisory.

Information Disclosure Checkpoint
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial-of-service in the Erlang HTTP client library Ninenines gun (versions 2.0.0 through 2.3.x) lets a malicious or compromised HTTP/1.1 server force any gun client into raw protocol mode by returning an unsolicited 101 Switching Protocols response, after which the server can flood the client owner process with unbounded gun_data messages and exhaust BEAM VM memory. No public exploit identified at time of analysis, but the fix is trivial and the issue is reachable from any plain HTTP/1.1 request to an attacker-controlled host. CVSS 4.0 8.7 reflects the unauthenticated, network-reachable, high-availability-only impact.

Denial Of Service Gun
NVD GitHub VulDB
EPSS 0% CVSS 2.7
Monitor

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Information Disclosure Server
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

Information Disclosure Mastodon
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

TLS 1.3 client authentication bypass in Botan cryptography library versions prior to 3.11.1 allows unauthenticated remote attackers to skip certificate validation by sending ApplicationData records before the Finished handshake message. Exploiting this vulnerability requires no authentication (PR:N), low attack complexity (AC:L), and no user interaction (UI:N), resulting in complete integrity compromise (VI:H) for TLS 1.3 servers relying on mutual authentication. CVSS 8.7 severity reflects the network-accessible attack surface and direct violation of cryptographic protocol invariants (CWE-841: Improper Enforcement of Behavioral Workflow). No public exploit identified at time of analysis, though the protocol-level flaw in a widely-used cryptographic library presents significant risk to certificate-based access control mechanisms.

Authentication Bypass Botan
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

SourceCodester Pharmacy Product Management System 1.0 fails to enforce inventory constraints in the add-sales.php module, allowing attackers to create sales transactions for quantities that exceed available stock levels. This business logic flaw enables overselling scenarios where the system processes orders without validating stock availability, potentially leading to negative inventory records and operational disruption. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS scoring or active exploitation via CISA KEV has been confirmed.

PHP Information Disclosure
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy