CWE-1287
AllowedImproper Validation of Specified Type of Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
259 vulnerabilities reference this CWE, most recent first.
GHSA-FW3Q-VJP3-89W5
Vulnerability from github – Published: 2023-06-13 09:30 – Updated: 2024-10-02 06:30Improper Input Validation vulnerability in PHOENIX CONTACT FL/TC MGUARD Family in multiple versions may allow UDP packets to bypass the filter rules and access the solely connected device behind the MGUARD which can be used for flooding attacks.
{
"affected": [],
"aliases": [
"CVE-2023-2673"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-13T07:15:46Z",
"severity": "MODERATE"
},
"details": "Improper Input Validation vulnerability in PHOENIX CONTACT FL/TC MGUARD Family in multiple versions may allow\u00a0UDP packets to bypass the filter rules and access the solely connected device behind the MGUARD which can be used for flooding attacks.",
"id": "GHSA-fw3q-vjp3-89w5",
"modified": "2024-10-02T06:30:26Z",
"published": "2023-06-13T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2673"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2023-010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FWR5-6X48-G3P6
Vulnerability from github – Published: 2024-03-27 18:32 – Updated: 2024-03-27 18:32In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the Dashboard Examples Hub in the Splunk Dashboard Studio app lacks protections for risky SPL commands. This could let attackers bypass SPL safeguards for risky commands in the Hub. The vulnerability would require the attacker to phish the victim by tricking them into initiating a request within their browser.
{
"affected": [],
"aliases": [
"CVE-2024-29946"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-20",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-27T17:15:54Z",
"severity": "HIGH"
},
"details": "In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the Dashboard Examples Hub in the Splunk Dashboard Studio app lacks protections for risky SPL commands. This could let attackers bypass SPL safeguards for risky commands in the Hub. The vulnerability would require the attacker to phish the victim by tricking them into initiating a request within their browser.",
"id": "GHSA-fwr5-6x48-g3p6",
"modified": "2024-03-27T18:32:38Z",
"published": "2024-03-27T18:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29946"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2024-0302"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/1cf58ae1-9177-40b8-a26c-8966040f11ae"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G57P-J3VC-Q7GF
Vulnerability from github – Published: 2025-07-02 09:30 – Updated: 2025-07-02 15:30Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain a SOAP message input validation flaw, which in theory could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service.
No practical exploit has been detected for this flaw. However, the issue has been corrected starting from release 24R1-SR 2.1 MP by adding sufficient input validation for received SOAP requests, effectively mitigating the reported issue.
{
"affected": [],
"aliases": [
"CVE-2025-24335"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-02T09:15:25Z",
"severity": "LOW"
},
"details": "Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain a SOAP message input validation flaw, which in theory could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service.\n\nNo practical exploit has been detected for this flaw. However, the issue has been corrected starting from release 24R1-SR 2.1 MP by adding sufficient input validation for received SOAP requests, effectively mitigating the reported issue.",
"id": "GHSA-g57p-j3vc-q7gf",
"modified": "2025-07-02T15:30:37Z",
"published": "2025-07-02T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24335"
},
{
"type": "WEB",
"url": "https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2025-24335"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G5RR-P69H-7V3G
Vulnerability from github – Published: 2022-04-22 20:57 – Updated: 2025-12-26 17:29Impact
When an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don't match, the transaction is invalid.
This involves deserializing item NBT from the client, which allows for bogus data to be provided. Usually, this is harmless, but in this particular case, it could result in crashes on certain types of bad data (e.g. incorrect ListTag type provided for the CanDestroy tag).
Patches
This is fixed in 4.2.9 by commit 5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2.
Workarounds
It's non-trivial to workaround this, but can be done by handling InventoryTransactionPacket and PlayerAuthInputPacket to scrub inbound transaction data of bogus NBT that would cause these crashes.
For more information
- Email us at team@pmmp.io
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pocketmine/pocketmine-mp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-22T20:57:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nWhen an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don\u0027t match, the transaction is invalid.\n\nThis involves deserializing item NBT from the client, which allows for bogus data to be provided. Usually, this is harmless, but in this particular case, it could result in crashes on certain types of bad data (e.g. incorrect ListTag type provided for the `CanDestroy` tag).\n\n### Patches\nThis is fixed in 4.2.9 by commit 5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2.\n\n### Workarounds\nIt\u0027s non-trivial to workaround this, but can be done by handling `InventoryTransactionPacket` and `PlayerAuthInputPacket` to scrub inbound transaction data of bogus NBT that would cause these crashes.\n\n### For more information\n* Email us at [team@pmmp.io](mailto:team@pmmp.io)",
"id": "GHSA-g5rr-p69h-7v3g",
"modified": "2025-12-26T17:29:16Z",
"published": "2022-04-22T20:57:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g5rr-p69h-7v3g"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/commit/5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2"
},
{
"type": "PACKAGE",
"url": "https://github.com/pmmp/PocketMine-MP"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/blob/4.2.9/changelogs/4.2.md#429"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/releases/tag/4.2.9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient type validation in pocketmine/pocketmine-mp"
}
GHSA-GFHQ-7499-F3F2
Vulnerability from github – Published: 2026-03-27 15:37 – Updated: 2026-03-27 15:37Summary
Conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports.
Details
Creating a DPA report about another user and leaving the evidence field empty causes that report to look like the reported user self-requested deletion of their data. Ingenuine report is not distinguishable from a genuine one.
This can be prevented by disabling convertEmptyStringsToNull in the middleware, or by validating evidence in Http/Controllers/DPAController::store() to not be empty.
PoC
New DPA report -> Select "...someone who I suspect is under the age of 13" for the "The above username is..." field -> Add nothing to the "Evidence" field -> Submit
Impact
Potential unauthorized deletion of any arbitrary user's data both in the current system (TSPortal) and subsequent systems if actioned.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 29"
},
"package": {
"ecosystem": "Packagist",
"name": "miraheze/ts-portal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "30"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29788"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-283"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T15:37:10Z",
"nvd_published_at": "2026-03-06T21:16:15Z",
"severity": "HIGH"
},
"details": "### Summary\nConversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports.\n\n### Details\nCreating a DPA report about another user and leaving the evidence field empty causes that report to look like the reported user self-requested deletion of their data. Ingenuine report is not distinguishable from a genuine one.\n\nThis can be prevented by disabling [convertEmptyStringsToNull](https://api.laravel.com/docs/12.x/Illuminate/Foundation/Configuration/Middleware.html#method_convertEmptyStringsToNull) in the middleware, or by validating `evidence` in Http/Controllers/DPAController::store() to not be empty.\n\n### PoC\nNew DPA report -\u003e Select \"...someone who I suspect is under the age of 13\" for the \"The above username is...\" field -\u003e Add nothing to the \"Evidence\" field -\u003e Submit\n\n### Impact\nPotential unauthorized deletion of any arbitrary user\u0027s data both in the current system (TSPortal) and subsequent systems if actioned.",
"id": "GHSA-gfhq-7499-f3f2",
"modified": "2026-03-27T15:37:10Z",
"published": "2026-03-27T15:37:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29788"
},
{
"type": "WEB",
"url": "https://api.laravel.com/docs/12.x/Illuminate/Foundation/Configuration/Middleware.html#method_convertEmptyStringsToNull"
},
{
"type": "PACKAGE",
"url": "https://github.com/miraheze/TSPortal"
},
{
"type": "WEB",
"url": "https://issue-tracker.miraheze.org/T15053"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H",
"type": "CVSS_V4"
}
],
"summary": "TSPortal: Any user can forge self-deletion requests for any account"
}
GHSA-GMRX-X399-MFHC
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 21:31In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.
{
"affected": [],
"aliases": [
"CVE-2024-6858"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T22:16:51Z",
"severity": "MODERATE"
},
"details": "In Arista\u2019s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.",
"id": "GHSA-gmrx-x399-mfhc",
"modified": "2026-06-05T21:31:55Z",
"published": "2026-06-05T00:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6858"
},
{
"type": "WEB",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19917-security-advisory-0103"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2J4-WH32-G972
Vulnerability from github – Published: 2025-09-09 03:30 – Updated: 2025-09-09 03:30Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. This leads to a high impact on integrity and availability of the database but no impact on confidentiality.
{
"affected": [],
"aliases": [
"CVE-2025-42916"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T02:15:39Z",
"severity": "HIGH"
},
"details": "Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. This leads to a high impact on integrity and availability of the database but no impact on confidentiality.",
"id": "GHSA-h2j4-wh32-g972",
"modified": "2025-09-09T03:30:18Z",
"published": "2025-09-09T03:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42916"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3635475"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H8HH-7XXW-Q4PG
Vulnerability from github – Published: 2025-01-15 18:30 – Updated: 2025-01-15 18:30Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
{
"affected": [],
"aliases": [
"CVE-2025-21083"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-15T17:15:19Z",
"severity": "MODERATE"
},
"details": "Mattermost Mobile Apps versions \u003c=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.",
"id": "GHSA-h8hh-7xxw-q4pg",
"modified": "2025-01-15T18:30:58Z",
"published": "2025-01-15T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21083"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HCR2-WFHW-2H9M
Vulnerability from github – Published: 2026-05-27 09:31 – Updated: 2026-05-27 09:31A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on an USB stick leading to code execution. This can result in a total loss of confidentiality, integrity and availability.
{
"affected": [],
"aliases": [
"CVE-2026-40851"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T09:16:31Z",
"severity": "HIGH"
},
"details": "A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on an USB stick leading to code execution. This can result in a total loss of confidentiality, integrity and availability.",
"id": "GHSA-hcr2-wfhw-2h9m",
"modified": "2026-05-27T09:31:17Z",
"published": "2026-05-27T09:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40851"
},
{
"type": "WEB",
"url": "https://www.certvde.com/en/advisories/VDE-2026-054"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HM43-WHRJ-J74P
Vulnerability from github – Published: 2025-07-23 12:30 – Updated: 2025-07-23 12:30IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local user to cause a denial of service due to improper validation of specified type of input.
{
"affected": [],
"aliases": [
"CVE-2024-40682"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-23T12:15:26Z",
"severity": "MODERATE"
},
"details": "IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local user to cause a denial of service due to improper validation of specified type of input.",
"id": "GHSA-hm43-whrj-j74p",
"modified": "2025-07-23T12:30:25Z",
"published": "2025-07-23T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40682"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7240264"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.