CWE-670
Allowed-with-ReviewAlways-Incorrect Control Flow Implementation
Abstraction: Class · Status: Draft
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
203 vulnerabilities reference this CWE, most recent first.
GHSA-G2R2-6V8V-5QGM
Vulnerability from github – Published: 2026-04-22 00:31 – Updated: 2026-04-22 00:31KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.
{
"affected": [],
"aliases": [
"CVE-2026-41527"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T22:16:20Z",
"severity": "MODERATE"
},
"details": "KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.",
"id": "GHSA-g2r2-6v8v-5qgm",
"modified": "2026-04-22T00:31:40Z",
"published": "2026-04-22T00:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41527"
},
{
"type": "WEB",
"url": "https://commits.kde.org/kleopatra/73471abb92d99c56354adb582bfaec2764c22b79"
},
{
"type": "WEB",
"url": "https://github.com/KDE/kleopatra/releases"
},
{
"type": "WEB",
"url": "https://kde.org/info/security/advisory-20260408-1.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G2XH-C426-V8MF
Vulnerability from github – Published: 2023-09-04 16:39 – Updated: 2025-06-18 17:43Impact
For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right.
- unsafe_add
- unsafe_sub
- unsafe_mul
- unsafe_div
- pow_mod256
- |, &, ^ (bitwise operators)
- bitwise_or (deprecated)
- bitwise_and (deprecated)
- bitwise_xor (deprecated)
- raw_call
- <, >, <=, >=, ==, !=
- in, not in (when lhs and rhs are enums)
This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect:
- state modifying external call
- state modifying internal call
raw_callpop()when used on a Dynamic Array stored in the storagecreate_minimal_proxy_tocreate_copy_ofcreate_from_blueprint
For example:
f:uint256
@internal
def side_effect() -> uint256:
self.f = 12
return 1
@external
def foo() -> uint256:
return unsafe_add(self.f,self.side_effect()) # returns 13 instead of 1
a:DynArray[uint256, 12]
@external
def bar() -> bool:
self.a = [1,2,3]
return len(self.a) == self.a.pop() # return false instead of true
Patches
not yet patched, will address in a future release. tracking in https://github.com/vyperlang/vyper/issues/3604.
Workarounds
When using expressions from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vyper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40015"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-04T16:39:00Z",
"nvd_published_at": "2023-09-04T18:15:07Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nFor the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right.\n\n```\n- unsafe_add\n- unsafe_sub\n- unsafe_mul\n- unsafe_div\n- pow_mod256\n- |, \u0026, ^ (bitwise operators)\n- bitwise_or (deprecated)\n- bitwise_and (deprecated)\n- bitwise_xor (deprecated)\n- raw_call\n- \u003c, \u003e, \u003c=, \u003e=, ==, !=\n- in, not in (when lhs and rhs are enums)\n```\n\nThis behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect:\n\n- state modifying external call \n- state modifying internal call\n- `raw_call`\n- `pop()` when used on a Dynamic Array stored in the storage\n- `create_minimal_proxy_to`\n- `create_copy_of`\n- `create_from_blueprint`\n\nFor example:\n\n```Vyper\nf:uint256\n\n@internal\ndef side_effect() -\u003e uint256:\n self.f = 12\n return 1\n\n@external\ndef foo() -\u003e uint256:\n return unsafe_add(self.f,self.side_effect()) # returns 13 instead of 1\n```\n\n```Vyper\na:DynArray[uint256, 12]\n@external\ndef bar() -\u003e bool:\n self.a = [1,2,3]\n return len(self.a) == self.a.pop() # return false instead of true\n```\n\n### Patches\nnot yet patched, will address in a future release. tracking in https://github.com/vyperlang/vyper/issues/3604.\n\n### Workarounds\n\nWhen using expressions from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.\n\n### References\n_Are there any links users can visit to find out more?_",
"id": "GHSA-g2xh-c426-v8mf",
"modified": "2025-06-18T17:43:48Z",
"published": "2023-09-04T16:39:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40015"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/issues/3604"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/issues/4019"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/pull/4157"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-167.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vyperlang/vyper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Vyper: reversed order of side effects for some operations"
}
GHSA-G8VQ-GJGW-GFC8
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.
{
"affected": [],
"aliases": [
"CVE-2026-56328"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:30Z",
"severity": "HIGH"
},
"details": "Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.",
"id": "GHSA-g8vq-gjgw-gfc8",
"modified": "2026-07-01T00:34:13Z",
"published": "2026-07-01T00:34:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-3cmp-pm5x-8464"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56328"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/capgo-integrity-issue-in-release-routing-via-multiple-public-channels"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GH9R-QCPC-Q754
Vulnerability from github – Published: 2026-06-20 18:31 – Updated: 2026-06-20 18:31Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.
{
"affected": [],
"aliases": [
"CVE-2026-56307"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-20T16:17:05Z",
"severity": "MODERATE"
},
"details": "Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.",
"id": "GHSA-gh9r-qcpc-q754",
"modified": "2026-06-20T18:31:29Z",
"published": "2026-06-20T18:31:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-8p6w-x7jg-v4xq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56307"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/cap-go-broken-cursor-pagination-in-private-devices-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GM67-5X5W-8F7X
Vulnerability from github – Published: 2024-12-04 15:31 – Updated: 2024-12-11 18:30In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx93-blk-ctrl: correct remove path
The check condition should be 'i < bc->onecell_data.num_domains', not 'bc->onecell_data.num_domains' which will make the look never finish and cause kernel panic.
Also disable runtime to address "imx93-blk-ctrl 4ac10000.system-controller: Unbalanced pm_runtime_enable!"
{
"affected": [],
"aliases": [
"CVE-2024-53134"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-04T15:15:13Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx93-blk-ctrl: correct remove path\n\nThe check condition should be \u0027i \u003c bc-\u003eonecell_data.num_domains\u0027, not\n\u0027bc-\u003eonecell_data.num_domains\u0027 which will make the look never finish\nand cause kernel panic.\n\nAlso disable runtime to address\n\"imx93-blk-ctrl 4ac10000.system-controller: Unbalanced pm_runtime_enable!\"",
"id": "GHSA-gm67-5x5w-8f7x",
"modified": "2024-12-11T18:30:39Z",
"published": "2024-12-04T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53134"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/201fb9e164a1e4c5937de2cf58bcb0327c08664f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8fc228ab5d38a026eae7183a5f74a4fac43d9b6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7c7c5aa556378a2c8da72c1f7f238b6648f95fb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPCC-MW99-4PG6
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Virtual Machine may cause a denial of service (application crash) or possibly have unspecified other impact because Errors::unreachable() is reached.
{
"affected": [],
"aliases": [
"CVE-2018-16766"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-10T04:29:00Z",
"severity": "HIGH"
},
"details": "In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Virtual Machine may cause a denial of service (application crash) or possibly have unspecified other impact because Errors::unreachable() is reached.",
"id": "GHSA-gpcc-mw99-4pg6",
"modified": "2022-05-13T01:19:17Z",
"published": "2022-05-13T01:19:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16766"
},
{
"type": "WEB",
"url": "https://github.com/AndrewScheidecker/WAVM/issues/96"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GXH7-WV9Q-FWFR
Vulnerability from github – Published: 2023-09-06 18:42 – Updated: 2023-09-06 18:42Impact
A Content-Security-Policy that disables eval, specifically setting a script-src directive and not providing unsafe-eval in that directive, is not respected in renderers that have sandbox and contextIsolation disabled. i.e. sandbox: false and contextIsolation: false in the webPreferences object.
This resulted in incorrectly allowing usage of methods like eval() and new Function, which can result in an expanded attack surface.
Patches
This issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes:
- 22.0.1
- 23.0.0-alpha.2
We recommend all apps upgrade to the latest stable version of Electron, especially if they use sandbox: false or contextIsolation: false.
Workarounds
If upgrading isn't possible, this issue can be addressed without upgrading by enabling at least one of sandbox: true or contextIsolation: true on all renderers.
const mainWindow = new BrowserWindow({
webPreferences: {
sandbox: true,
}
});
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Credit
Thanks to user @andreasdj for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "22.0.0-beta.1"
},
{
"fixed": "22.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "23.0.0-alpha.1"
},
{
"fixed": "23.0.0-alpha.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-23623"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-06T18:42:17Z",
"nvd_published_at": "2023-09-06T21:15:08Z",
"severity": "HIGH"
},
"details": "### Impact\nA Content-Security-Policy that disables eval, specifically setting a `script-src` directive and _not_ providing `unsafe-eval` in that directive, is not respected in renderers that have sandbox and contextIsolation disabled. i.e. `sandbox: false` and `contextIsolation: false` in the `webPreferences` object.\n\nThis resulted in incorrectly allowing usage of methods like `eval()` and `new Function`, which can result in an expanded attack surface.\n\n### Patches\nThis issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes:\n\n- 22.0.1\n- 23.0.0-alpha.2\n\nWe recommend all apps upgrade to the latest stable version of Electron, especially if they use `sandbox: false` or `contextIsolation: false`.\n\n### Workarounds\nIf upgrading isn\u0027t possible, this issue can be addressed without upgrading by enabling at least one of `sandbox: true` or `contextIsolation: true` on all renderers.\n\n```js\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n sandbox: true,\n }\n});\n```\n\n### For more information\nIf you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).\n\n### Credit\nThanks to user @andreasdj for reporting this issue.",
"id": "GHSA-gxh7-wv9q-fwfr",
"modified": "2023-09-06T18:42:17Z",
"published": "2023-09-06T18:42:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23623"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/pull/36667"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/pull/36668"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/commit/9e7fbc7021d8d716c43782249a552e55289c35db"
},
{
"type": "PACKAGE",
"url": "https://github.com/electron/electron"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/releases/tag/v22.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Electron\u0027s Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled"
}
GHSA-H4F3-5VVH-XJGJ
Vulnerability from github – Published: 2025-06-11 03:31 – Updated: 2025-06-18 03:30KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2025-49091"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-11T01:15:20Z",
"severity": "HIGH"
},
"details": "KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.",
"id": "GHSA-h4f3-5vvh-xjgj",
"modified": "2025-06-18T03:30:55Z",
"published": "2025-06-11T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49091"
},
{
"type": "WEB",
"url": "https://invent.kde.org/utilities/konsole/-/commit/09d20dea109050b4c02fb73095f327b5642a2b75"
},
{
"type": "WEB",
"url": "https://invent.kde.org/utilities/konsole/-/tags"
},
{
"type": "WEB",
"url": "https://kde.org/info/security/advisory-20250609-1.txt"
},
{
"type": "WEB",
"url": "https://konsole.kde.org/changelog.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00019.html"
},
{
"type": "WEB",
"url": "https://proofnet.de/publikationen/konsole_rce.html"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2025/06/10/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-H75F-8F3X-9M8C
Vulnerability from github – Published: 2026-05-20 18:31 – Updated: 2026-05-20 18:31A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition.
This vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2026-20171"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T17:16:19Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Border Gateway Protocol (BGP)\u0026nbsp;enforce-first-as feature of\u0026nbsp;Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition.\n\nThis vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition.",
"id": "GHSA-h75f-8f3x-9m8c",
"modified": "2026-05-20T18:31:35Z",
"published": "2026-05-20T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20171"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgp-iefab-3hb2pwtx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H792-V28V-PPGR
Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-30 15:30Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
{
"affected": [],
"aliases": [
"CVE-2026-53404"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T21:16:44Z",
"severity": "HIGH"
},
"details": "Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat\u0027s rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.",
"id": "GHSA-h792-v28v-ppgr",
"modified": "2026-06-30T15:30:43Z",
"published": "2026-06-29T21:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53404"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/29/21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.