CWE-158
25 CVEs classified under CWE-158. Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-47812 | Critical | 10.0 | 2025-07-10 | In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session… |
| CVE-2020-14500 | Critical | 10.0 | 2020-08-25 | In Secomea GateManager, all versions prior to 9.2c, an attacker can send a negative value and overwrite arbitrary data. |
| CVE-2025-14388 | Critical | 9.8 | 2025-12-23 | The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. Thi… |
| CVE-2025-55113 | Critical | 9.0 | 2025-09-16 | If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 a… |
| CVE-2022-20813 | Critical | 9.0 | 2022-07-06 | Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS… |
| CVE-2022-20812 | Critical | 9.0 | 2022-07-06 | Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS… |
| CVE-2023-5719 | High | 8.8 | 2023-11-06 | The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting secur… |
| CVE-2009-1537 | High | 8.8 | 2009-05-29 | Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows X… |
| CVE-2020-5363 | High | 8.6 | 2020-06-10 | Select Dell Client Consumer and Commercial platforms include an issue that allows the BIOS Admin password to be changed through Dell's manageability interface… |
| CVE-2024-10921 | Medium | 6.8 | 2024-11-14 | An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malfo… |
| CVE-2026-23863 | Medium | 6.5 | 2026-05-01 | An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL by… |
| CVE-2020-7928 | Medium | 6.5 | 2020-11-23 | A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects M… |
| CVE-2026-41256 | Medium | 5.5 | 2026-05-11 | jq is a command-line JSON processor. In 1.8.1 and earlier, top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on cur… |
| CVE-2024-0408 | Medium | 5.5 | 2024-01-18 | A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues a… |
| CVE-2026-43895 | Medium | 4.4 | 2026-05-11 | jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those pat… |
| CVE-2026-28540 | Medium | 4.0 | 2026-03-05 | Out-of-bounds character read vulnerability in Bluetooth. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2026-43861 | Low | 3.7 | 2026-05-04 | mutt before 2.3.2 does not check for '\0' in url_pct_decode. |
| CVE-2026-43859 | Low | 3.7 | 2026-05-04 | mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest. |
| CVE-2025-61985 | Low | 3.6 | 2025-10-06 | ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. |
| CVE-2024-9026 | Low | 3.3 | 2024-10-08 | In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through cat… |