CWE-184 · Incomplete List of Disallowed Inputs

144 CVEs classified under CWE-184 (Incomplete List of Disallowed Inputs).

Top CVEs for CWE-184
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-49869 | Critical | 10.0 | 2026-06-26 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("… |
| CVE-2024-51745 | Critical | 10.0 | 2024-11-05 | Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such a… |
| CVE-2026-33396 | Critical | 9.9 | 2026-03-26 | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve re… |
| CVE-2026-28363 | Critical | 9.9 | 2026-02-27 | In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlis… |
| CVE-2026-56315 | Critical | 9.8 | 2026-06-23 | picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib)… |
| CVE-2026-53873 | Critical | 9.8 | 2026-06-17 | picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers… |
| CVE-2025-71323 | Critical | 9.8 | 2026-06-17 | picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw me… |
| CVE-2025-71320 | Critical | 9.8 | 2026-06-17 | picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass se… |
| CVE-2026-41264 | Critical | 9.8 | 2026-04-23 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the… |
| CVE-2026-34415 | Critical | 9.8 | 2026-04-22 | Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP… |
| CVE-2025-1716 | Critical | 9.8 | 2025-02-26 | picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI packa… |
| CVE-2024-5217 | Critical | 9.8 | 2024-07-10 | ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnera… |
| CVE-2023-3374 | Critical | 9.8 | 2023-09-05 | Incomplete List of Disallowed Inputs vulnerability in Unisign Bookreen allows Privilege Escalation. This issue affects Bookreen: before 3.0.0. |
| CVE-2019-9212 | Critical | 9.8 | 2019-02-27 | SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.nam… |
| CVE-2018-7489 | Critical | 9.8 | 2018-02-26 | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete f… |
| CVE-2017-7525 | Critical | 9.8 | 2018-02-06 | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform… |
| CVE-2017-15095 | Critical | 9.8 | 2018-02-06 | A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code ex… |
| CVE-2017-0909 | Critical | 9.8 | 2017-11-16 | The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prev… |
| CVE-2017-7540 | Critical | 9.8 | 2017-07-21 | rubygem-safemode, as used in Foreman, versions 1.3.2 and earlier are vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to de… |
| CVE-2026-55743 | Critical | 9.6 | 2026-06-17 | The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execut… |