CWE-184 · Incomplete List of Disallowed Inputs
144 CVEs classified under CWE-184 (Incomplete List of Disallowed Inputs). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-49869 | Critical | 10.0 | 2026-06-26 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("… |
| CVE-2024-51745 | Critical | 10.0 | 2024-11-05 | Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such a… |
| CVE-2026-33396 | Critical | 9.9 | 2026-03-26 | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve re… |
| CVE-2026-28363 | Critical | 9.9 | 2026-02-27 | In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlis… |
| CVE-2026-56315 | Critical | 9.8 | 2026-06-23 | picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib)… |
| CVE-2026-53873 | Critical | 9.8 | 2026-06-17 | picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers… |
| CVE-2025-71323 | Critical | 9.8 | 2026-06-17 | picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw me… |
| CVE-2025-71320 | Critical | 9.8 | 2026-06-17 | picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass se… |
| CVE-2026-41264 | Critical | 9.8 | 2026-04-23 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the… |
| CVE-2026-34415 | Critical | 9.8 | 2026-04-22 | Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP… |
| CVE-2025-1716 | Critical | 9.8 | 2025-02-26 | picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI packa… |
| CVE-2024-5217 | Critical | 9.8 | 2024-07-10 | ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnera… |
| CVE-2023-3374 | Critical | 9.8 | 2023-09-05 | Incomplete List of Disallowed Inputs vulnerability in Unisign Bookreen allows Privilege Escalation. This issue affects Bookreen: before 3.0.0. |
| CVE-2019-9212 | Critical | 9.8 | 2019-02-27 | SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.nam… |
| CVE-2018-7489 | Critical | 9.8 | 2018-02-26 | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete f… |
| CVE-2017-7525 | Critical | 9.8 | 2018-02-06 | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform… |
| CVE-2017-15095 | Critical | 9.8 | 2018-02-06 | A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code ex… |
| CVE-2017-0909 | Critical | 9.8 | 2017-11-16 | The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prev… |
| CVE-2017-7540 | Critical | 9.8 | 2017-07-21 | rubygem-safemode, as used in Foreman, versions 1.3.2 and earlier are vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to de… |
| CVE-2026-55743 | Critical | 9.6 | 2026-06-17 | The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execut… |