Filtered by CWE-20
Total 12426 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-27131 1 Openatom 1 Openharmony 2025-06-09 6.1 Medium
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause DOS through improper input.
CVE-2025-27242 1 Openatom 1 Openharmony 2025-06-09 3.3 Low
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause DOS through improper input.
CVE-2024-22119 1 Zabbix 1 Zabbix 2025-06-09 5.5 Medium
The cause of vulnerability is improper validation of form input field “Name” on Graph page in Items section.
CVE-2021-3326 6 Debian, Fujitsu, Gnu and 3 more 18 Debian Linux, M10-1, M10-1 Firmware and 15 more 2025-06-09 7.5 High
The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2020-29562 3 Fedoraproject, Gnu, Netapp 3 Fedora, Glibc, E-series Santricity Os Controller 2025-06-09 4.8 Medium
The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2018-15686 5 Canonical, Debian, Oracle and 2 more 10 Ubuntu Linux, Debian Linux, Communications Cloud Native Core Network Function Cloud Native Environment and 7 more 2025-06-09 7.8 High
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
CVE-2018-1000168 4 Debian, Nghttp2, Nodejs and 1 more 4 Debian Linux, Nghttp2, Node.js and 1 more 2025-06-09 7.5 High
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.
CVE-2017-16544 5 Busybox, Canonical, Debian and 2 more 8 Busybox, Ubuntu Linux, Debian Linux and 5 more 2025-06-09 8.8 High
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
CVE-2017-12652 3 Libpng, Netapp, Redhat 3 Libpng, Active Iq Unified Manager, Enterprise Linux 2025-06-09 9.8 Critical
libpng before 1.6.32 does not properly check the length of chunks against the user limit.
CVE-2016-2781 1 Gnu 1 Coreutils 2025-06-09 4.6 Medium
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
CVE-2022-42012 3 Fedoraproject, Freedesktop, Redhat 4 Fedora, Dbus, Enterprise Linux and 1 more 2025-06-09 6.5 Medium
An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.
CVE-2022-1271 4 Debian, Gnu, Redhat and 1 more 8 Debian Linux, Gzip, Enterprise Linux and 5 more 2025-06-09 8.8 High
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
CVE-2021-22924 8 Debian, Fedoraproject, Haxx and 5 more 55 Debian Linux, Fedora, Libcurl and 52 more 2025-06-09 3.7 Low
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
CVE-2024-9407 1 Redhat 3 Enterprise Linux, Openshift, Rhel Eus 2025-06-09 4.7 Medium
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.
CVE-2025-5680 2025-06-06 6.3 Medium
A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-5679 2025-06-05 6.3 Medium
A vulnerability classified as critical has been found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected is the function parseStrByFreeMarker of the file /src/main/java/com/dstz/sys/rest/controller/SysToolsController.java. The manipulation of the argument str leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-22027 1 Ays-pro 1 Quiz Maker 2025-06-05 6.5 Medium
Improper input validation vulnerability in WordPress Quiz Maker Plugin prior to 6.5.0.6 allows a remote authenticated attacker to perform a Denial of Service (DoS) attack against external services.
CVE-2022-20392 1 Google 1 Android 2025-06-05 7.8 High
In declareDuplicatePermission of ParsedPermissionUtils.java, there is a possible way to obtain a dangerous permission without user consent due to improper input validation. This could lead to local escalation of privilege during app installation or upgrade with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-213323615
CVE-2023-35136 1 Zyxel 20 Atp100, Atp100w, Atp200 and 17 more 2025-06-05 5.5 Medium
An improper input validation vulnerability in the “Quagga” package of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to access configuration files on an affected device.
CVE-2024-30087 1 Microsoft 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more 2025-06-05 7.8 High
Win32k Elevation of Privilege Vulnerability