
CWE-1284: Improper Validation of Specified Quantity in Input

134 vulnerabilities classified as CWE-1284. AI-generated Chinese analysis included.

CWE-1284 covers input validation failures in which software does not properly check a user-supplied quantity such as a size, length, count, or rate before using it. An attacker exploits the gap by supplying a value outside the range the code silently assumes: a huge count that drives allocation or iteration until resources are exhausted, a negative or wrapped value that makes an allocation size or a price calculation nonsensical, or a length that exceeds the buffer it is copied into. Depending on what the quantity controls, the result is denial of service, data corruption, or memory corruption that can lead to code execution. The fix is to treat every quantity as untrusted: parse it strictly (reject signs, trailing characters, and overflow), enforce an explicit lower and upper bound that matches what the application actually needs, check arithmetic on validated values for overflow before allocating or charging, and fail closed on anything outside those limits.

MITRE CWE Description
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. Specified quantities include size, length, frequency, price, rate, number of operations, time, and others. Code may rely on specified quantities to allocate resources, perform calculations, control iteration, etc.
Common Consequences (1)
Scope: Other, Integrity, Availability
Impact: Varies by Context; DoS: Resource Consumption (CPU); Modify Memory; Read Memory
When the quantity is not properly validated, attackers can specify malicious quantities to cause excessive resource allocation, trigger unexpected failures, enable buffer overflows, etc.
Mitigations (1)
Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
Examples (2)

Example 1 (Bad, Java). This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated.

```java
...
public static final double price = 20.00;
// The quantity is taken from the user with no range check at all:
// a negative or absurdly large value is accepted and multiplied through.
int quantity = currentUser.getAttribute("quantity");
double total = price * quantity;
chargeUser(total);
...
```

Example 2 (Bad, C). This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares.

```c
...
#define MAX_DIM 100
...
/* board dimensions */
int m, n, error;
board_square_t *board;

printf("Please specify the board height: \n");
error = scanf("%d", &m);
if (EOF == error) {
    die("No integer passed: Die evil hacker!\n");
}
printf("Please specify the board width: \n");
error = scanf("%d", &n);
if (EOF == error) {
    die("No integer passed: Die evil hacker!\n");
}
/* Only the upper bound is checked: a negative or zero m or n passes,
   and m * n is computed in int before it reaches malloc(). */
if (m > MAX_DIM || n > MAX_DIM) {
    die("Value too large: Die evil hacker!\n");
}
board = (board_square_t *) malloc(m * n * sizeof(board_square_t));
...
```
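The hardened counterpart of both examples above, written for this page as an added example (it is not MITRE's code and not from any product listed below). It assumes its own names: parse_quantity, board_bytes, order_total_cents, a MAX_QTY order limit of 1000, a one-byte board_square_t, and prices held in integer cents rather than the double used in the Java snippet. The point it demonstrates is the one both "Bad" examples miss: a quantity must be parsed strictly, bounded below as well as above, and the arithmetic done on it checked for overflow before the value drives an allocation or a charge.

```c
/*
 * Added example, not from the page or MITRE: strict validation of
 * user-supplied quantities (CWE-1284), the hardened version of the
 * shop and game-board snippets above. All names here are this
 * example's own assumptions.
 */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIM 100   /* board side limit, as in the C example above   */
#define MAX_QTY 1000  /* assumed per-order item limit for the shop case */

/* Assumed square type; the page never defines board_square_t. */
typedef struct { unsigned char owner; } board_square_t;

/*
 * Parse a decimal string as a quantity in [lo, hi].
 * Rejects empty input, any leading sign or whitespace, trailing
 * characters, values outside [lo, hi], and anything strtol reports
 * as overflow. Stores the value and returns true only on success.
 */
bool parse_quantity(const char *s, long lo, long hi, long *out)
{
    if (s == NULL || *s == '\0' || lo > hi) return false;
    /* strtol tolerates leading whitespace and '-'/'+'; a quantity must not. */
    if (*s < '0' || *s > '9') return false;
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE) return false;          /* overflowed long            */
    if (end == s || *end != '\0') return false; /* no digits or trailing junk */
    if (v < lo || v > hi) return false;         /* outside accepted range     */
    *out = v;
    return true;
}

/*
 * Byte count for an m x n board, or 0 if the dimensions are invalid or
 * the size would overflow size_t. Unlike the example above, zero and
 * negative dimensions are rejected and the multiply is checked, so
 * malloc() never sees a wrapped or negative-turned-huge size.
 */
size_t board_bytes(long m, long n)
{
    if (m < 1 || m > MAX_DIM || n < 1 || n > MAX_DIM) return 0;
    size_t cells = (size_t)m * (size_t)n;   /* at most 10000: cannot wrap */
    if (cells > SIZE_MAX / sizeof(board_square_t)) return 0;
    return cells * sizeof(board_square_t);
}

/*
 * Shop case: order total in cents. A quantity outside [1, MAX_QTY] is
 * rejected instead of being multiplied into a negative or giant charge,
 * and the multiplication itself is overflow-checked.
 */
bool order_total_cents(const char *qty_str, long unit_cents, long *total)
{
    long qty;
    if (!parse_quantity(qty_str, 1, MAX_QTY, &qty)) return false;
    if (unit_cents < 0 || unit_cents > LONG_MAX / qty) return false;
    *total = unit_cents * qty;
    return true;
}

int main(void)
{
    /* Constructed inputs; the last five are the kinds an attacker sends. */
    const char *inputs[] = {"3", "100", "0", "-5", "101",
                            "99999999999999999999", "12abc"};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long v;
        bool ok = parse_quantity(inputs[i], 1, MAX_DIM, &v);
        printf("%-22s -> %s\n", inputs[i], ok ? "accepted" : "rejected");
    }
    long total;
    if (order_total_cents("-5", 2000, &total))
        puts("BUG: negative quantity was charged");
    printf("board_bytes(100, 100) = %zu, board_bytes(-1, 5) = %zu\n",
           board_bytes(100, 100), board_bytes(-1, 5));
    return 0;
}
```

The first-character check is deliberate: strtol's own grammar accepts "  -5" and "+7", which is exactly the sign handling that lets a negative quantity through in the original examples, so the parser refuses anything that does not start with a digit rather than trusting the library's leniency.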
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-25863 | Conditional Fields for Contact Form 7 < 2.7.3 DoS via Uncontrolled Resource Consumption | Conditional Fields for Contact Form 7 | 7.5 | High | 2026-05-04 |
| CVE-2025-14688 | IBM® Db2® is vulnerable to a denial of service when fetching from certain tables under specific configurations | Db2 | 5.3 | Medium | 2026-04-30 |
| CVE-2026-6915 | Flaw in the updateUser Command May Allow Unauthorized Configuration Change | MongoDB Server | 6.3 | Medium | 2026-04-29 |
| CVE-2026-1352 | IBM® Db2® is vulnerable to a trap or return SQLCODE -901 when compiling a specially crafted query with a defined index | Db2 | 6.5 | Medium | 2026-04-22 |
| CVE-2026-6839 | ONE security vulnerability | ONE | 6.6 | Medium | 2026-04-22 |
| CVE-2026-41285 | OpenBSD security vulnerability | OpenBSD | 4.3 | Medium | 2026-04-20 |
| CVE-2026-2403 | Schneider Electric PowerChute Serial Shutdown security vulnerability | PowerChute™ Serial Shutdown | 2.7 | - | 2026-04-14 |
| CVE-2025-3756 | Denial of Service Vulnerabilities in System 800xA, Symphony® Plus IEC 61850 | AC800M (System 800xA) | 6.5 | Medium | 2026-04-13 |
| CVE-2026-40093 | nimiq-blockchain is missing a wall-clock upper bound on block timestamps | core-rs-albatross | 8.1 | High | 2026-04-09 |
| CVE-2025-12664 | Improper Validation of Specified Quantity in Input in GitLab | GitLab | 7.5 | High | 2026-04-08 |
| CVE-2026-1092 | Improper Validation of Specified Quantity in Input in GitLab | GitLab | 7.5 | High | 2026-04-08 |
| CVE-2026-1101 | Improper Validation of Specified Quantity in Input in GitLab | GitLab | 6.5 | Medium | 2026-04-08 |
| CVE-2025-13078 | Improper Validation of Specified Quantity in Input in GitLab | GitLab | 6.5 | Medium | 2026-03-25 |
| CVE-2026-25345 | WordPress SimpLy Gallery plugin <= 3.3.2 - Arbitrary Code Execution vulnerability | SimpLy Gallery | 9.9 | Critical | 2026-03-25 |
| CVE-2026-33349 | fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation | fast-xml-parser | 5.9 | Medium | 2026-03-24 |
| CVE-2026-26940 | Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service | Kibana | 6.5 | Medium | 2026-03-19 |
| CVE-2025-14513 | Improper Validation of Specified Quantity in Input in GitLab | GitLab | 7.5 | High | 2026-03-11 |
| CVE-2026-27384 | WordPress W3 Total Cache plugin <= 2.9.1 - Arbitrary Code Execution vulnerability | W3 Total Cache | 9.0 | Critical | 2026-03-05 |
| CVE-2026-26934 | Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service | Kibana | 6.5 | Medium | 2026-02-26 |
| CVE-2025-14511 | Improper Validation of Specified Quantity in Input in GitLab | GitLab | 7.5 | High | 2026-02-25 |
| CVE-2026-27171 | zlib security vulnerability | zlib | 2.9 | Low | 2026-02-18 |
| CVE-2025-13867 | IBM Db2 Denial of Service | Db2 for Linux, UNIX and Windows | 6.5 | Medium | 2026-02-17 |
| CVE-2025-14689 | IBM Db2 Denial of Service | Db2 for Linux, UNIX and Windows | 6.5 | Medium | 2026-02-17 |
| CVE-2025-52534 | AMD EPYC 9005 Series security vulnerability | AMD EPYC™ 9005 Series Processors | 6.5 (AI) | Medium (AI) | 2026-02-10 |
| CVE-2024-21953 | Multiple AMD products security vulnerability | AMD EPYC™ 9004 Series Processors | 6.0 (AI) | Medium (AI) | 2026-02-10 |
| CVE-2025-15080 | Information Disclosure, Information Tampering, and Denial of Service (DoS) Vulnerability in Mitsubishi Electric proprietary protocol communication and SLMP communication for FA products | MELSEC iQ-R Series R08PCPU | 9.8 (AI) | Critical (AI) | 2026-02-05 |
| CVE-2025-36094 | Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2026 | Cloud Pak for Business Automation | 5.4 | Medium | 2026-02-03 |
| CVE-2025-36009 | IBM Db2 Denial of Service | Db2 for Linux, UNIX and Windows | 6.5 | Medium | 2026-01-30 |
| CVE-2025-36407 | IBM Db2 Denial of Service | Db2 for Linux, UNIX and Windows | 6.5 | Medium | 2026-01-30 |
| CVE-2025-36423 | IBM Db2 Denial of Service | Db2 for Linux, UNIX and Windows | 6.5 | Medium | 2026-01-30 |

Scores and severities marked (AI) carry the page's own AI label rather than a published CVSS value; a "-" severity is missing in the source.

Vulnerabilities classified as CWE-1284 represent 134 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.