
CWE-1286 (Improper Validation of Syntactic Correctness of Input) — Vulnerability Class: 55 CVEs

55 vulnerabilities are classified as CWE-1286. An AI-generated Chinese-language analysis is included for each entry.

CWE-1286 (Improper Validation of Syntactic Correctness of Input) covers software that receives input expected to follow a defined syntax (JSON, XML, an HTTP header, a network protocol message) but does not check, or checks incorrectly, that the input actually conforms before acting on it. Attackers supply malformed or borderline-syntax values that a lenient parser or an ad-hoc check accepts anyway. The consequence depends on what consumes the data afterwards: parser crashes and denial of service, validation or allowlist bypasses when two components interpret the same bytes differently, and injection or other latent flaws that are not reachable with well-formed input. The mitigation is to validate syntax before anything else: define the expected format as an "accept known good" schema or grammar, parse with a library that enforces it strictly, reject input that deviates rather than trying to repair it, and make sure downstream code only ever sees the parsed, validated form rather than the raw bytes.

MITRE CWE Description
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax. Often, complex inputs are expected to follow a particular syntax, which is either assumed by the input itself, or declared within metadata such as headers. The syntax could be for data exchange formats, markup languages, or even programming languages. When untrusted input is not properly validated for the expected syntax, attackers could cause parsing failures, trigger unexpected errors, or expose latent vulnerabilities that might not be directly exploitable if the input had conformed to the syntax.
Common Consequences (1)
Other: Varies by Context
Mitigations (1)
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
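The mitigation above (validate syntax first, accept only what matches a known-good definition, reject the rest) as an added Python example. This code is constructed for this page; it is not taken from MITRE's entry or from any product or CVE listed here. It contrasts a lenient HTTP Host header allowlist check, which compares a value it never confirmed is a host, with one that checks the header against an anchored host[:port] grammar before comparing. The allowlist, the sample header values, and the helper names (lenient_host_allowed, strict_host_allowed, link_target) are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts this service is willing to answer for (constructed example data).
ALLOWED_HOSTS = {"app.example.com", "api.example.com"}

# "Accept known good": an anchored grammar for what a Host header value may be.
# A DNS label is 1-63 characters of letters, digits and hyphen, not starting or
# ending with a hyphen; a name is labels joined by dots, optionally with a
# trailing dot. An IPv6 literal is accepted only inside brackets. A port, if
# present, is 1-5 digits. Anything else (whitespace, '@', '/', '%', control
# characters, a second ':') does not match and is rejected before any comparison.
# Simplified on purpose: no IDNA, no percent-encoding, no IPv6 address check.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(
    r"(?P<host>" + _LABEL + r"(?:\." + _LABEL + r")*\.?|\[[0-9A-Fa-f:.]+\])"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


def lenient_host_allowed(header: str) -> bool:
    """The weak check (the CWE-1286 pattern): normalise, cut off "the port" at
    the first ':' and compare the remainder. It never asks whether the value is
    a syntactically valid host, so whatever follows the ':' is accepted unseen."""
    host = header.strip().lower().split(":", 1)[0]
    return host in ALLOWED_HOSTS


def strict_host_allowed(header: str) -> bool:
    """Validate the syntax first, then apply the allowlist to the parsed host."""
    m = _HOST_RE.fullmatch(header)      # fullmatch: nothing may trail the grammar
    if m is None:
        return False                     # not a host[:port] at all: reject, do not repair
    host = m.group("host").lower().rstrip(".")
    if len(host) > 253:                  # RFC 1035 limit on a full domain name
        return False
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return False                     # well-formed digits, but not a usable port
    return host in ALLOWED_HOSTS


def link_target(header: str, path: str) -> str:
    """A downstream consumer: the host that an absolute URL built from the raw
    header (for example a link placed in an e-mail) would actually point at.
    This is where a syntactically invalid value the lenient check let through
    gets reinterpreted by a second parser."""
    return urlsplit(f"https://{header}{path}").hostname or ""


if __name__ == "__main__":
    # Constructed sample header values.
    samples = [
        "app.example.com",
        "APP.example.com:443",
        "app.example.com:80@attacker.example",   # '@' is outside the host grammar
        "app.example.com\t",                      # trailing control character
        "app.example.com:0",                      # syntactically a port, semantically invalid
        "[::1]:8080",                             # well-formed, just not allowlisted
    ]
    for s in samples:
        print(f"{s!r:45} lenient={lenient_host_allowed(s)!s:5} "
              f"strict={strict_host_allowed(s)!s:5} "
              f"url_host={link_target(s, '/reset')!r}")
```

The lenient check passes "app.example.com:80@attacker.example" because it only ever looks at the text before the first colon, while urlsplit, reading the same bytes as a URL, treats everything before the "@" as userinfo and resolves the link to attacker.example. The strict version fails that value at the syntax stage, before the allowlist is consulted, and hands downstream code only the parsed host, never the raw header.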
Examples (1)
The following code loads and parses an XML file with validation switched off (setValidating(false)), so the document is never checked against its DTD before the rest of the program works on the resulting DOM.

    // Read DOM
    try {
        ...
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setValidating( false );   // validation disabled: malformed or off-grammar content is accepted
        ....
        c_dom = factory.newDocumentBuilder().parse( xmlFile );
    } catch(Exception ex) {
        ...
    }
Bad · Java
Columns: CVE ID | Title — Product | CVSS | Severity | Published. Values marked (AI) are tagged by the site as AI-generated; "-" means no severity was given.

CVE-2026-6442 | Improper Command Detection Logic Allows RCE in Cortex Code Command-Line Interface — Cortex Code CLI | 8.3 | High | 2026-04-16
CVE-2026-40198 | Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass — Net::CIDR::Lite | 7.5 | - | 2026-04-10
CVE-2026-33778 | Junos OS: SRX Series, MX Series: When a specifically malformed first ISAKMP packet is received kmd/iked crashes — Junos OS | 7.5 | High | 2026-04-09
CVE-2026-34835 | Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass. — rack | 4.8 | Medium | 2026-04-02
CVE-2026-20114 | Cisco IOS XE Software security vulnerability — Cisco IOS XE Software | 5.4 | Medium | 2026-03-25
CVE-2025-13995 | IBM QRadar SIEM Information Disclosure — QRadar | 5.0 | Medium | 2026-03-19
CVE-2026-3632 | Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames — Red Hat Enterprise Linux 10 | 3.9 | Low | 2026-03-17
CVE-2025-59785 | API - Insufficient Input Validation — 2N Access Commander | 4.9 (AI) | Medium (AI) | 2026-03-04
CVE-2025-13327 | Uv: uv: specially crafted zip archives lead to arbitrary code execution due to parsing differentials — uv | 6.3 | Medium | 2026-02-27
CVE-2026-0663 | Denial of Service condition in M-Files Server — M-Files Server | 4.9 (AI) | Medium (AI) | 2026-01-21
CVE-2026-21917 | Junos OS: SRX Series: Specifically malformed SSL packet causes FPC crash — Junos OS | 7.5 | High | 2026-01-15
CVE-2025-67492 | Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration — weblate | 5.3 | Medium | 2025-12-16
CVE-2025-13033 | Nodemailer: nodemailer: email to an unintended domain can occur due to interpretation conflict — nodemailer | 7.5 | High | 2025-11-14
CVE-2025-41719 | Sauter: Improper Validation of user-controlled data — modulo 6 devices modu680-AS | 8.8 | High | 2025-10-22
CVE-2025-11573 | Denial of Service issue in Amazon.IonDotnet — Amazon.IonDotnet | 7.5 | High | 2025-10-09
CVE-2025-36262 | IBM Planning Analytics Local information disclosure — Planning Analytics Local | 4.9 | Medium | 2025-09-30
CVE-2025-10954 | phonenumber security vulnerability — github.com/nyaruka/phonenumbers | 5.3 | Medium | 2025-09-27
CVE-2025-54995 | Asterisk remotely exploitable leak of RTP UDP ports and internal resources — asterisk | 6.5 | Medium | 2025-08-28
CVE-2025-25007 | Microsoft Exchange Server Spoofing Vulnerability — Microsoft Exchange Server 2016 Cumulative Update 23 | 5.3 | Medium | 2025-08-12
CVE-2024-51983 | Unauthenticated Denial of Service (DoS) via malformed WS-Scan request affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc. — HL-L8260CDN | 7.5 | High | 2025-06-25
CVE-2024-51982 | Unauthenticated Denial of Service (DoS) via malformed PJL request affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, and Ricoh. — HL-L8260CDN | 7.5 | High | 2025-06-25
CVE-2025-30415 | Acronis Cyber Protect Cloud Agent security vulnerability — Acronis Cyber Protect Cloud Agent | 7.5 (AI) | High (AI) | 2025-06-04
CVE-2025-24348 | Bosch Rexroth ctrlX OS security vulnerability — ctrlX OS - Device Admin | 5.4 | Medium | 2025-04-30
CVE-2025-24347 | Bosch Rexroth ctrlX OS security vulnerability — ctrlX OS - Device Admin | 6.5 | Medium | 2025-04-30
CVE-2025-24346 | Bosch Rexroth ctrlX OS security vulnerability — ctrlX OS - Device Admin | 7.5 | High | 2025-04-30
CVE-2025-24345 | Bosch Rexroth ctrlX OS security vulnerability — ctrlX OS - Device Admin | 6.3 | Medium | 2025-04-30
CVE-2025-46419 | Westermo WeOS security vulnerability — WeOS | 5.9 | Medium | 2025-04-24
CVE-2024-52362 | IBM App Connect Enterprise Certified Container denial of service — App Connect Enterprise Certified Container | 4.3 | Medium | 2025-03-12
CVE-2025-20644 | MediaTek Modem security vulnerability — MT2735, MT2737, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8673, MT8791T, MT8795T, MT8798 | 7.5 | - | 2025-03-03
CVE-2025-24812 | Siemens SIMATIC S7-1200 security vulnerability — SIMATIC S7-1200 CPU 1211C AC/DC/Rly | 6.5 | Medium | 2025-02-11

Vulnerabilities classified as CWE-1286 amount to 55 CVEs, 30 of which are listed above. The CWE taxonomy describes the weakness in general; review the individual CVE entries for product-specific impact.