
CWE-1286 — Vulnerability Class 55

55 vulnerabilities classified as CWE-1286. AI Chinese analysis included.

CWE-1286 represents a critical input validation weakness where software fails to verify that incoming data adheres to its expected syntactic structure. Attackers typically exploit this flaw by injecting malformed or syntactically incorrect payloads, such as broken JSON, XML, or HTTP headers, which the application processes without proper checks. This oversight can lead to severe consequences, including injection attacks, parsing errors, or unexpected application behavior that may be leveraged for further exploitation. To mitigate this risk, developers must implement rigorous validation routines that strictly enforce syntax rules before processing any input. Utilizing robust parsing libraries, defining clear schema definitions, and rejecting any data that deviates from the expected format are essential practices. By ensuring syntactic correctness early in the pipeline, organizations can prevent malformed data from triggering vulnerabilities and maintain system integrity against adversarial inputs.

MITRE CWE Description
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax. Often, complex inputs are expected to follow a particular syntax, which is either assumed by the input itself, or declared within metadata such as headers. The syntax could be for data exchange formats, markup languages, or even programming languages. When untrusted input is not properly validated for the expected syntax, attackers could cause parsing failures, trigger unexpected errors, or expose latent vulnerabilities that might not be directly exploitable if the input had conformed to the syntax.
Common Consequences (1)
Scope: Other · Impact: Varies by Context
Mitigations (1)
Phase: Implementation · Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
Examples (1)
The following code loads and parses an XML file.
    // Read DOM
    try {
        ...
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Validation is switched off: the parser accepts any well-formed XML
        // without checking it against a declared DTD or schema.
        factory.setValidating( false );
        ....
        c_dom = factory.newDocumentBuilder().parse( xmlFile );
    } catch(Exception ex) {
        ...
    }
Bad · Java
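The hardened counterpart to the example above, following the "accept known good" mitigation: the document is parsed only if it conforms to an XML Schema, and every parser warning or error is turned into a rejection instead of a log line. This is an added illustration, not code from MITRE or from the page; the class name StrictXmlLoader and the schemaFile/xmlFile parameters are assumptions.

```java
import java.io.File;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

// Hypothetical helper (not from the page): load xmlFile only if it is
// well-formed AND valid against the W3C XML Schema in schemaFile.
public class StrictXmlLoader {
    public static Document load(File schemaFile, File xmlFile) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = sf.newSchema(schemaFile);

        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // setValidating(true) only enables DTD validation; schema validation
        // is requested through setSchema() with setValidating left false.
        factory.setValidating(false);
        factory.setSchema(schema);

        DocumentBuilder builder = factory.newDocumentBuilder();
        // The JDK's default handler prints non-fatal validation errors and
        // keeps parsing. Rethrow everything so nonconforming input is refused.
        builder.setErrorHandler(new ErrorHandler() {
            public void warning(SAXParseException e) throws SAXException { throw e; }
            public void error(SAXParseException e) throws SAXException { throw e; }
            public void fatalError(SAXParseException e) throws SAXException { throw e; }
        });
        // Returns the DOM only for input that passed both checks; otherwise
        // a SAXParseException reaches the caller, who must not use the input.
        return builder.parse(xmlFile);
    }
}
```

Callers should treat any exception from load() as "input rejected" rather than falling back to parsing the file without the schema.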
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2025-0638 | Routinator crashes when illegal characters are present in manifest file names | Routinator | 7.5 | High | 2025-01-22
CVE-2024-8160 | AXIS OS Security Vulnerability | AXIS OS | 3.8 | Low | 2024-11-26
CVE-2024-8772 | AXIS OS Security Vulnerability | AXIS OS | 4.3 | Medium | 2024-11-26
CVE-2024-6763 | Jetty URI parsing of invalid authority | Jetty | 3.7 | Low | 2024-10-14
CVE-2024-6173 | AXIS OS Security Vulnerability | AXIS OS | 6.5 | Medium | 2024-09-10
CVE-2024-6284 | Improper IPv4 and IPv6 byte order storage in github.com/google/nftables | https://github.com/google/nftables | 5.3 | Medium | 2024-07-03
CVE-2024-21598 | Junos OS and Junos OS Evolved: A malformed BGP tunnel encapsulation attribute will lead to an rpd crash | Junos OS | 7.5 | High | 2024-04-12
CVE-2024-3384 | PAN-OS: Firewall Denial of Service (DoS) via Malformed NTLM Packets | PAN-OS | 7.5 | High | 2024-04-10
CVE-2024-0218 | DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1 | Guardian | 7.5 | High | 2024-04-10
CVE-2023-6950 | DJI Mavic Security Vulnerability | Mini 3 Pro | 3.0 | Low | 2024-04-02
CVE-2024-21616 | Junos OS: MX Series and SRX Series: Processing of a specific SIP packet causes NAT IP allocation to fail | Junos OS | 7.5 | High | 2024-01-12
CVE-2024-21595 | Junos OS: EX4100, EX4400, EX4600, QFX5000 Series: A high rate of specific ICMP traffic will cause the PFE to hang | Junos OS | 7.5 | High | 2024-01-12
CVE-2023-44204 | Junos OS and Junos OS Evolved: The rpd will crash upon receiving a malformed BGP UPDATE message | Junos OS | 6.5 | Medium | 2023-10-12
CVE-2023-32649 | DoS on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0 | Guardian | 7.5 | High | 2023-09-19
CVE-2023-23903 | DoS via SAML configuration in Guardian/CMC before 22.6.2 | Guardian | 4.9 | Medium | 2023-08-09
CVE-2023-24015 | Partial DoS on Reports section due to null report name in Guardian/CMC before 22.6.2 | Guardian | 4.3 | Medium | 2023-08-09
CVE-2023-21405 | Denial-of-Service vulnerability in Axis Network Door Controller's and Axis Network Intercom's OSDP communication | AXIS A1001 Network Door Controller | 6.5 | Medium | 2023-07-25
CVE-2023-28985 | SRX Series and MX Series: An FPC core is observed when IDP is enabled on the device and a specific malformed SSL packet is received | Junos OS | 7.5 | High | 2023-07-14
CVE-2021-44695 | Siemens SIMATIC Drive Controller Input Validation Error Vulnerability | SIMATIC Drive Controller CPU 1504D TF | 4.9 | Medium | 2022-12-13
CVE-2022-1941 | Out of Memory issue in ProtocolBuffers for cpp and python | protobuf-cpp | 7.5 | - | 2022-09-22
CVE-2022-22176 | Junos OS: In a scenario with dhcp-security and option-82 configured jdhcpd crashes upon receipt of a malformed DHCP packet | Junos OS | 7.4 | High | 2022-01-19
CVE-2021-31988 | Axis OS Injection Vulnerability | AXIS OS | 8.8 | - | 2021-10-05
CVE-2021-31987 | Axis OS Security Vulnerability | AXIS OS | 7.4 | - | 2021-10-05
CVE-2021-28812 | Command Injection Vulnerability in Video Station | Video Station | 8.8 | High | 2021-06-03
CVE-2020-16220 | Philips Patient Monitoring Devices Improper Validation of Syntactic Correctness of Input | Patient Information Center iX (PICiX) | 6.5 | - | 2020-09-11

Vulnerabilities classified as CWE-1286 represent 55 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.