CWE-1289 — Vulnerability Class 13

13 vulnerabilities classified as CWE-1289. AI Chinese analysis included.

CWE-1289 represents a critical input validation weakness where software fails to properly verify that an input value is equivalent to a potentially unsafe resource identifier or reference. This flaw typically allows attackers to bypass security controls by crafting inputs that appear benign at the application layer but trigger dangerous behavior when processed by downstream components or lower-level systems. By exploiting discrepancies in how equivalence is interpreted across different processing stages, adversaries can execute unauthorized actions or access restricted resources. To mitigate this risk, developers must implement rigorous, consistent validation logic that explicitly checks for unsafe equivalence at every processing layer. Utilizing standardized libraries for reference comparison and ensuring that all downstream components adhere to the same strict validation rules prevents attackers from leveraging these semantic gaps to compromise system integrity.

MITRE CWE Description
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. Attackers can sometimes bypass input validation schemes by finding inputs that appear to be safe, but will be dangerous when processed at a lower layer or by a downstream component. For example, a simple XSS protection mechanism might try to validate that an input has no "<script>" tags using case-sensitive matching, but since HTML is case-insensitive when processed by web browsers, an attacker could inject "<ScrIpT>" and trigger XSS.
Common Consequences (1)
Scope: Other. Impact: Varies by Context.

Mitigations (1)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
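As an added example that is not part of this page, the MITRE entry, or any listed project, the Python below contrasts the case-sensitive "<script>" check from the description with validation on a canonical form, applies the "accept known good" mitigation to an identifier, and extends the same idea to CIDR strings as a parse/re-serialize round-trip check. The identifier specification and all inputs are constructed for the example.

```python
"""Added example (not code from the page, MITRE, or any listed project):
validating the canonical form of an input instead of its raw spelling, the
gap CWE-1289 describes. All inputs used with it are constructed."""
import ipaddress
import re


def weak_script_filter(value: str) -> bool:
    """The flawed validator from the MITRE text: a case-sensitive substring
    match. Returns True when the input is accepted."""
    return "<script>" not in value


def canonical_script_filter(value: str) -> bool:
    """Same denylist, applied to the form the browser will interpret. Case
    folding mirrors the one transformation named in the CWE text; every other
    normalization the downstream component performs would need mirroring too,
    which is why a denylist stays fragile."""
    return "<script" not in value.lower()


# Constructed spec for an identifier: letters, digits, '_', '.', '-', 1-32 chars.
IDENTIFIER = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def allowlist_identifier(value: str) -> bool:
    """'Accept known good' (the listed mitigation): the identifier must match
    its specification exactly, so there is no equivalent spelling to slip past."""
    return IDENTIFIER.fullmatch(value) is not None


def strict_cidr(value: str) -> bool:
    """Round-trip check for a CIDR string: parse it, re-serialize it, and
    accept only if the canonical text equals the input. Spellings that parse to
    the same network but differ textually (zero-padded prefix length, leading
    zeros in IPv6 groups, dotted-netmask form) are rejected, so the ACL layer
    and the parser can never disagree about what was meant."""
    try:
        network = ipaddress.ip_network(value, strict=True)
    except ValueError:
        return False
    return str(network) == value
```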
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-45191 | Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass | Net::CIDR::Lite | 9.1 (AI) | Critical (AI) | 2026-05-10
CVE-2026-45190 | Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass | Net::CIDR::Lite | 7.5 (AI) | High (AI) | 2026-05-10
CVE-2026-39972 | Mercure has a Topic Selector Cache Key Collision | mercure | 7.6 (AI) | High (AI) | 2026-04-09
CVE-2026-34080 | xdg-dbus-proxy has an eavesdrop filter bypass allowing message interception | xdg-dbus-proxy | 5.3 (AI) | Medium (AI) | 2026-04-07
CVE-2026-22569 | Incorrect startup configuration in ZCC | Zscaler Client Connector | 5.4 | Medium | 2026-03-31
CVE-2026-33496 | Ory Oathkeeper has an authentication bypass by cache key confusion | oathkeeper | 8.1 | High | 2026-03-26
CVE-2026-3563 | Devolutions PowerShell Universal security vulnerability | PowerShell Universal | 7.1 (AI) | High (AI) | 2026-03-17
CVE-2026-27610 | Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions | parse-dashboard | 5.3 (AI) | Medium (AI) | 2026-02-25
CVE-2026-1094 | Improper Validation of Unsafe Equivalence in Input in GitLab | GitLab | 4.6 | Medium | 2026-02-11
CVE-2024-12224 | idna accepts Punycode labels that do not produce any non-ASCII when decoded | rust-url | 5.3 (AI) | Medium (AI) | 2025-05-30
CVE-2024-8372 | AngularJS improper sanitization in 'srcset' attribute | AngularJS | 4.8 | Medium | 2024-09-09
CVE-2024-45308 | MySQL & free URL mode allows to hide existing notes in hedgedoc | hedgedoc | 6.5 | Medium | 2024-09-02
CVE-2022-0675 | Puppet Firewall Module May Leave Unmanaged Rules | Firewall Module | 5.6 | Medium | 2022-03-02

CVSS scores and severities marked (AI) carry the site's AI badge in the original listing.

Vulnerabilities classified as CWE-1289 represent 13 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.