
CWE-436 (Interpretation Conflict) — Vulnerability Class, 45 CVEs

45 vulnerabilities classified as CWE-436 (Interpretation Conflict). AI-generated Chinese analysis included.

CWE-436, Interpretation Conflict, is a design weakness occurring when two interacting components, such as a client and server or an intermediary proxy, interpret the same input or state differently. This discrepancy typically arises in security appliances like firewalls or anti-virus software that modify traffic based on conflicting expectations of protocol behavior. Attackers exploit this by crafting malicious payloads that trigger divergent interpretations, causing the security device to permit harmful data or the target system to execute unintended actions. To mitigate this risk, developers must ensure consistent parsing logic across all interacting components. Implementing strict, unified protocol standards and rigorous validation checks at every processing stage helps eliminate ambiguity. Additionally, thorough integration testing that simulates edge-case scenarios can reveal interpretation mismatches before deployment, ensuring that all entities in the communication chain process data uniformly and securely.

MITRE CWE Description
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave.
Common Consequences (1)
Scope: Integrity, Other
Impact: Unexpected State, Varies by Context
Examples (2)
The paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" [REF-428] shows that OSes varied widely in how they manage unusual packets, which made it difficult or impossible for intrusion detection systems to properly detect certain attacker manipulations that took advantage of these OS differences.
Null characters have different interpretations in Perl and C, which have security consequences when Perl invokes C functions. Similar problems have been reported in ASP [REF-429] and PHP.
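The mitigation described above (one consistent parsing step for every component in the chain, plus edge-case integration testing) can be checked mechanically with a differential test: feed the same inputs to both components and flag every input on which their decisions diverge. The following is an added example, not code from the CWE entry or from any product listed on this page. It models a front proxy that matches a protected path prefix on the raw request-target and a backend router that percent-decodes, strips `;` path parameters and collapses duplicate slashes before routing (the normalization gaps named in several entries below). The component names, `PROTECTED_PREFIX`, `canonicalize` and the probe inputs are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed scenario: component A (proxy) and component B (backend) must
# agree on whether a request falls under the protected prefix. If A says
# "not protected" while B routes the request to the protected handler,
# A's access-control decision is bypassed: an interpretation conflict.
PROTECTED_PREFIX = "/admin"


def canonicalize(raw_path: str) -> str:
    """Backend's canonical form of a request path (assumed behaviour):
    percent-decode, drop ';param' path parameters, collapse duplicate
    slashes and remove empty segments."""
    path = unquote(raw_path)                 # "%2F" -> "/"
    path = re.sub(r";[^/]*", "", path)       # "/admin;x/" -> "/admin/"
    path = re.sub(r"/+", "/", path)          # "//admin" -> "/admin"
    segments = [seg for seg in path.split("/") if seg]
    return "/" + "/".join(segments)


def is_protected_canonical(path: str) -> bool:
    """Prefix check on an already-canonical path (shared rule)."""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def proxy_is_protected(raw_path: str) -> bool:
    """Component A, weak form: matches the raw request-target as received."""
    return is_protected_canonical(raw_path)


def backend_is_protected(raw_path: str) -> bool:
    """Component B: routes on the canonical form."""
    return is_protected_canonical(canonicalize(raw_path))


def proxy_is_protected_fixed(raw_path: str) -> bool:
    """Component A, hardened form: applies the same canonicalization as B
    before deciding, so both components interpret the input identically."""
    return is_protected_canonical(canonicalize(raw_path))


# Constructed probe set: two baseline paths plus one probe per normalization
# gap (duplicate slash, semicolon path parameter, URL-encoded slash).
PROBES = [
    "/admin/users",
    "/public/index",
    "//admin/users",
    "/admin;x/users",
    "/admin%2Fusers",
]


def find_mismatches(probes, decide_a, decide_b):
    """Differential test: return (probe, a_decision, b_decision) for every
    probe on which the two components disagree."""
    mismatches = []
    for probe in probes:
        a, b = decide_a(probe), decide_b(probe)
        if a != b:
            mismatches.append((probe, a, b))
    return mismatches


if __name__ == "__main__":
    for probe, a, b in find_mismatches(PROBES, proxy_is_protected, backend_is_protected):
        print(f"MISMATCH {probe!r}: proxy={a} backend={b}")
    print("after fix:", find_mismatches(PROBES, proxy_is_protected_fixed, backend_is_protected))
```

Run stand-alone, the weak proxy disagrees with the backend on the three gap probes and agrees on both baselines; after the proxy is switched to the shared canonicalizer the mismatch list is empty. The same harness applies to any pair of components that must agree on an input (host matching, Content-Type parsing, archive headers): the point is that the decision logic is shared, not merely similar, and that the probe set covers the ambiguities the protocol allows.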
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-42273 | Heimdall: Case-sensitive host matching may lead to policy bypass | heimdall | 5.3 (AI) | Medium (AI) | 2026-05-08
CVE-2026-42272 | Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation | heimdall | 9.1 (AI) | Critical (AI) | 2026-05-08
CVE-2026-30246 | github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters | fiber | 6.5 | Medium | 2026-05-05
CVE-2026-6322 | fast-uri vulnerable to host confusion via percent-encoded authority delimiters | fast-uri | 7.5 | High | 2026-05-05
CVE-2026-41248 | Official Clerk JavaScript SDKs: Middleware-based route protection bypass | astro | 9.1 | Critical | 2026-04-24
CVE-2026-33804 | @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option | @fastify/middie | 7.4 | High | 2026-04-16
CVE-2026-6270 | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes | @fastify/middie | 9.1 | Critical | 2026-04-16
CVE-2026-33807 | @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes | @fastify/express | 9.1 | Critical | 2026-04-15
CVE-2026-33808 | @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) | @fastify/express | 9.1 | - | 2026-04-15
CVE-2026-35200 | Parse Server has a file upload Content-Type override via extension mismatch | parse-server | 8.2 (AI) | High (AI) | 2026-04-06
CVE-2026-32762 | Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing | rack | 4.8 | Medium | 2026-04-02
CVE-2026-26961 | Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass | rack | 3.7 | Low | 2026-04-02
CVE-2026-32065 | OpenClaw < 2026.2.25 - Approval Identity Mismatch in system.run Command Execution | OpenClaw | 4.8 | Medium | 2026-03-21
CVE-2026-32052 | OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers | OpenClaw | 6.4 | Medium | 2026-03-21
CVE-2026-32766 | astral-tokio-tar insufficiently validates PAX extensions during extraction | tokio-tar | 9.1 | - | 2026-03-20
CVE-2026-27444 | Header Email Address Parsing | Secure Email Gateway | 9.1 (AI) | Critical (AI) | 2026-03-04
CVE-2026-0958 | Interpretation Conflict in GitLab | GitLab | 7.5 | High | 2026-02-11
CVE-2026-25223 | Fastify's Content-Type header tab character allows body validation bypass | fastify | 7.5 | High | 2026-02-03
CVE-2025-66490 | Traefik doesn't Prevent Path Normalization Bypass in Router + Middleware Rules | traefik | 9.8 (AI) | Critical (AI) | 2025-12-09
CVE-2025-54368 | uv is vulnerable to ZIP payload obfuscation through parsing differentials | uv | 9.1 | - | 2025-08-08
CVE-2025-48384 | Git allows arbitrary code execution through broken config quoting | git | 8.1 | High | 2025-07-08
CVE-2025-24013 | CodeIgniter validation of header name and value | CodeIgniter4 | 5.3 | Medium | 2025-01-20
CVE-2024-20293 | Cisco Firepower Threat Defense and Cisco Adaptive Security Appliance security vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 5.8 | Medium | 2024-05-22
CVE-2023-39481 | Softing Secure Integration Server Interpretation Conflict Remote Code Execution Vulnerability | Secure Integration Server | 8.8 | - | 2024-05-03
CVE-2024-3386 | PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended | PAN-OS | 5.3 | Medium | 2024-04-10
CVE-2024-29034 | CarrierWave's Content-Type allowlist bypass vulnerability which possibly leads to XSS remained | carrierwave | 6.8 | Medium | 2024-03-24
CVE-2024-24754 | Bref Body Parsing Inconsistency in Event-Driven Functions | bref | 3.7 | Low | 2024-02-01
CVE-2024-24753 | Bref Multiple Value Headers Not Supported in ApiGatewayFormatV2 | bref | 4.8 | Medium | 2024-02-01
CVE-2023-49284 | Command substitution output can trigger shell expansion in fish shell | fish-shell | 3.9 | Low | 2023-12-04
CVE-2023-40718 | Fortinet FortiOS IPS Engine security vulnerability | IPS Engine | 6.7 | High | 2023-10-10

Vulnerabilities classified as CWE-436 (Interpretation Conflict) represent 45 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.