CWE-754
Allowed-with-ReviewImproper Check for Unusual or Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
907 vulnerabilities reference this CWE, most recent first.
GHSA-4W79-6W2J-FPH5
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31Improper conditions check for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.110.0.5 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
{
"affected": [],
"aliases": [
"CVE-2025-20625"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T17:15:30Z",
"severity": "HIGH"
},
"details": "Improper conditions check for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.110.0.5 may allow an unauthenticated user to potentially enable denial of service via adjacent access.",
"id": "GHSA-4w79-6w2j-fph5",
"modified": "2025-08-12T18:31:27Z",
"published": "2025-08-12T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20625"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01292.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-555F-PJPV-4MJM
Vulnerability from github – Published: 2026-02-02 09:30 – Updated: 2026-02-04 15:30In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738310; Issue ID: MSV-5933.
{
"affected": [],
"aliases": [
"CVE-2026-20401"
],
"database_specific": {
"cwe_ids": [
"CWE-617",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T09:15:54Z",
"severity": "HIGH"
},
"details": "In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738310; Issue ID: MSV-5933.",
"id": "GHSA-555f-pjpv-4mjm",
"modified": "2026-02-04T15:30:28Z",
"published": "2026-02-02T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20401"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-58P7-GJ75-3437
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2023-08-31 03:30DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2021-21439"
],
"database_specific": {
"cwe_ids": [
"CWE-754",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-14T08:15:00Z",
"severity": "MODERATE"
},
"details": "DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.",
"id": "GHSA-58p7-gj75-3437",
"modified": "2023-08-31T03:30:36Z",
"published": "2022-05-24T19:05:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21439"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2021-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-598Q-JW82-5W66
Vulnerability from github – Published: 2025-10-27 20:12 – Updated: 2025-10-27 22:31Impact
Any plugin using the GuiStorageElement is impacted.
Patches
Patched with https://github.com/Phoenix616/InventoryGui/commit/27a52ef6d934a1c232e110e0010e4aa810c27029 ("backported" to 1.6.1-SNAPSHOT) Update to 1.6.2-SNAPSHOT to guarantee that it's included!
Workarounds
Don't use the GuiStorageElement in GUIs.
References
Original issue: https://github.com/Phoenix616/InventoryGui/issues/48
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.6.1-SNAPSHOT"
},
"package": {
"ecosystem": "Maven",
"name": "de.themoep:inventorygui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.2-SNAPSHOT"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62783"
],
"database_specific": {
"cwe_ids": [
"CWE-754",
"CWE-837"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-27T20:12:31Z",
"nvd_published_at": "2025-10-27T21:15:38Z",
"severity": "MODERATE"
},
"details": "### Impact\nAny plugin using the `GuiStorageElement` is impacted.\n\n### Patches\nPatched with https://github.com/Phoenix616/InventoryGui/commit/27a52ef6d934a1c232e110e0010e4aa810c27029 (\"backported\" to 1.6.1-SNAPSHOT) Update to 1.6.2-SNAPSHOT to guarantee that it\u0027s included!\n\n### Workarounds\nDon\u0027t use the `GuiStorageElement` in GUIs.\n\n### References\nOriginal issue: https://github.com/Phoenix616/InventoryGui/issues/48",
"id": "GHSA-598q-jw82-5w66",
"modified": "2025-10-27T22:31:55Z",
"published": "2025-10-27T20:12:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-598q-jw82-5w66"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62783"
},
{
"type": "WEB",
"url": "https://github.com/Phoenix616/InventoryGui/issues/48"
},
{
"type": "WEB",
"url": "https://github.com/Phoenix616/InventoryGui/commit/27a52ef6d934a1c232e110e0010e4aa810c27029"
},
{
"type": "PACKAGE",
"url": "https://github.com/Phoenix616/InventoryGui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "InventoryGui affected by item duplication in GUIs which use GuiStorageElement"
}
GHSA-5C48-VFR3-8JXQ
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2023-02-03 00:30The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
{
"affected": [],
"aliases": [
"CVE-2020-15658"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-10T18:15:00Z",
"severity": "MODERATE"
},
"details": "The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR \u003c 78.1, Firefox \u003c 79, and Thunderbird \u003c 78.1.",
"id": "GHSA-5c48-vfr3-8jxq",
"modified": "2023-02-03T00:30:17Z",
"published": "2022-05-24T17:25:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15658"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1637745"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4443-1"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-30"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-32"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-33"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5CGM-H8QG-5H77
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-03-24 21:31Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
{
"affected": [],
"aliases": [
"CVE-2026-4708"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T13:16:06Z",
"severity": "HIGH"
},
"details": "Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox \u003c 149 and Firefox ESR \u003c 140.9.",
"id": "GHSA-5cgm-h8qg-5h77",
"modified": "2026-03-24T21:31:22Z",
"published": "2026-03-24T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4708"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2015268"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-22"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FFG-379Q-G96F
Vulnerability from github – Published: 2021-12-18 00:00 – Updated: 2021-12-28 00:01Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token.
{
"affected": [],
"aliases": [
"CVE-2021-37862"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-17T17:15:00Z",
"severity": "MODERATE"
},
"details": "Mattermost 6.0 and earlier fails to sufficiently validate the email address during registration, which allows attackers to trick users into signing up using attacker-controlled email addresses via crafted invitation token.",
"id": "GHSA-5ffg-379q-g96f",
"modified": "2021-12-28T00:01:28Z",
"published": "2021-12-18T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37862"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1357013"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5GJR-XFJ5-JPCW
Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-16 19:00Improper conditions check in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-26079"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-11T16:15:00Z",
"severity": "HIGH"
},
"details": "Improper conditions check in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via local access.",
"id": "GHSA-5gjr-xfj5-jpcw",
"modified": "2022-11-16T19:00:25Z",
"published": "2022-11-11T19:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26079"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00683.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GMF-X7HG-97WF
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-06-30 16:58Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry. Mattermost Advisory ID: MMSA-2026-00641
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.6.0"
},
{
"fixed": "11.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"11.6.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.5.0"
},
{
"fixed": "11.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.4.0"
},
{
"fixed": "11.4.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0"
},
{
"fixed": "10.11.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20260407102538-faa7d75b4ea0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4915"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T16:58:39Z",
"nvd_published_at": "2026-05-25T08:16:24Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.6.x \u003c= 11.6.0, 11.5.x \u003c= 11.5.3, 11.4.x \u003c= 11.4.4, 10.11.x \u003c= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry. Mattermost Advisory ID: MMSA-2026-00641",
"id": "GHSA-5gmf-x7hg-97wf",
"modified": "2026-06-30T16:58:40Z",
"published": "2026-05-26T13:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4915"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/faa7d75b4ea041701e97948f8aa1332e3626a39a"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Mattermost doesn\u0027t filter nil elements from outgoing webhook attachment payloads before processing"
}
GHSA-5GWV-2Q72-GXRM
Vulnerability from github – Published: 2025-04-02 21:30 – Updated: 2025-10-23 12:31OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase
{
"affected": [],
"aliases": [
"CVE-2025-2704"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-02T21:15:32Z",
"severity": "HIGH"
},
"details": "OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase",
"id": "GHSA-5gwv-2q72-gxrm",
"modified": "2025-10-23T12:31:16Z",
"published": "2025-04-02T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2704"
},
{
"type": "WEB",
"url": "https://community.openvpn.net/openvpn/wiki/CVE-2025-2704"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00142.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/04/02/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.