CWE-184: Incomplete List of Disallowed Inputs
low-riskThe product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Abstraction: Base
Common Consequences
Access Control
→
Bypass Protection Mechanism
Detection Methods
Black Box
Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2024-5217 | 9.8 | 94.1% | Y |
| CVE-2017-7525 | 9.8 | 79.3% | — |
| CVE-2018-7489 | 9.8 | 36.2% | — |
| CVE-2024-30103 | 8.8 | 15.1% | — |
| CVE-2025-1716 | 9.8 | 14.4% | — |
| CVE-2018-6383 | 8.8 | 12.7% | — |
| CVE-2017-15095 | 9.8 | 8.6% | — |
| CVE-2023-34253 | 8.8 | 2.1% | — |
| CVE-2018-5968 | 8.1 | 2.0% | — |
| CVE-2020-14372 | 7.5 | 1.9% | — |
6
/ 100
low-risk
Active Threat
6/50 · Minimal
Exploit Availability
0/50 · Minimal