CWE•Base•Draft•20 recent CVEs
CWE-472External Control of Assumed-Immutable Web Parameter
Description
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
[object Object]
Common consequences
- Integrity→Modify Application DataWithout appropriate protection mechanisms, the client can easily tamper with cookies and similar web data. Reliance on the cookies without detailed validation can lead to problems such as SQL injection. If you use cookie values for security
Potential mitigations
- Implementation[object Object]
- ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Related CWEs
Recent CVEs classified under this CWE
CVE-2026-116785.32026-06-09CVE-2026-116695.32026-06-09CVE-2026-116552026-06-09CVE-2026-116402026-06-09CVE-2026-112905.02026-06-05CVE-2026-112815.02026-06-05CVE-2026-112118.82026-06-04CVE-2026-111718.82026-06-04CVE-2026-110889.62026-06-04CVE-2026-110858.82026-06-04CVE-2026-110587.52026-06-04CVE-2026-110446.52026-06-04CVE-2026-109878.82026-06-04CVE-2026-109868.82026-06-04CVE-2026-109658.82026-06-04CVE-2026-109648.82026-06-04CVE-2026-109638.82026-06-04CVE-2026-109248.32026-06-04CVE-2026-109218.32026-06-04CVE-2026-99988.32026-05-28