CVEbaza.plSłownik CWECWE-474
Common Weakness Enumeration

CWE-474

Use of Function with Inconsistent Implementations

Kategoria: BaseCVE: 13
Opis

Kod wykorzystuje funkcję, która ma niespójne implementacje na różnych systemach operacyjnych i wersjach. Może to prowadzić do nieprzewidywalnego zachowania lub błędów bezpieczeństwa w zależności od środowiska wykonania.

Description (EN)

The code uses a function that has inconsistent implementations across operating systems and versions.

Podatności CVE z CWE-474 (13)
8.8
CVSS
HIGH
CVE-2026-11102

Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: Medium)

pub. 2026-06-04
8.8
CVSS
HIGH
CVE-2026-0902

Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

pub. 2026-01-20
8.8
CVSS
HIGH
CVE-2024-5836

Inappropriate Implementation in DevTools in Google Chrome prior to 126.0.6478.54 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: High)

pub. 2024-06-11
8.0
CVSS
HIGH
CVE-2026-24010

Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.

pub. 2026-01-22
7.8
CVSS
HIGH
CVE-2024-1694

Inappropriate implementation in Google Updator prior to 1.3.36.351 in Google Chrome allowed a local attacker to bypass discretionary access control via a malicious file. (Chromium security severity: High)

pub. 2024-06-07
7.1
CVSS
HIGH
CVE-2026-25960

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.

pub. 2026-03-09
6.5
CVSS
MEDIUM
CVE-2026-11097

Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

pub. 2026-06-04
6.5
CVSS
MEDIUM
CVE-2024-5839

Inappropriate Implementation in Memory Allocator in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

pub. 2024-06-11
5.4
CVSS
MEDIUM
CVE-2024-1672

Inappropriate implementation in Content Security Policy in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)

pub. 2024-02-21
5.3
CVSS
MEDIUM
CVE-2021-0294

A vulnerability in Juniper Networks Junos OS, which only affects the release 18.4R2-S5, where a function is inconsistently implemented on Juniper Networks Junos QFX5000 Series and EX4600 Series, and if "storm-control enhanced" is configured, can lead to the enhanced storm control filter group not be installed. It will cause storm control not to work hence allowing an attacker to cause high CPU usage or packet loss issues by sending a large amount of broadcast or unknown unicast packets arriving the device. This issue affects Juniper Networks QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, EX4600, and EX4650, and QFX5100 with QFX 5e Series image installed. QFX5130 and QFX5220 are not affected from this issue. This issue affects Juniper Networks Junos OS 18.4R2-S5 on QFX5000 Series and EX4600 Series. No other product or platform is affected by this vulnerability.

pub. 2021-07-15
4.3
CVSS
MEDIUM
CVE-2024-7001

Inappropriate implementation in HTML in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

pub. 2024-08-06
4.3
CVSS
MEDIUM
CVE-2024-2628

Inappropriate implementation in Downloads in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted URL. (Chromium security severity: Medium)

pub. 2024-03-20
2.9
CVSS
LOW
CVE-2026-39894

Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtool_function_update() can corrupt RRDtool metric values. The rrdtool_function_update() function checks metric values with is_numeric() and concatenates them into the RRDtool update command via PHP string interpolation. PHP's string cast of floats is locale-sensitive: if LC_NUMERIC uses comma as decimal separator (e.g., de_DE), a value of 1.5 becomes "1,5". RRDtool expects . as decimal separator, causing metric data to shift into wrong columns or be silently dropped. No setlocale() reset is present in the update path. This causes a data integrity issue, but is not remotely exploitable; it requires server locale misconfiguration. The issue has been fixed in version 1.2.31.

pub. 2026-06-24
Informacje
ID: CWE-474
Typ: Base
Podatności: 13
MITRE CWE ↗
← Słownik CWE