The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

What CVEs are caused by CWE-183?

26 recorded CVEs are attributed to CWE-183, including CVE-2026-29514, CVE-2026-46391, CVE-2025-53762.

How is CWE-183 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-183?

Exploiting CWE-183 can lead to: Bypass Protection Mechanism.

Is CWE-183 actively exploited?

26 recorded CVEs are caused by CWE-183; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-183: Permissive List of Allowed Inputs (Allowlist / Allow List)

Real-world CVEs

26 recorded CVEs are caused by CWE-183 (Permissive List of Allowed Inputs). The highest-severity and most recent are shown first. 13 new CWE-183 CVEs have been recorded so far in 2026 (1 in 2025).

CVE-2026-29514
NetBox 4.3.5 - 4.5.4 RCE via RenderTemplateMixin
High · CVSS 8.8 · EPSS 23th
2026-05-04
CVE-2026-46391
HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis
High · CVSS 8.7 · EPSS 5th
2026-06-05
CVE-2025-53762
Microsoft Purview Elevation of Privilege Vulnerability
High · CVSS 8.7 · EPSS 83th
2025-07-18
CVE-2026-41387
OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization
High · CVSS 8.5 · EPSS 6th
2026-04-28
CVE-2026-21915
JSI Virtual Lightweight Collector: Shell escape allows privilege escalation to root
High · CVSS 8.4 · EPSS 11th
2026-04-09
CVE-2026-40899
DataEase has an Arbitrary File Read Vulnerability
High · CVSS 8.3 · EPSS 3th
2026-04-16
CVE-2026-33979
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
High · CVSS 8.2 · EPSS 6th
2026-03-27
CVE-2024-1654
High · CVSS 7.2 · EPSS 89th
2024-03-14
CVE-2026-2303
Heap Out-of-Bounds Read in Go Driver GSSAPI C Wrappers enables application crash or information leak
Medium · CVSS 6.9 · EPSS 20th
2026-02-10
CVE-2026-2302
Unsafe Reflection in Mongoid::Criteria.from_hash
Medium · CVSS 6.9 · EPSS 13th
2026-02-10
CVE-2022-34450
Medium · CVSS 6.7 · EPSS 25th
2023-02-10
CVE-2023-4399
Medium · CVSS 6.6 · EPSS 16th
2023-10-17

Showing 12 of 26 recorded CWE-183 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-183 vulnerabilities

CWE-183: Permissive List of Allowed Inputs (Allowlist / Allow List)

Real-world CVEs

CWE-183: Permissive List of Allowed Inputs

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-183?

What CVEs are caused by CWE-183?

How is CWE-183 detected?

What are the consequences of CWE-183?

Is CWE-183 actively exploited?

References

Stay ahead of CWE-183

Real-world CVEs

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Illustrative examples

Related weaknesses

Parent

Child

Peer

Can precede

Related

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-183?

What CVEs are caused by CWE-183?

How is CWE-183 detected?

What are the consequences of CWE-183?

Is CWE-183 actively exploited?

References

Stay ahead of CWE-183