VYPR

CWE-290

Authentication Bypass by Spoofing

Abstraction: Base · Status: Incomplete

Description

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-21 · CAPEC-22 · CAPEC-459 · CAPEC-461 · CAPEC-473 · CAPEC-476 · CAPEC-59 · CAPEC-60 · CAPEC-667 · CAPEC-94

CVEs mapped to this weakness (280)

page 10 of 14
  • CVE-2025-27389 · Med · Dec 5, 2025
    risk 0.33 · cvss n/a · epss 0.00

    A flaw exists in the verification of application installation sources within ColorOS. Under specific conditions, this issue may cause the risk detection mechanism to fail, which could allow malicious applications to be installed without proper warning.

  • CVE-2026-35622 · Med · Apr 9, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on…

  • CVE-2026-34778 · Med · Apr 4, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by…

  • CVE-2025-59154 · Med · Sep 15, 2025
    risk 0.31 · cvss 5.9 · epss 0.00

    Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the…

  • CVE-2020-6158 · Med · Feb 21, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    Opera Mini for Android before version 52.2 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another page and trick a user…

  • CVE-2026-39309 · Med · May 20, 2026
    risk 0.29 · cvss 5.5 · epss 0.00

    Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading…

  • CVE-2024-27853 · Med · Jul 29, 2024
    risk 0.29 · cvss 4.4 · epss 0.00

    This issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.4. A maliciously crafted ZIP archive may bypass Gatekeeper checks.

  • CVE-2025-43503 · Med · Nov 4, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    An inconsistent user interface issue was addressed with improved state management. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Visiting a malicious website may lead to user interface…

  • CVE-2025-43493 · Med · Nov 4, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    The issue was addressed with improved checks. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1. Visiting a malicious website may lead to address bar spoofing.

  • CVE-2025-32275 · Med · Apr 10, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Authentication Bypass by Spoofing vulnerability in Ays Pro Survey Maker survey-maker allows Identity Spoofing. This issue affects Survey Maker: from n/a through <= 5.1.6.3.

  • CVE-2025-32227 · Med · Apr 10, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Authentication Bypass by Spoofing vulnerability in Asgaros Asgaros Forum asgaros-forum allows Identity Spoofing. This issue affects Asgaros Forum: from n/a through <= 3.0.0.

  • CVE-2024-25906 · Med · May 17, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Authentication Bypass by Spoofing vulnerability in WP Happy Coders Comments Like Dislike allows Functionality Bypass. This issue affects Comments Like Dislike: from n/a through 1.2.2.

  • CVE-2018-8425 · Med · Sep 13, 2018
    risk 0.28 · cvss 4.3 · epss 0.03

    A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge.

  • CVE-2018-8388 · Med · Aug 15, 2018
    risk 0.28 · cvss 4.3 · epss 0.04

    A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8383.

  • CVE-2018-8383 · Med · Aug 15, 2018
    risk 0.28 · cvss 4.3 · epss 0.06

    A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8388.

  • CVE-2026-24000 · Med · May 14, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass…

  • CVE-2025-22223 · Med · Mar 24, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on…

  • CVE-2024-49214 · Med · Oct 14, 2024
    risk 0.27 · cvss 5.3 · epss 0.01

    QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.

  • CVE-2026-39411 · Med · Apr 8, 2026
    risk 0.26 · cvss 5.0 · epss 0.00

    LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated.…

  • CVE-2025-48937 · Med · Jun 10, 2025
    risk 0.25 · cvss 4.9 · epss 0.00

    matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients,…
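Worked example for the pattern in the Openfire entry above (CVE-2025-59154): an identity pulled out of a client certificate by pattern-matching its textual form instead of reading the structured field. This is an added illustration, not Openfire's code; the certificate is generated in-process, and the names, subject attributes and regular expression are constructed for the demo. Chain validation against a trusted CA is assumed to have happened before either extractor runs.

```go
package main

// Added example (not Openfire's code). Contrasts two ways of deriving a
// client identity from an X.509 certificate: scanning the flattened subject
// string for "something that looks like an address" versus reading the
// rfc822Name entries of the SubjectAltName extension.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Constructed pattern for the naive extractor.
var emailLike = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

// NaiveIdentity reproduces the weakness class: the subject is flattened to
// text and the first address-shaped token wins, so any subject attribute the
// certificate holder controls (here Organization) can supply the identity.
func NaiveIdentity(cert *x509.Certificate) string {
	return emailLike.FindString(cert.Subject.String())
}

// StructuredIdentity reads only the SAN rfc822Name values, the field a CA is
// expected to vet for an e-mail style identity. Returns "" if none is present.
func StructuredIdentity(cert *x509.Certificate) string {
	if len(cert.EmailAddresses) == 0 {
		return ""
	}
	return cert.EmailAddresses[0]
}

// MakeAttackerCert builds a self-signed certificate (constructed for the demo)
// whose SAN names mallory@example.org but whose Organization attribute
// carries the string "alice@example.org".
func MakeAttackerCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:   "mallory",
			Organization: []string{"alice@example.org"},
		},
		EmailAddresses: []string{"mallory@example.org"},
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := MakeAttackerCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("subject as text:", cert.Subject.String())
	fmt.Println("naive identity: ", NaiveIdentity(cert))   // alice@example.org
	fmt.Println("structured:     ", StructuredIdentity(cert)) // mallory@example.org
}
```

The naive extractor cannot tell which attribute an address came from, so whoever can obtain a certificate with an arbitrary Organization or OU string chooses the identity; the structured extractor only honours the field the issuing CA actually validated.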
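Worked example for the pattern in the Fleet entry above (CVE-2026-24000): deriving a request's source IP for an allow-list check. This is an added illustration, not Fleet's code. The proxy ranges, allow-list, host name and request addresses are constructed; the hardened variant honours X-Forwarded-For only when the TCP peer is a configured reverse proxy and then walks the chain from the right past trusted hops.

```go
package main

// Added example (not Fleet's code). ClientIPNaive believes X-Forwarded-For
// from anyone; ClientIPHardened trusts it only behind a known proxy.

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Assumed deployment settings: the only hosts allowed to append
// X-Forwarded-For, and the client networks permitted to reach the endpoint.
var trustedProxies = mustParseCIDRs("10.0.0.0/8")
var allowList = mustParseCIDRs("10.0.0.0/8", "192.0.2.0/24")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// peerIP is the address of the TCP connection itself, which a client cannot spoof.
func peerIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// ClientIPNaive: the weakness. Any client can set the header and pick the
// address the server attributes to it.
func ClientIPNaive(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return peerIP(r)
}

// ClientIPHardened: use the header only if the peer is a trusted proxy, then
// take the right-most entry that is not itself a trusted proxy (the last hop a
// proxy we control actually observed). A malformed chain yields "" so the
// allow-list check fails closed.
func ClientIPHardened(r *http.Request) string {
	peer := peerIP(r)
	pip := net.ParseIP(peer)
	if pip == nil || !inAny(pip, trustedProxies) {
		return peer // direct connection: the header is untrusted noise
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return peer
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return "" // garbage in the chain: refuse to attribute
		}
		if !inAny(ip, trustedProxies) {
			return ip.String()
		}
	}
	return peer // every hop was a trusted proxy: the proxy itself is the client
}

// Allowed reports whether an attributed address passes the allow-list.
func Allowed(ip string) bool {
	p := net.ParseIP(ip)
	return p != nil && inAny(p, allowList)
}

// newRequest builds a constructed request with the given peer and header.
func newRequest(remote, xff string) *http.Request {
	r, _ := http.NewRequest("GET", "http://fleet.example/api", nil)
	r.RemoteAddr = remote
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	// Constructed traffic: an Internet client forging an internal address
	// directly, and the same forgery arriving through the trusted proxy,
	// which appended the real client address.
	spoof := newRequest("203.0.113.7:41000", "10.0.0.5")
	viaProxy := newRequest("10.0.0.2:39000", "10.0.0.5, 203.0.113.7")
	for _, r := range []*http.Request{spoof, viaProxy} {
		n, h := ClientIPNaive(r), ClientIPHardened(r)
		fmt.Printf("peer=%s naive=%s allowed=%v | hardened=%s allowed=%v\n",
			r.RemoteAddr, n, Allowed(n), h, Allowed(h))
	}
}
```

Walking the chain from the right matters: proxies append, so the left-most entry is whatever the client typed, and only the entry immediately left of the first trusted proxy is an address a trusted hop actually saw.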
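Worked example for the pattern in the LobeHub entry above (CVE-2026-39411): an authentication header whose contents are merely XOR-obfuscated with a fixed key, beside the signed form that would resist tampering. This is an added illustration, not LobeHub's code; the header format, the JSON principal, the XOR key and the server secret are constructed for the demo.

```go
package main

// Added example (not LobeHub's code). A principal XOR'd with a constant key
// is forgeable by anyone who has one token of their own: XOR that token with
// its known plaintext to recover the key stream, then XOR a chosen payload.
// An HMAC over the payload with a server-held secret cannot be produced
// without that secret.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type Principal struct {
	UserID string `json:"userId"`
	Role   string `json:"role"`
}

// --- Weak scheme: XOR with a fixed key, base64 encoded ---

var xorKey = []byte("constructed-xor-key") // assumed: embedded in the client bundle

func xorBytes(b, key []byte) []byte {
	out := make([]byte, len(b))
	for i := range b {
		out[i] = b[i] ^ key[i%len(key)]
	}
	return out
}

func ObfuscateHeader(p Principal) string {
	raw, _ := json.Marshal(p)
	return base64.StdEncoding.EncodeToString(xorBytes(raw, xorKey))
}

// AuthWeak "authenticates" by de-obfuscating; nothing proves who produced it.
func AuthWeak(header string) (Principal, error) {
	var p Principal
	enc, err := base64.StdEncoding.DecodeString(header)
	if err != nil {
		return p, err
	}
	err = json.Unmarshal(xorBytes(enc, xorKey), &p)
	return p, err
}

// ForgeWeak: with one token for ownPrincipal, recover key stream positions
// and re-encrypt a target principal no longer than the known plaintext.
func ForgeWeak(ownToken string, ownPrincipal, target Principal) (string, error) {
	enc, err := base64.StdEncoding.DecodeString(ownToken)
	if err != nil {
		return "", err
	}
	ownPlain, _ := json.Marshal(ownPrincipal)
	keystream := xorBytes(enc, ownPlain) // enc[i] ^ plain[i] == key[i % len(key)]
	forged, _ := json.Marshal(target)
	if len(forged) > len(keystream) {
		return "", errors.New("known plaintext too short for this target")
	}
	return base64.StdEncoding.EncodeToString(xorBytes(forged, keystream)), nil
}

// --- Signed scheme: base64url(payload) "." base64url(HMAC-SHA256(payload)) ---

var serverSecret = []byte("constructed-server-secret-never-sent-to-clients") // assumed

func mac(raw []byte) []byte {
	m := hmac.New(sha256.New, serverSecret)
	m.Write(raw)
	return m.Sum(nil)
}

func SignToken(p Principal) string {
	raw, _ := json.Marshal(p)
	return base64.RawURLEncoding.EncodeToString(raw) + "." + base64.RawURLEncoding.EncodeToString(mac(raw))
}

func AuthSigned(token string) (Principal, error) {
	var p Principal
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return p, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return p, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return p, err
	}
	if !hmac.Equal(mac(raw), sig) { // constant-time comparison
		return p, errors.New("bad signature")
	}
	err = json.Unmarshal(raw, &p)
	return p, err
}

// TamperSigned swaps the payload but keeps the original signature.
func TamperSigned(token string, target Principal) string {
	parts := strings.SplitN(token, ".", 2)
	raw, _ := json.Marshal(target)
	return base64.RawURLEncoding.EncodeToString(raw) + "." + parts[1]
}

func main() {
	me := Principal{UserID: "mallory", Role: "user"}
	admin := Principal{UserID: "admin", Role: "admin"}
	forged, err := ForgeWeak(ObfuscateHeader(me), me, admin)
	if err != nil {
		panic(err)
	}
	got, err := AuthWeak(forged)
	fmt.Printf("XOR scheme accepted forged header as %+v (err=%v)\n", got, err)
	_, err = AuthSigned(TamperSigned(SignToken(me), admin))
	fmt.Println("HMAC scheme on tampered token:", err)
}
```

Obfuscation hides bytes from a casual observer but binds nothing to the issuer; a MAC (or signature) keyed with material the client never holds is what turns a header into evidence of authentication.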