VYPR

CWE-345

Insufficient Verification of Data Authenticity

Abstraction: Class · Status: Draft

Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-148 · CAPEC-218 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-665 · CAPEC-701

CVEs mapped to this weakness (306)

page 5 of 16
  • CVE-2026-30603 · Medium · Apr 2, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data by supplying a crafted iu.sh script on an SD card.

  • CVE-2025-56438 · Medium · Oct 24, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    An issue in the firmware update mechanism of Nous W3 Smart WiFi Camera v1.33.50.82 allows unauthenticated and physically proximate attackers to escalate privileges to root via supplying a crafted update.tar archive file stored on a FAT32-formatted SD card.

  • CVE-2024-52548 · Medium · Dec 3, 2024
    risk 0.44 · cvss 6.7 · epss 0.00

    An attacker who can execute arbitrary operating-system commands can bypass code-signing enforcement in the kernel and execute arbitrary native code. This vulnerability has been resolved in firmware version 2.800.0000000.8.R.20241111.

  • CVE-2026-53899 · Medium · Jun 16, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.

  • CVE-2026-47777 · High · Jun 15, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In affected versions, a missing condition in the check of whether remote accounts consented to be featured in a remote Collection could let attackers bypass the check and fake consent. An attacker could…

  • CVE-2026-41577 · High · Jun 2, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This…

  • CVE-2026-47123 · High · May 29, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The…

  • CVE-2026-45022 · High · May 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded…

  • CVE-2026-42575 · High · May 9, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is…

  • CVE-2026-35042 · High · Apr 6, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the…

  • CVE-2026-32597 · High · Mar 13, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token…

  • CVE-2026-21527 · Medium · Feb 10, 2026
    risk 0.42 · cvss 6.5 · epss 0.09

    User interface (UI) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2025-59024 · Medium · Feb 9, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Crafted delegations or IP fragments can poison cached delegations in Recursor.

  • CVE-2025-53548 · High · Jul 9, 2025
    risk 0.42 · cvss 7.5 · epss 0.00

    Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0.

  • CVE-2025-0510 · Medium · Feb 4, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.

  • CVE-2024-33494 · Medium · May 14, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating…

  • CVE-2023-48238 · High · Nov 17, 2023
    risk 0.42 · cvss 7.5 · epss 0.00

    joaquimserafim/json-web-token is a JavaScript library used to interact with JSON Web Tokens (JWT), which are a compact URL-safe means of representing claims to be transferred between two parties. Versions prior to 4.0.0 are vulnerable to a JWT algorithm confusion attack. On line…

  • CVE-2022-4537 · Medium · May 9, 2023
    risk 0.42 · cvss 6.5 · epss 0.00

    The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login…

  • CVE-2019-8921 · Medium · Nov 29, 2021
    risk 0.42 · cvss 6.5 · epss 0.01

    An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting…

  • CVE-2016-3677 · Medium · Jun 13, 2016
    risk 0.42 · cvss 6.5 · epss 0.00

    The Huawei Wear App application before 15.0.0.307 for Android does not validate SSL certificates, which allows local users to have unspecified impact via unknown vectors, aka HWPSIRT-2016-03008.
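The authentik entry above (CVE-2026-41577) describes a SAML response processor that ignored the assertion's Conditions element, so NotBefore, NotOnOrAfter and AudienceRestriction were never enforced. The following is an added example, not authentik's code, of what a service provider should check before trusting an assertion. It assumes the XML signature has already been verified, takes the assertion element as text, and uses a constructed unsigned assertion fragment as input; the 60-second clock-skew allowance, the SP and IdP URLs, and the function names are assumptions for the illustration.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Added example, not authentik's code. Enforces the three checks named in the
# CVE-2026-41577 entry: NotBefore, NotOnOrAfter and AudienceRestriction
# (SAML 2.0 Core section 2.5.1). The response signature is assumed to have been
# verified already; a real SP should parse untrusted XML with a hardened parser
# such as defusedxml rather than xml.etree directly.

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _saml_time(value: str) -> dt.datetime:
    # SAML Core section 1.3.3: time values are xs:dateTime in UTC, written with "Z".
    if not value.endswith("Z"):
        raise ValueError(f"timestamp not in UTC form: {value}")
    return dt.datetime.fromisoformat(value[:-1]).replace(tzinfo=dt.timezone.utc)


def validate_conditions(assertion_xml: str, expected_audience: str, now: dt.datetime,
                        skew: dt.timedelta = dt.timedelta(seconds=60)) -> dict:
    """Raise ValueError if the assertion's Conditions do not hold for this SP at `now`.

    Returns the checked values for logging. `skew` tolerates IdP/SP clock drift;
    60 s is an assumption of this example, not a SAML requirement.
    """
    assertion = ET.fromstring(assertion_xml)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")

    not_before = cond.get("NotBefore")
    if not_before is not None and now + skew < _saml_time(not_before):
        raise ValueError("assertion not yet valid (NotBefore)")

    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None and now - skew >= _saml_time(not_on_or_after):
        raise ValueError("assertion expired (NotOnOrAfter)")

    # Every AudienceRestriction must be satisfied; one is satisfied when any of
    # its Audience values names this SP. Requiring at least one restriction is an
    # SP policy assumed here: without it, an assertion the same IdP minted for a
    # different SP would be accepted.
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        raise ValueError("assertion has no AudienceRestriction")
    for r in restrictions:
        audiences = [a.text.strip() for a in r.findall("saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            raise ValueError(f"audience mismatch: {audiences}")

    return {"NotBefore": not_before, "NotOnOrAfter": not_on_or_after,
            "Audience": expected_audience}


def conditions_verdict(assertion_xml: str, expected_audience: str, now: dt.datetime) -> str:
    """'accepted' or the rejection reason, for the constructed inputs below."""
    try:
        validate_conditions(assertion_xml, expected_audience, now)
        return "accepted"
    except ValueError as e:
        return "rejected: " + str(e)


def make_assertion(not_before: str, not_on_or_after: str, audience: str) -> str:
    # Constructed, unsigned assertion fragment used only for this example.
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0" ID="_c1">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


SP = "https://sp.example.test/saml/metadata"  # assumed entity ID of this SP
NOW = dt.datetime(2026, 6, 2, 12, 0, 0, tzinfo=dt.timezone.utc)
FRESH = make_assertion("2026-06-02T11:59:00Z", "2026-06-02T12:05:00Z", SP)
STALE = make_assertion("2026-06-01T11:59:00Z", "2026-06-01T12:05:00Z", SP)  # replayed a day later
OTHER_SP = make_assertion("2026-06-02T11:59:00Z", "2026-06-02T12:05:00Z",
                          "https://other-sp.example.test/saml/metadata")

if __name__ == "__main__":
    for label, a in [("fresh", FRESH), ("stale", STALE), ("other SP", OTHER_SP)]:
        print(f"{label:9s} {conditions_verdict(a, SP, NOW)}")
```

A processor that skips these checks accepts STALE (a captured assertion replayed after its window) and OTHER_SP (an assertion the IdP issued for a different relying party) exactly as it accepts FRESH.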
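The apko entry above (CVE-2026-42575) describes a build tool that verified the signature on the package index but never compared each downloaded .apk against the checksum the signed index recorded for it, so the signature proved nothing about the bytes actually installed. The following is an added illustration, not apko's code, of the two-step check. It uses a constructed index format (one "name version sha256hex" line per package) authenticated with HMAC-SHA256 as a stand-in for the real APKINDEX signature scheme; the package names, contents, key and function names are all constructed for the example.

```python
import hashlib
import hmac

# Added illustration, not apko's code. Step 1 authenticates the index; step 2
# checks every downloaded package against the digest the signed index lists for
# it. The CVE-2026-42575 entry describes a tool that did step 1 only.

INDEX_KEY = b"constructed-index-key"  # constructed stand-in for the repository's signing key


def sign_index(index_text: str, key: bytes = INDEX_KEY) -> bytes:
    return hmac.new(key, index_text.encode(), hashlib.sha256).digest()


def verify_index(index_text: str, tag: bytes, key: bytes = INDEX_KEY) -> dict:
    """Step 1: authenticate the index, then parse it into {name: (version, sha256)}."""
    if not hmac.compare_digest(sign_index(index_text, key), tag):
        raise ValueError("index signature invalid")
    entries = {}
    for line in index_text.splitlines():
        if line.strip():
            name, version, digest = line.split()
            entries[name] = (version, digest)
    return entries


def fetch_and_verify(name: str, entries: dict, fetch) -> bytes:
    """Step 2: download a package and refuse it unless its digest matches the index.

    `fetch(name, version) -> bytes` stands in for the HTTP download. Without this
    step anyone who controls the package bytes (mirror, CDN, on-path attacker)
    can serve arbitrary content under a name the signed index vouches for.
    """
    if name not in entries:
        raise ValueError(f"{name}: not listed in the signed index")
    version, expected = entries[name]
    blob = fetch(name, version)
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"{name}-{version}: digest mismatch")
    return blob


# Constructed sample repository: two packages and a signed index over them.
GOOD_PACKAGES = {
    ("busybox", "1.36.1-r0"): b"busybox package bytes",
    ("ca-certificates", "20240226-r0"): b"ca-certificates package bytes",
}
INDEX_TEXT = "".join(
    f"{n} {v} {hashlib.sha256(b).hexdigest()}\n" for (n, v), b in GOOD_PACKAGES.items()
)
INDEX_TAG = sign_index(INDEX_TEXT)


def honest_repo(name: str, version: str) -> bytes:
    return GOOD_PACKAGES[(name, version)]


def tampered_repo(name: str, version: str) -> bytes:
    """Serves a modified busybox while the index and its signature stay intact."""
    blob = GOOD_PACKAGES[(name, version)]
    return blob + b"\n#backdoor" if name == "busybox" else blob


def install(repo, names=("busybox", "ca-certificates"),
            index_text: str = INDEX_TEXT, tag: bytes = INDEX_TAG) -> dict:
    """Return {name: bytes} of verified packages; raise on the first failure."""
    entries = verify_index(index_text, tag)
    return {n: fetch_and_verify(n, entries, repo) for n in names}


def try_install(repo, **kw) -> str:
    """'ok' or the rejection reason, for the constructed repositories above."""
    try:
        install(repo, **kw)
        return "ok"
    except ValueError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    print(try_install(honest_repo))
    print(try_install(tampered_repo))
    # An index edited after signing fails at step 1, before any download.
    print(try_install(honest_repo, index_text=INDEX_TEXT.replace("busybox", "busybox-evil")))
```

The tampered repository passes step 1 untouched, which is the point: the index signature binds names to digests, and only the per-artifact comparison binds the digests to the bytes that were fetched.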
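Three entries above concern JWS verification: fast-jwt (CVE-2026-35042) and PyJWT (CVE-2026-32597) accepted tokens whose crit header named extensions they did not understand, contrary to RFC 7515 §4.1.11, and json-web-token (CVE-2023-48238) was open to algorithm confusion. The following is an added example, not code from any of those libraries, of a minimal HS256 verifier that makes both checks explicit: it pins the algorithm instead of trusting the token's alg header, and it rejects any crit entry it does not implement. It uses only the Python standard library; the key, claims and helper names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from PyJWT, fast-jwt or json-web-token. A minimal
# verifier for HS256 tokens in JWS compact serialization (RFC 7515).

# Names in "crit" that this verifier understands and enforces. It implements no
# extension header parameters, so the set is empty and every "crit" entry is
# unknown; a real verifier lists the extensions it actually supports.
SUPPORTED_CRIT = frozenset()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def hs256_sign(payload: dict, key: bytes, header_extra=None) -> str:
    """Mint an HS256 token; header_extra lets the examples build unusual headers."""
    header = {"alg": "HS256", "typ": "JWT"}
    header.update(header_extra or {})
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload of a valid token; raise ValueError for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))

    # Check 1: the verifier, not the token, chooses the algorithm. Honouring
    # whatever "alg" the header names ("none", or HS256 with the server's RSA
    # public key as the HMAC secret) is what algorithm-confusion attacks exploit.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    # Check 2: RFC 7515 section 4.1.11. "crit" must be a non-empty array naming
    # header parameters present in the header, and the JWS is invalid if any of
    # them is not understood and supported by this recipient.
    if "crit" in header:
        crit = header["crit"]
        if not isinstance(crit, list) or not crit:
            raise ValueError("crit must be a non-empty array")
        for name in crit:
            if not isinstance(name, str) or name not in header:
                raise ValueError("crit names a header parameter that is absent")
            if name not in SUPPORTED_CRIT:
                raise ValueError("unsupported critical extension %r" % name)

    # Check 3: constant-time comparison over the exact signing input.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p_b64))


def verdict(token: str, key: bytes) -> str:
    """'accepted' or the rejection reason, for the constructed tokens below."""
    try:
        verify_hs256(token, key)
        return "accepted"
    except ValueError as e:
        return "rejected: " + str(e)


KEY = b"constructed-demo-key"  # constructed; never hard-code a real secret
CLAIMS = {"sub": "alice", "role": "user"}

# A normal token.
GOOD = hs256_sign(CLAIMS, KEY)
# Correctly signed, but it demands an extension this verifier does not implement;
# a lenient library accepts it and silently ignores whatever "exp_ext" meant.
CRIT_UNKNOWN = hs256_sign(CLAIMS, KEY, {"crit": ["exp_ext"], "exp_ext": True})
# "crit" must not be empty.
CRIT_EMPTY = hs256_sign(CLAIMS, KEY, {"crit": []})
# Header claims alg "none"; once alg is pinned, the signature bytes never matter.
ALG_NONE = hs256_sign(CLAIMS, KEY, {"alg": "none"})
# GOOD with the payload edited (role=admin) and the original signature kept.
TAMPERED = GOOD.split(".")[0] + "." + _b64url_encode(
    json.dumps({"sub": "alice", "role": "admin"}).encode()) + "." + GOOD.split(".")[2]

if __name__ == "__main__":
    for label, tok in [("good", GOOD), ("crit unknown", CRIT_UNKNOWN),
                       ("crit empty", CRIT_EMPTY), ("alg none", ALG_NONE),
                       ("tampered", TAMPERED)]:
        print(f"{label:13s} {verdict(tok, KEY)}")
```

The crit rule is the subtle one: CRIT_UNKNOWN carries a perfectly valid signature, so a verifier that checks the MAC and nothing else accepts it even though the issuer marked the token as unusable by recipients that do not implement the named extension.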