VYPR

CWE-346

Origin Validation Error

Abstraction: Class · Status: Draft

Description

The product does not properly verify that the source of data or communication is valid.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-160 · CAPEC-21 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-510 · CAPEC-59 · CAPEC-60 · CAPEC-75 · CAPEC-76 · CAPEC-89

CVEs mapped to this weakness (296)

page 1 of 15
  • CVE-2015-4495 · High · KEV · Aug 8, 2015
    risk 0.78 · cvss 8.8 · epss 0.70

    The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as…

  • CVE-2026-42901 · Critical · May 22, 2026
    risk 0.65 · cvss 10.0 · epss 0.00

    Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2025-34291 · High · KEV · Dec 5, 2025
    risk 0.65 · cvss 8.8 · epss 0.79

    Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as…

  • CVE-2025-9265 · Critical · Oct 13, 2025
    risk 0.65 · cvss · epss 0.00

    A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state changing actions that should only be initiated by administrators. This issue affects Kiloview NDI N30 and was fixed in…

  • CVE-2026-6508 · Critical · May 7, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liderahenk: from 2.0.1 before 2.0.2.

  • CVE-2026-2790 · Critical · Feb 24, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

  • CVE-2025-30466 · Critical · May 29, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. A website may be able to bypass Same Origin Policy.

  • CVE-2024-10534 · Critical · Nov 15, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    Origin Validation Error vulnerability in Dataprom Informatics Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS) allows Traffic Injection. This issue affects Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS):…

  • CVE-2018-5116 · Critical · Jun 11, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    WebExtensions with the "ActiveTab" permission are able to access frames hosted within the active tab even if the frames are cross-origin. Malicious extensions can inject frames from arbitrary origins into the loaded page and then interact with them, bypassing same-origin user…

  • CVE-2017-13274 · Critical · Apr 4, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    In the getHost() function of UriTest.java, there is the possibility of incorrect web origin determination. This could lead to incorrect security decisions with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions:…

  • CVE-2003-0174 · Critical · May 12, 2003
    risk 0.64 · cvss 9.8 · epss 0.01

    The LDAP name service (nsd) in IRIX 6.5.19 and earlier does not properly verify if the USERPASSWORD attribute has been provided by an LDAP server, which could allow attackers to log in without a password.

  • CVE-2000-1218 · Critical · Apr 14, 2000
    risk 0.64 · cvss 9.8 · epss 0.06

    The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache.

  • CVE-2026-8950 · Critical · May 19, 2026
    risk 0.60 · cvss 9.3 · epss 0.00

    Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

  • CVE-2025-3651 · Critical · Apr 17, 2025
    risk 0.60 · cvss · epss 0.00

    Improper Verification of Source of a Communication Channel in Work Desktop for Mac versions 10.8.1.46 and earlier allows attackers to execute arbitrary commands via unauthorized access to the Agent service. This has been remediated in Work Desktop for Mac version 10.8.2.33.

  • CVE-2026-12304 · Critical · Jun 16, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2018-5400 · Critical · Oct 8, 2018
    risk 0.59 · cvss 9.1 · epss 0.01

    The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices. The originating device sends a message in plaintext, 48:65:6c:6c:6f:20:57:6f:72:6c:64, "Hello World" over UDP ports 44444-44446…

  • CVE-2017-6519 · Critical · May 1, 2017
    risk 0.59 · cvss 9.1 · epss 0.03

    avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially…

  • CVE-2026-44649 · Critical · May 29, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik)…

  • CVE-2022-50975 · High · Feb 2, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled.

  • CVE-2024-45352 · High · Mar 27, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A code execution vulnerability exists in the Xiaomi smarthome application product. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code.