VYPR

CWE-346

Origin Validation Error

Class · Draft

Description

The product does not properly verify that the source of data or communication is valid.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-160 · CAPEC-21 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-510 · CAPEC-59 · CAPEC-60 · CAPEC-75 · CAPEC-76 · CAPEC-89

CVEs mapped to this weakness (296)

page 11 of 15
  • CVE-2024-45353 · Med · Mar 27, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    An intent redirection vulnerability exists in the Xiaomi quick App framework application product. The vulnerability is caused by improper input validation and can be exploited by attackers to perform intent redirection.

  • CVE-2024-45495 · Med · Nov 29, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    MSA FieldServer Gateway 5.0.0 through 6.5.2 allows cross-origin WebSocket hijacking.

  • CVE-2023-2886 · Med · May 25, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing Via Application API Manipulation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7.

  • CVE-2018-8235 · Med · Jun 14, 2018
    risk 0.28 · cvss 4.3 · epss 0.03

    A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge.

  • CVE-2018-8112 · Med · May 9, 2018
    risk 0.28 · cvss 4.3 · epss 0.03

    A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge.

  • CVE-2017-8523 · Med · Jun 15, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to trick a user into loading a page with malicious content when Microsoft Edge fails to correctly apply Same Origin Policy for HTML elements present in other browser…

  • CVE-2026-9595 · Med · Jun 15, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev…

  • CVE-2025-1787 · Med · Feb 24, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    A local admin could leak information from the Genetec Update Service configuration web page. An authenticated, admin-privileged Windows user could exploit this vulnerability to gain elevated privileges in the Genetec Update Service. Could be combined with CVE-2025-1789 to…

  • CVE-2026-27118 · Med · Feb 20, 2026
    risk 0.27 · cvss · epss 0.00

    SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible…

  • CVE-2026-45021 · Med · May 28, 2026
    risk 0.26 · cvss · epss 0.00

    Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the…

  • CVE-2026-41393 · Med · Apr 28, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials through DNS steering manipulation.

  • CVE-2025-5320 · Low · May 29, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the component CORS Handler. The manipulation of the argument localhost_aliases leads to elevated privileges. It is possible to initiate the…

  • CVE-2026-41398 · Med · Apr 28, 2026
    risk 0.23 · cvss 4.6 · epss 0.00

    OpenClaw before 2026.4.2 contains an improper access control vulnerability in the iOS A2UI bridge that treats generic local-network pages as trusted origins. Attackers can inject unauthorized agent.request runs by loading attacker-controlled pages from local-network or tailnet…

  • CVE-2026-2345 · Low · Feb 11, 2026
    risk 0.23 · cvss 3.6 · epss 0.00

    Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes…

  • CVE-2026-7439 · Med · Apr 29, 2026
    risk 0.22 · cvss 4.4 · epss 0.00

    AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this…

  • CVE-2026-6339 · Med · May 18, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown…

  • CVE-2026-7581 · Med · May 1, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to…

  • CVE-2026-34720 · Med · Apr 8, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and…

  • CVE-2026-12032 · Low · Jun 11, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-46611 · Med · Jun 22, 2026
    risk 0.19 · cvss · epss 0.00

    Summary: The Glances XML-RPC server (`glances -s`, implemented in `glances/server.py`) does not validate the HTTP `Host` header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 (patched in 4.5.2) added `TrustedHostMiddleware` to the REST/WebUI server; the MCP…