VYPR

CWE-346

Origin Validation Error

ClassDraft

Description

The product does not properly verify that the source of data or communication is valid.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-160 · CAPEC-21 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-510 · CAPEC-59 · CAPEC-60 · CAPEC-75 · CAPEC-76 · CAPEC-89

CVEs mapped to this weakness (296)

page 13 of 15
  • CVE-2026-27192Feb 21, 2026
    risk 0.00cvss epss 0.00

    Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix…

  • CVE-2026-27004Feb 19, 2026
    risk 0.00cvss epss 0.00

    OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a…

  • CVE-2026-22030Jan 10, 2026
    risk 0.00cvss epss 0.00

    React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in…

  • CVE-2025-62250Oct 21, 2025
    risk 0.00cvss epss 0.00

    Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to send malicious…

  • CVE-2025-56648Sep 17, 2025
    risk 0.00cvss epss 0.00

    npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.

  • CVE-2025-9636Sep 4, 2025
    risk 0.00cvss epss 0.00

    pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation.

  • CVE-2025-30360Jun 3, 2025
    risk 0.00cvss epss 0.00

    webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked…

  • CVE-2024-8487Mar 20, 2025
    risk 0.00cvss epss 0.00

    A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead…

  • CVE-2024-6844Mar 20, 2025
    risk 0.00cvss epss 0.00

    A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads…

  • CVE-2025-25302Mar 3, 2025
    risk 0.00cvss epss 0.00

    Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be…

  • CVE-2025-24010Jan 20, 2025
    risk 0.00cvss epss 0.00

    Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in…

  • CVE-2024-53866Dec 10, 2024
    risk 0.00cvss epss 0.01

    The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data…

  • CVE-2024-47084Oct 10, 2024
    risk 0.00cvss epss 0.00

    Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized…

  • CVE-2024-47165Oct 10, 2024
    risk 0.00cvss epss 0.00

    Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows…

  • CVE-2024-41926Aug 1, 2024
    risk 0.00cvss epss 0.00

    Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another…

  • CVE-2024-36421Jul 1, 2024
    risk 0.00cvss epss 0.09

    Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration…

  • CVE-2024-28224Apr 8, 2024
    risk 0.00cvss epss 0.00

    Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).

  • CVE-2024-25124Feb 21, 2024
    risk 0.00cvss epss 0.01

    Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header…

  • CVE-2024-26135Feb 20, 2024
    risk 0.00cvss epss 0.00

    MeshCentral is a full computer management web site. Versions prior to 1.1.21 a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server.…

  • CVE-2024-24557Feb 1, 2024
    risk 0.00cvss epss 0.00

    Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not…