VYPR

CWE-346

Origin Validation Error

Class · Draft

Description

The product does not properly verify that the source of data or communication is valid.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-160 · CAPEC-21 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-510 · CAPEC-59 · CAPEC-60 · CAPEC-75 · CAPEC-76 · CAPEC-89

CVEs mapped to this weakness (296)

page 4 of 15
  • CVE-2017-7797 · High · Jun 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Response header name interning does not have same-origin protections and these headers are stored in a global registry. This allows stored header names to be available cross-origin. This vulnerability affects Firefox < 55.

  • CVE-2016-9902 · High · Jun 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not…

  • CVE-2017-7561 · High · Sep 13, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.

  • CVE-2017-7667 · High · Jun 12, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.

  • CVE-2016-5168 · High · Apr 21, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information.

  • CVE-2014-1487 · High · Feb 6, 2014
    risk 0.49 · cvss 7.5 · epss 0.02

    The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error…

  • CVE-2005-0877 · High · May 2, 2005
    risk 0.49 · cvss 7.5 · epss 0.02

    Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq.

  • CVE-2026-27579 · High · Feb 21, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled…

  • CVE-2025-13947 · High · Dec 3, 2025
    risk 0.48 · cvss 7.4 · epss 0.00

    A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside…

  • CVE-2025-46737 · High · May 12, 2025
    risk 0.48 · cvss 7.4 · epss 0.00

    SEL-5037 Grid Configurator contains an overly permissive Cross Origin Resource Sharing (CORS) configuration for a data gateway service in the application. This gateway service includes an API which is not properly configured to reject requests from unexpected sources.

  • CVE-2024-7819 · High · Mar 20, 2025
    risk 0.48 · cvss 7.4 · epss 0.00

    A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized…

  • CVE-2024-11602 · High · Mar 20, 2025
    risk 0.48 · cvss 7.4 · epss 0.00

    A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can bypass…

  • CVE-2018-3834 · High · Aug 2, 2018
    risk 0.48 · cvss 7.4 · epss 0.01

    An exploitable permanent denial of service vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the kind of firmware…

  • CVE-2026-44698 · High · May 29, 2026
    risk 0.47 · cvss 8.3 · epss 0.00

    Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, the Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on…

  • CVE-2026-6662 · High · Apr 20, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to…

  • CVE-2025-61740 · High · Dec 22, 2025
    risk 0.47 · cvss n/a · epss 0.00

    Authentication issue that does not verify the source of a packet which could allow an attacker to create a denial-of-service condition or modify the configuration of the device.

  • CVE-2024-13068 · High · Sep 3, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    Origin Validation Error vulnerability in Akinsoft LimonDesk allows Forceful Browsing. This issue affects LimonDesk: from s1.02.14 before v1.02.17.

  • CVE-2025-47909 · High · Aug 29, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com…

  • CVE-2024-31127 · High · Jun 4, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    An improper verification of a loaded library in Zscaler Client Connector on Mac < 4.2.0.241 may allow a local attacker to elevate their privileges.

  • CVE-2026-46728 · High · May 16, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature verification bypass because hashed-nodes is omitted from a hash.