VYPR

CWE-346

Origin Validation Error

Abstraction: Class · Status: Draft

Description

The product does not properly verify that the source of data or communication is valid.
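The description is abstract, so here is an added example (not code from CWE, locize, aiohttp or any project in the CVE list below) showing the check that is missing in two of the patterns listed on this page: a window "message" handler that dispatches on the message body without looking at the sender (the locize entry), and an HTTP client that forwards per-request cookies across a cross-origin redirect (the aiohttp entry). The allow-listed origins, handler names and events are constructed for the demo; it runs under Node.js with no browser.

```javascript
// Added example for CWE-346, not code from CWE, locize, aiohttp or any project
// listed on this page. All origins, handler names and state are constructed.
// Runs under Node.js: node cwe346_origin_check.js

// Normalise an origin (or any URL) to scheme://host[:port] via the URL parser.
// Returns null for anything unparseable, non-http(s), or the literal "null"
// origin that sandboxed or opaque documents send. Parsing beats string
// comparison: a startsWith/indexOf check would accept
// "https://app.example.com.evil.net" or "https://evil.net/?https://app.example.com".
function canonicalOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin; // lower-cases scheme and host, drops default ports
}

// Hypothetical allow-list of frames permitted to drive this page.
const TRUSTED_ORIGINS = new Set(
  ["https://app.example.com", "https://editor.example.com"].map(canonicalOrigin)
);

function isTrustedOrigin(origin) {
  const canon = canonicalOrigin(origin);
  return canon !== null && TRUSTED_ORIGINS.has(canon);
}

// Hypothetical privileged commands, named after those in the locize entry.
const handlers = {
  editKey: (msg, state) => {
    state.edits.push(msg.key);
    return "edited";
  },
  commitKeys: (msg, state) => {
    state.committed = true;
    return "committed";
  },
};

// Vulnerable form: dispatches on event.data alone. Any document holding a
// reference to this window (opener, parent, window.open) can send such a
// message, and nothing inside event.data can prove who sent it.
function vulnerableOnMessage(event, state) {
  const handler = handlers[event.data && event.data.action];
  return handler ? handler(event.data, state) : "ignored";
}

// Hardened form: event.origin is filled in by the browser from the sender's
// document and cannot be forged by the sender, so that is what gets checked.
// Replies go back with the verified origin as the target rather than "*".
function hardenedOnMessage(event, state) {
  if (!isTrustedOrigin(event.origin)) return "rejected";
  const handler = handlers[event.data && event.data.action];
  if (!handler) return "ignored";
  const result = handler(event.data, state);
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage({ ok: true, result }, event.origin);
  }
  return result;
}

// Redirect form, after the aiohttp entry: cookies attached to one request must
// not ride along to a Location on a different origin. Scheme, host and port
// must all match; a relative Location resolves against the original URL.
function cookiesForRedirect(originalUrl, location, cookies) {
  let target;
  try {
    target = new URL(location, originalUrl);
  } catch {
    return {};
  }
  const from = canonicalOrigin(originalUrl);
  return from !== null && from === canonicalOrigin(target.href) ? cookies : {};
}

// Stand-alone demo with a constructed hostile message and redirect.
const demoState = { edits: [], committed: false };
const hostile = {
  origin: "https://attacker.example.net",
  data: { action: "editKey", key: "welcome.title" },
  source: { postMessage: () => {} },
};
console.log("vulnerable:", vulnerableOnMessage(hostile, demoState)); // edited
console.log("hardened:  ", hardenedOnMessage(hostile, demoState)); // rejected
console.log(
  "redirect:  ",
  cookiesForRedirect("https://api.example.com/login",
    "https://attacker.example.net/collect", { session: "s3cr3t" })
); // {}
```

The same `canonicalOrigin` helper serves both checks because both failures have the same root: a decision is made on attacker-controlled content (the message body, the Location header) instead of on the browser- or client-known source of that content. Note that a "null" origin is rejected rather than treated as local, and that a scheme downgrade (https to http on the same host) counts as a different origin.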

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-160 · CAPEC-21 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-510 · CAPEC-59 · CAPEC-60 · CAPEC-75 · CAPEC-76 · CAPEC-89

CVEs mapped to this weakness (296)

page 6 of 15
  • CVE-2026-11133 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11132 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11084 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11083 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11081 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in Canvas in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11048 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: Medium)

  • CVE-2026-11036 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in DOM in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11032 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11020 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. (Chromium security severity: Medium)

  • CVE-2026-10996 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in Workers in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-10937 · Medium · Jun 4, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-47265 · High · Jun 2, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then…

  • CVE-2026-40622 · High · May 20, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to…

  • CVE-2026-8971 · Medium · May 19, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

  • CVE-2026-41886 · High · May 8, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled,…

  • CVE-2026-5283 · Medium · Apr 1, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-33697 · High · Mar 27, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Cocos AI is a confidential computing system for AI. The current implementation of attested TLS (aTLS) in CoCoS is vulnerable to a relay attack affecting all versions from v0.4.0 through v0.8.2. This vulnerability is present in both the AMD SEV-SNP and Intel TDX deployment…

  • CVE-2026-3846 · Medium · Mar 10, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 148.0.2.

  • CVE-2025-14331 · Medium · Dec 9, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

  • CVE-2025-42706 · Medium · Oct 8, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A logic error exists in the Falcon sensor for Windows that could allow an attacker, with the prior ability to execute code on a host, to delete arbitrary files. CrowdStrike released a security fix for this issue in Falcon sensor for Windows versions 7.24 and above and all Long…