VYPR

CWE-346

Origin Validation Error

Abstraction: Class · Status: Draft

Description

The product does not properly verify that the source of data or communication is valid.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-160 · CAPEC-21 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-510 · CAPEC-59 · CAPEC-60 · CAPEC-75 · CAPEC-76 · CAPEC-89

CVEs mapped to this weakness (296)

page 8 of 15
  • CVE-2026-46685 · Medium · May 28, 2026
    risk 0.39 · cvss n/a · epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets…

  • CVE-2026-41347 · High · Apr 23, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform…

  • CVE-2026-41057 · High · Apr 21, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1)…

  • CVE-2025-7365 · High · Jul 10, 2025
    risk 0.39 · cvss 7.1 · epss 0.00

    A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to…

  • CVE-2026-55660 · High · Jun 19, 2026
    risk 0.38 · cvss n/a · epss n/a

    TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific…

  • CVE-2026-50168 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    An issue in the `@angular/platform-server` package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for…

  • CVE-2026-46701 · High · May 21, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret. Repository: Jovancoding/Network-AI. Affected version: v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac). Summary: The…

  • CVE-2025-53399 · Medium · Aug 1, 2025
    risk 0.38 · cvss n/a · epss 0.05

    In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP packets (except when the relay is configured for strict source and learning…

  • CVE-2017-5606 · Medium · Feb 9, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Xabber…

  • CVE-2017-5604 · Medium · Feb 9, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for mcabber…

  • CVE-2017-5603 · Medium · Feb 9, 2017
    risk 0.38 · cvss 5.9 · epss 0.02

    An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Jitsi…

  • CVE-2017-5602 · Medium · Feb 9, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for jappix…

  • CVE-2017-5593 · Medium · Feb 9, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Psi+…

  • CVE-2017-5592 · Medium · Feb 9, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for…

  • CVE-2017-5590 · Medium · Feb 9, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for…

  • CVE-2017-5589 · Medium · Feb 9, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for yaxim…

  • CVE-2026-35577 · Medium · Apr 9, 2026
    risk 0.37 · cvss 6.8 · epss 0.00

    Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based…

  • CVE-2017-5646 · Medium · May 26, 2017
    risk 0.37 · cvss 6.8 · epss 0.01

    For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit…

  • CVE-2026-22077 · Medium · Apr 27, 2026
    risk 0.36 · cvss n/a · epss 0.00

    OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure.

  • CVE-2025-2346 · Medium · Mar 16, 2025
    risk 0.36 · cvss 5.6 · epss 0.00

    A vulnerability has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308 and classified as problematic. This vulnerability affects unknown code of the component Domain Handler. The manipulation of the argument Domain Name leads to origin validation error. The attack…
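The CORS entries above (RustFS, AVideo: the request Origin is reflected as Access-Control-Allow-Origin with credentials allowed) and the window-message entry (TinaCMS: listeners act on event.data without checking event.origin or event.source) are two faces of the same missing check. As an added example, not code from any product listed on this page, the JavaScript below implements both checks as pure functions that run offline under Node: a server-side CORS decision that honours only an exact-match allowlist, shown beside the reflect-anything pattern, and the origin and source check a browser 'message' handler must make before trusting a message. The allowlist entries, origins, header values and message objects are all constructed for the demo.

```javascript
// Added example for CWE-346, not code from any product listed on this page.
// Two origin checks as pure functions so they run offline under Node:
//   corsHeadersFor()   server side: honour only an exact-match allowlist,
//                      beside reflectAnyOrigin(), the pattern the CORS entries describe
//   isTrustedMessage() browser side: what a 'message' listener must verify
//                      before touching event.data
// Every origin, allowlist entry and message object below is constructed for the demo.

// Normalise an Origin value to scheme://host[:port] (WHATWG serialisation:
// lowercased host, default port dropped), or return null if it is not a bare
// origin. The literal "null" origin (sandboxed iframes, file://, some
// redirects) is rejected explicitly; it must never be treated as a peer.
function parseOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // A real Origin carries no path, query, fragment or user-info.
  if (url.pathname !== '/' || url.search || url.hash || url.username) return null;
  return url.origin;
}

// VULNERABLE: echo whatever Origin arrived and allow credentials. Any site
// can then read authenticated responses from the API in the victim's browser.
function reflectAnyOrigin(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// HARDENED: exact match against configured origins after normalisation.
// Returns the CORS headers to add, or {} (no CORS headers at all) when the
// Origin is absent, malformed, "null" or not listed. An empty allowlist
// therefore allows nothing, rather than falling back to reflect-all, and
// substring tricks (app.example.com.evil.example) cannot match.
function corsHeadersFor(originHeader, allowedOrigins) {
  const allow = new Set(allowedOrigins.map(parseOrigin).filter(Boolean));
  const origin = parseOrigin(originHeader);
  if (!origin || !allow.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // response depends on Origin, so caches must key on it
  };
}

// Browser side. `event` has the shape of a MessageEvent ({ origin, source,
// data }); `expectedSource` is the window reference the page itself opened or
// embedded (an auth popup, a preview iframe). Both must match: a message
// from the right origin but a different window is still ignored.
function isTrustedMessage(event, allowedOrigins, expectedSource) {
  const origin = parseOrigin(event && event.origin);
  if (!origin) return false;
  if (!allowedOrigins.map(parseOrigin).includes(origin)) return false;
  if (expectedSource !== undefined && event.source !== expectedSource) return false;
  return true;
}

// Stand-alone demo over constructed inputs.
function demo() {
  const allow = ['https://app.example.com', 'https://Admin.example.com:443/'];
  console.log('reflect :', reflectAnyOrigin('https://evil.example'));
  console.log('evil    :', corsHeadersFor('https://evil.example', allow));
  console.log('admin   :', corsHeadersFor('https://admin.example.com', allow));
  const popup = { name: 'auth-popup' };
  console.log('message :', isTrustedMessage(
    { origin: 'https://app.example.com', source: popup, data: { token: 'x' } }, allow, popup));
}
demo();
```

The same shape applies to the Host-header entries (Apollo MCP Server, @angular/platform-server): parse the incoming value with the same parser the consumer of that value uses, normalise it, then exact-match against configured values. Substring, prefix or regex matches over the raw header string, and a check that parses the host differently from the code that later connects to it, are the usual ways such validation is bypassed.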