VYPR

CWE-348

Use of Less Trusted Source

Base · Draft

Description

The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-141 · CAPEC-142 · CAPEC-73 · CAPEC-76 · CAPEC-85

CVEs mapped to this weakness (35)

page 1 of 2
  • CVE-2026-44183 · Critical · May 12, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the…

  • CVE-2025-47424 · High · May 9, 2025
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.

  • CVE-2026-43634 · High · May 19, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated…

  • CVE-2026-35391 · High · Apr 6, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their…

  • CVE-2025-1245 · Medium · May 16, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Bypass Connection Restriction vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component), Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor; Hitachi Ops…

  • CVE-2025-43918 · Medium · Apr 19, 2025
    risk 0.42 · CVSS 6.4 · EPSS 0.00

    SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester's email address, even when the requester does not otherwise establish administrative…

  • CVE-2022-4532 · Medium · Aug 17, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions.…

  • CVE-2022-4537 · Medium · May 9, 2023
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login…

  • CVE-2026-46415 · High · May 19, 2026
    risk 0.38 · CVSS n/a · EPSS 0.00

    Impact: Caddy Defender used `r.RemoteAddr` when evaluating whether a request should be blocked. `RemoteAddr` is the address of the immediate peer connected to Caddy. In deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually…

  • CVE-2026-24910 · Medium · Jan 27, 2026
    risk 0.38 · CVSS 5.9 · EPSS 0.00

    In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).

  • CVE-2020-37248 · Medium · Jun 8, 2026
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    OfflineIMAP before 8.0.3 trusts the server's advertised STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

  • CVE-2026-40226 · Medium · Apr 10, 2026
    risk 0.35 · CVSS 6.4 · EPSS 0.00

    In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

  • CVE-2026-35507 · Medium · Apr 3, 2026
    risk 0.35 · CVSS 6.4 · EPSS 0.00

    Shynet before 0.14.0 allows Host header injection in the password reset flow.

  • CVE-2025-13694 · Medium · Jan 7, 2026
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or…

  • CVE-2025-53522 · Medium · Aug 20, 2025
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    Movable Type contains an issue with use of less trusted source. If exploited, tampered email to reset a password may be sent by a remote unauthenticated attacker.

  • CVE-2025-47149 · Medium · May 23, 2025
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    The optional feature 'Anti-Virus & Sandbox' of i-FILTER contains an issue with improper pattern file validation. If exploited, the product may treat an unauthorized pattern file as an authorized one. If the product uses a specially crafted pattern file, information in the server…

  • CVE-2024-0789 · Medium · Jun 19, 2024
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    The WP Maintenance plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 6.1.9.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for…

  • CVE-2026-26927 · Medium · Apr 2, 2026
    risk 0.33 · CVSS n/a · EPSS 0.00

    Szafir SDK Web is a browser plug-in that can run the SzafirHost application, which downloads the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is…

  • CVE-2026-3635 · Medium · Mar 23, 2026
    risk 0.33 · CVSS 6.1 · EPSS 0.00

    Summary: When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any…

  • CVE-2025-32900 · Medium · Dec 5, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE…