CWE-348
Use of Less Trusted Source
Description
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-141 · CAPEC-142 · CAPEC-73 · CAPEC-76 · CAPEC-85
CVEs mapped to this weakness (35)
page 1 of 2

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44183 | — | Cri | 0.64 | 9.8 | 0.00 | | May 12, 2026 | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the… |
| CVE-2025-47424 | | Hig | 0.46 | 7.1 | 0.00 | | May 9, 2025 | Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP Host header can be manipulated. |
| CVE-2026-43634 | | Hig | 0.42 | 7.5 | 0.00 | | May 19, 2026 | HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated… |
| CVE-2026-35391 | | Hig | 0.42 | 7.5 | 0.00 | | Apr 6, 2026 | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their… |
| CVE-2025-1245 | | Med | 0.42 | 6.5 | 0.00 | | May 16, 2025 | Bypass Connection Restriction vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component), Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops… |
| CVE-2025-43918 | | Med | 0.42 | 6.4 | 0.00 | | Apr 19, 2025 | SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester's email address, even when the requester does not otherwise establish administrative… |
| CVE-2022-4532 | | Med | 0.42 | 6.5 | 0.00 | | Aug 17, 2024 | The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions.… |
| CVE-2022-4537 | | Med | 0.42 | 6.5 | 0.00 | | May 9, 2023 | The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login… |
| CVE-2026-46415 | — | Hig | 0.38 | — | 0.00 | | May 19, 2026 | Caddy Defender used `r.RemoteAddr` when evaluating whether a request should be blocked. `RemoteAddr` is the address of the immediate peer connected to Caddy. In deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually… |
| CVE-2026-24910 | | Med | 0.38 | 5.9 | 0.00 | | Jan 27, 2026 | In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github). |
| CVE-2020-37248 | | Med | 0.35 | 6.5 | 0.00 | | Jun 8, 2026 | OfflineIMAP before 8.0.3 trusts the server's STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext. |
| CVE-2026-40226 | | Med | 0.35 | 6.4 | 0.00 | | Apr 10, 2026 | In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. |
| CVE-2026-35507 | | Med | 0.35 | 6.4 | 0.00 | | Apr 3, 2026 | Shynet before 0.14.0 allows Host header injection in the password reset flow. |
| CVE-2025-13694 | | Med | 0.34 | 5.3 | 0.00 | | Jan 7, 2026 | The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or… |
| CVE-2025-53522 | | Med | 0.34 | 5.3 | 0.00 | | Aug 20, 2025 | Movable Type contains an issue with use of a less trusted source. If exploited, a tampered password-reset email may be sent by a remote unauthenticated attacker. |
| CVE-2025-47149 | — | Med | 0.34 | 5.3 | 0.00 | | May 23, 2025 | The optional feature 'Anti-Virus & Sandbox' of i-FILTER contains an issue with improper pattern file validation. If exploited, the product may treat an unauthorized pattern file as an authorized one. If the product uses a specially crafted pattern file, information in the server… |
| CVE-2024-0789 | | Med | 0.34 | 5.3 | 0.00 | | Jun 19, 2024 | The WP Maintenance plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 6.1.9.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for… |
| CVE-2026-26927 | | Med | 0.33 | — | 0.00 | | Apr 2, 2026 | Szafir SDK Web is a browser plug-in that can run the SzafirHost application, which downloads the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is… |
| CVE-2026-3635 | | Med | 0.33 | 6.1 | 0.00 | | Mar 23, 2026 | When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any… |
| CVE-2025-32900 | | Med | 0.28 | 4.3 | 0.00 | | Dec 5, 2025 | In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE… |