VYPR

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

Class · Draft

Description

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-219 · CAPEC-465

CVEs mapped to this weakness (50)

page 1 of 3
  • CVE-2026-39906 · Critical · Apr 14, 2026
    risk 0.65 · cvss 10.0 · epss 0.01

    Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through…

  • CVE-2026-23751 · Critical · Apr 23, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint…

  • CVE-2025-68667 · Critical · Dec 23, 2025
    risk 0.64 · cvss · epss 0.01

    Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to…

  • CVE-2025-64125 · Critical · Jan 3, 2026
    risk 0.61 · cvss · epss 0.00

    A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging. This issue affected the nCloud VPN Service and was fixed on 2025-12-1 (December, 2025). End users do not have to take any action to mitigate the issue.

  • CVE-2026-24471 · Critical · Feb 2, 2026
    risk 0.60 · cvss · epss 0.00

    continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or…

  • CVE-2015-2947 · Critical · Apr 13, 2017
    risk 0.59 · cvss 9.1 · epss 0.01

    KanColleViewer versions 3.8.1 and earlier operates as an open proxy which allows remote attackers to trigger outbound network traffic.

  • CVE-2026-36608 · High · Jun 3, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose…

  • CVE-2025-62718 · Critical · Apr 9, 2026
    risk 0.57 · cvss 9.9 · epss 0.01

    Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip…

  • CVE-2025-11393 · High · Dec 15, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to…

  • CVE-2026-42313 · High · May 11, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist…

  • CVE-2026-7381 · Critical · Apr 29, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware…

  • CVE-2026-0098 · High · Jun 1, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2025-48570 · High · Jun 1, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    In multiple functions of PipTaskOrganizer.java, there is a possible way to launch an activity from the background due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

  • CVE-2026-44494 · High · Jun 11, 2026
    risk 0.50 · cvss 8.7 · epss 0.00

    Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full…

  • CVE-2025-47269 · High · May 9, 2025
    risk 0.50 · cvss 8.3 · epss 0.34

    code-server runs VS Code on any machine anywhere through browser access. Prior to version 4.99.4, a maliciously crafted URL using the proxy subpath can result in the attacker gaining access to the session token. Failure to properly validate the port for a proxy request can…

  • CVE-2023-31313 · High · Feb 12, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    An unintended proxy or intermediary in the AMD power management firmware (PMFW) could allow a privileged attacker to send malformed messages to the system management unit (SMU) potentially resulting in arbitrary code execution.

  • CVE-2026-40868 · High · Apr 21, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an…

  • CVE-2025-23217 · High · Feb 6, 2025
    risk 0.46 · cvss · epss 0.01

    mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers, and mitmweb is a web-based interface for mitmproxy. In mitmweb 11.1.1 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to…

  • CVE-2026-55225 · Important · Jun 17, 2026
    risk 0.45 · cvss 8.0 · epss

    strimzi-cluster-operator: Cross-namespace privilege escalation via Kafka.spec.entityOperator.watchedNamespace in Strimzi

  • CVE-2026-49821 · High · Jun 10, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace…