VYPR

CWE-830

Inclusion of Web Functionality from an Untrusted Source

Abstraction: Variant
Status: Incomplete

Description

The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (6)

  • CVE-2025-65109 | High | Nov 21, 2025
    risk 0.55 | CVSS n/a | EPSS 0.00

    Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not…

  • CVE-2024-42381 | High | Jul 31, 2024
    risk 0.47 | CVSS 8.3 | EPSS 0.01

    os/linux/elf.rb in Homebrew brew before 4.2.20 uses ldd to load ELF files obtained from untrusted sources, which allows attackers to achieve code execution via an ELF file with a custom .interp section. NOTE: this code execution would occur during an un-sandboxed binary…

  • CVE-2025-46652 | Medium | Apr 26, 2025
    risk 0.40 | CVSS 6.1 | EPSS 0.00

    In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability. When a user performs an extraction from an archive file that bears Mark-of-the-Web, Mark-of-the-Web is not propagated to the extracted files. NOTE: this is disputed because Mark-of-the-Web propagation can…

  • CVE-2025-33028 | Medium | Apr 15, 2025
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    In WinZip through 29.0, there is a Mark-of-the-Web Bypass Vulnerability because of an incomplete fix for CVE-2024-8811. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. User interaction is required to…

  • CVE-2025-64496 | severity n/a | Nov 8, 2025
    risk 0.00 | CVSS n/a | EPSS 0.08

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in…

  • CVE-2024-35180 | severity n/a | May 21, 2024
    risk 0.00 | CVSS n/a | EPSS 0.00

    OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.