CWE-830
Inclusion of Web Functionality from an Untrusted Source
Description
The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-65109 | Hig | 0.55 | — | 0.00 | Nov 21, 2025 | Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not… | ||
| CVE-2024-42381 | Hig | 0.47 | 8.3 | 0.01 | Jul 31, 2024 | os/linux/elf.rb in Homebrew brew before 4.2.20 uses ldd to load ELF files obtained from untrusted sources, which allows attackers to achieve code execution via an ELF file with a custom .interp section. NOTE: this code execution would occur during an un-sandboxed binary… | ||
| CVE-2025-46652 | Med | 0.40 | 6.1 | 0.00 | Apr 26, 2025 | In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability. When a user performs an extraction from an archive file that bears Mark-of-the-Web, Mark-of-the-Web is not propagated to the extracted files. NOTE: this is disputed because Mark-of-the-Web propagation can… | ||
| CVE-2025-33028 | Med | 0.33 | 6.1 | 0.00 | Apr 15, 2025 | In WinZip through 29.0, there is a Mark-of-the-Web Bypass Vulnerability because of an incomplete fix for CVE-2024-8811. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. User interaction is required to… | ||
| CVE-2025-64496 | 0.00 | — | 0.08 | Nov 8, 2025 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in… | |||
| CVE-2024-35180 | 0.00 | — | 0.00 | May 21, 2024 | OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0. |
- risk 0.55cvss —epss 0.00
Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not…
- risk 0.47cvss 8.3epss 0.01
os/linux/elf.rb in Homebrew brew before 4.2.20 uses ldd to load ELF files obtained from untrusted sources, which allows attackers to achieve code execution via an ELF file with a custom .interp section. NOTE: this code execution would occur during an un-sandboxed binary…
- risk 0.40cvss 6.1epss 0.00
In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability. When a user performs an extraction from an archive file that bears Mark-of-the-Web, Mark-of-the-Web is not propagated to the extracted files. NOTE: this is disputed because Mark-of-the-Web propagation can…
- risk 0.33cvss 6.1epss 0.00
In WinZip through 29.0, there is a Mark-of-the-Web Bypass Vulnerability because of an incomplete fix for CVE-2024-8811. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. User interaction is required to…
- CVE-2025-64496Nov 8, 2025risk 0.00cvss —epss 0.08
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in…
- CVE-2024-35180May 21, 2024risk 0.00cvss —epss 0.00
OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.