VYPR

CWE-940

Improper Verification of Source of a Communication Channel

Base · Incomplete

Description

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges and access unexpected functionality.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-500 · CAPEC-594 · CAPEC-595 · CAPEC-596

CVEs mapped to this weakness (31)

page 2 of 2
  • CVE-2026-23866 · Med · May 1, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device,…

  • CVE-2025-20365 · Med · Sep 24, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability in the IPv6 Router Advertisement (RA) packet processing of Cisco Access Point Software could allow an unauthenticated, adjacent attacker to modify the IPv6 gateway on an affected device. This vulnerability is due to a logic error in the processing of IPv6 RA…

  • CVE-2026-43880 · Med · May 11, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for…

  • CVE-2025-62439 · Med · Feb 10, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    An Improper Verification of Source of a Communication Channel vulnerability [CWE-940] in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions may allow an authenticated user with knowledge of FSSO…

  • CVE-2026-2967 · Low · Feb 23, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The…

  • CVE-2025-42978 · Low · Jul 8, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certificate of remote TLS server. This might…

  • CVE-2025-0036 · Low · Jun 10, 2025
    risk 0.21 · cvss 3.2 · epss 0.00

    In AMD Versal Adaptive SoC devices, the incorrect configuration of the SSS during runtime (post-boot) cryptographic operations could cause data to be incorrectly written to and read from invalid locations as well as returning incorrect cryptographic data.

  • CVE-2026-48022 · Jun 11, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Impact: Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes…

  • CVE-2022-4848 · Dec 29, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-4800 · Dec 28, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2021-41038 · Nov 10, 2021
    risk 0.00 · cvss n/a · epss 0.01

    In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().