CVEbaza.plCWE DictionaryCWE-346
Common Weakness Enumeration

CWE-346

Origin Validation Error

Category: ClassCVE: 662
Description

The product does not properly verify that the source of data or communication is valid.

CVE vulnerabilities with CWE-346 (662)
10.0
CVSS
CRITICAL
CVE-2026-42901

Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.

pub. 2026-05-22
10.0
CVSS
CRITICAL
CVE-2025-9265

A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state changing actions that should only be initiated by administratorsThis issue affects Kiloview NDI N30 and was fixed in Firmware version later than 2.02.0246

pub. 2025-10-13
10.0
CVSS
CRITICAL
CVE-2021-37705

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. As a workaround users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option.

pub. 2021-08-13
9.9
CVSS
CRITICAL
CVE-2024-32764

A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow users with the privilege level of some functionality via a network. We have already fixed the vulnerability in the following version: myQNAPcloud Link 2.4.51 and later

pub. 2024-04-26
9.8
CVSS
CRITICAL
CVE-2026-44649

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0.

pub. 2026-05-29
9.8
CVSS
CRITICAL
CVE-2026-6508

Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liderahenk: from 2.0.1 before 2.0.2.

pub. 2026-05-07
9.8
CVSS
CRITICAL
CVE-2026-2790

Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

pub. 2026-02-24
9.8
CVSS
CRITICAL
CVE-2025-69258

A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations.

pub. 2026-01-08
9.8
CVSS
CRITICAL
CVE-2025-30466

This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. A website may be able to bypass Same Origin Policy.

pub. 2025-05-29
9.8
CVSS
CRITICAL
CVE-2024-8487

A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized data access, information disclosure, and potential further exploitation, thereby compromising the integrity and confidentiality of the system.

pub. 2025-03-20
9.8
CVSS
CRITICAL
CVE-2024-9392

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

pub. 2024-10-01
9.8
CVSS
CRITICAL
CVE-2021-47157

The Kossy module before 0.60 for Perl allows JSON hijacking because of X-Requested-With mishandling.

pub. 2024-03-18
9.8
CVSS
CRITICAL
CVE-2023-29711

An incorrect access control issue was discovered in Interlink PSG-5124 version 1.0.4, allows attackers to execute arbitrary code via crafted GET request.

pub. 2023-06-22
9.8
CVSS
CRITICAL
CVE-2023-25366

In Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS, insecure SCPI interface discloses web password.

pub. 2023-06-16
9.8
CVSS
CRITICAL
CVE-2023-33443

Incorrect access control in the administrative functionalities of BES--6024PB-I50H1 VideoPlayTool v2.0.1.0 allow attackers to execute arbitrary administrative commands via a crafted payload sent to the desired endpoints.

pub. 2023-06-08
9.8
CVSS
CRITICAL
CVE-2023-29728

The Call Blocker application 6.6.3 for Android allows attackers to tamper with feature-related data, resulting in a severe elevation of privilege attack.

pub. 2023-05-30
9.8
CVSS
CRITICAL
CVE-2017-20146

Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.

pub. 2022-12-27
9.8
CVSS
CRITICAL
CVE-2022-3457

Origin Validation Error in GitHub repository ikus060/rdiffweb prior to 2.5.0a5.

pub. 2022-10-13
9.8
CVSS
CRITICAL
CVE-2020-26527

An issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin: example.com' header and responding with 200 OK and a wildcard 'Access-Control-Allow-Origin: *' header.

pub. 2020-10-02
9.8
CVSS
CRITICAL
CVE-2019-4640

IBM Security Secret Server 10.7 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malicious code. IBM X-Force ID: 170046.

pub. 2020-02-19
Showing 20 of 662 vulnerabilities
Information
ID: CWE-346
Type: Class
Vulnerabilities: 662
MITRE CWE ↗
← CWE Dictionary