CWE-345— Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.— MITRE CWE catalog
583 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-345page 10 of 12
- CVE-2025-59024MEDIUMCVSS 6.5EG 6.52026-02-09
Crafted delegations or IP fragments can poison cached delegations in Recursor.
- CVE-2025-59160LOWCVSS 2.7EG 2.72025-09-16
Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to …
- CVE-2025-59420HIGHCVSS 7.5EG 7.52025-09-22
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand�…
- CVE-2025-59700LOWCVSS 3.9EG 3.92025-12-02
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition (because of a lack of integrity protection).
- CVE-2025-59934CRITICALCVSS 9.4EG 9.42025-09-26
Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs (jwt.decode) without verifying th…
- CVE-2025-59951CRITICALCVSS 9.1EG 9.12025-10-01
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the b…
- CVE-2025-6426HIGHCVSS 8.8EG 8.82025-06-24
The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 140, Firefox …
- CVE-2025-6504HIGHCVSS 8.4EG 8.42025-07-29
In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofe…
- CVE-2025-66016CRITICALCVSS 9.3EG 9.32025-11-25
CGGMP24 is a state-of-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key refresh protocol. Prior to version 0.6.3, there is a missing check in the ZK proof that enables an …
- CVE-2025-66225HIGHCVSS 8.8EG 8.82025-11-29
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset proce…
- CVE-2025-66255CRITICALCVSS 9.8EG 9.82025-11-26
Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signatur…
- CVE-2025-66570CRITICALCVSS 9.8EG 10.02025-12-05
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attac…
- CVE-2025-7096HIGHCVSS 8.8EG 8.12025-07-06
A vulnerability classified as critical was found in Comodo Internet Security Premium 12.3.4.8162. This vulnerability affects unknown code of the file cis_update_x64.xml of the component Manifest File Handler. The manipulation leads to impr…
- CVE-2025-71057HIGHCVSS 8.2EG 8.22026-02-26
Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user.
- CVE-2025-7884HIGHCVSS 7.8EG 3.32025-07-20
A vulnerability classified as problematic was found in Eluktronics Control Center 5.23.51.41. Affected by this vulnerability is an unknown functionality of the component REG File Handler. The manipulation leads to insufficient verification…
- CVE-2025-8038CRITICALCVSS 9.8EG 9.82025-07-22
Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
- CVE-2025-8978HIGHCVSS 8.1EG 6.62025-08-14
A vulnerability was determined in D-Link DIR-619L 6.02CN02. Affected is the function FirmwareUpgrade of the component boa. The manipulation leads to insufficient verification of data authenticity. It is possible to launch the attack remote…
- CVE-2025-8979MEDIUMCVSS 6.6EG 6.62025-08-14
A vulnerability was identified in Tenda AC15 15.13.07.13. Affected by this vulnerability is the function check_fw_type/split_fireware/check_fw of the component Firmware Update Handler. The manipulation leads to insufficient verification of…
- CVE-2025-8980MEDIUMCVSS 6.6EG 6.62025-08-14
A vulnerability has been found in Tenda G1 16.01.7.8(3660). Affected by this issue is the function check_upload_file of the component Firmware Update Handler. The manipulation leads to insufficient verification of data authenticity. The at…
- CVE-2025-9379HIGHCVSS 7.2EG 7.22025-08-24
A vulnerability was determined in Belkin AX1800 1.1.00.016. Affected by this vulnerability is an unknown functionality of the component Firmware Update Handler. This manipulation causes insufficient verification of data authenticity. The a…
- CVE-2026-0939MEDIUMCVSS 5.3EG 5.32026-01-16
The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify t…
- CVE-2026-11901MEDIUMCVSS 5.3EG 5.32026-07-11
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal…
- CVE-2026-1195MEDIUMCVSS 5.0EG 5.02026-01-20
A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible …
- CVE-2026-13483LOWCVSS 3.1EG 3.12026-06-28
A flaw has been found in arc53 DocsGPT up to 0.18.0. The affected element is the function encrypt_credentials of the file application/security/encryption.py of the component Credential Storage. This manipulation causes insufficient verific…
- CVE-2026-13507MEDIUMCVSS 5.0EG 5.02026-06-28
A vulnerability was detected in volcengine OpenViking up to 0.3.21. This affects the function str_to_uint64 of the file openviking/storage/vectordb/utils/str_to_uint64.py of the component Local VectorDB Primary-key Label Handler. The manip…
- CVE-2026-13513MEDIUMCVSS 5.0EG 5.02026-06-28
A security flaw has been discovered in MyScale MyScaleDB up to 1.8.0. This vulnerability affects the function SegmentId::getCacheKey in the library src/VectorIndex/Common/SegmentId.h. The manipulation results in insufficient verification o…
- CVE-2026-1642MEDIUMCVSS 5.9EG 5.92026-02-04
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond…
- CVE-2026-21527MEDIUMCVSS 6.5EG 6.52026-02-10
User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
- CVE-2026-22703MEDIUMCVSS 5.5EG 5.52026-01-10
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact'…
- CVE-2026-23656MEDIUMCVSS 5.9EG 5.92026-03-10
Insufficient verification of data authenticity in Windows App Installer allows an unauthorized attacker to perform spoofing over a network.
- CVE-2026-2385MEDIUMCVSS 5.3EG 5.32026-02-22
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. T…
- CVE-2026-23966CRITICALCVSS 9.1EG 9.12026-01-22
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the …
- CVE-2026-2428HIGHCVSS 7.5EG 7.52026-02-27
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification b…
- CVE-2026-24772HIGHCVSS 8.9EG 8.92026-01-28
OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that…
- CVE-2026-24775MEDIUMCVSS 6.3EG 6.32026-01-28
OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention O…
- CVE-2026-25602MEDIUMCVSS 4.4EG 4.42026-05-20
Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Comp…
- CVE-2026-26007MEDIUMCVSS 6.5EG 6.52026-02-10
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), loa…
- CVE-2026-27510CRITICALCVSS 9.6EG 9.62026-02-26
Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created program…
- CVE-2026-28500CRITICALCVSS 9.1EG 8.62026-03-16
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verifi…
- CVE-2026-2968LOWCVSS 3.7EG 3.72026-02-23
A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper …
- CVE-2026-3012MEDIUMCVSS 6.8EG 8.02026-05-27
A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store…
- CVE-2026-30603MEDIUMCVSS 6.8EG 6.82026-04-02
An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card.
- CVE-2026-30792HIGHCVSS 8.1EG 8.12026-03-05
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the…
- CVE-2026-30798HIGHCVSS 8.2EG 7.52026-03-05
Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing m…
- CVE-2026-3177MEDIUMCVSS 5.3EG 5.32026-04-07
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to…
- CVE-2026-31835MEDIUMCVSS 5.4EG 5.42026-05-05
Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1backup_eligible1 and 1backup_state flags…
- CVE-2026-32029MEDIUMCVSS 5.3EG 5.32026-03-19
OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or prese…
- CVE-2026-32290MEDIUMCVSS 4.7EG 4.72026-03-17
The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash…
- CVE-2026-32294MEDIUMCVSS 4.7EG 4.72026-03-17
JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.
- CVE-2026-32323HIGHCVSS 7.3EG 7.32026-05-19
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applica…
Map vulnerabilities like CWE-345 to your infrastructure
EchelonGraph correlates every CVE — across CWE-345 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →