CWE-346— Origin Validation Error
The product does not properly verify that the source of data or communication is valid.— MITRE CWE catalog
562 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-346page 11 of 12
- CVE-2026-42558HIGHCVSS 7.6EG 7.62026-06-10
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users…
- CVE-2026-42559HIGHCVSS 8.8EG 8.82026-05-14
RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allo…
- CVE-2026-42901CRITICALCVSS 10.0EG 10.02026-05-22
Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-43700MEDIUMCVSS 6.5EG 6.52026-06-29
A cross-origin issue was addressed with improved tracking of security origins. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may disclose sensitive user i…
- CVE-2026-43870HIGHCVSS 7.3EG 7.32026-05-05
Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulne…
- CVE-2026-43972MEDIUMCVSS 6.3EG 6.32026-06-08
Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority. In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming…
- CVE-2026-44184HIGHCVSS 8.0EG 8.02026-05-12
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines i…
- CVE-2026-44649CRITICALCVSS 9.8EG 9.82026-05-29
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authel…
- CVE-2026-44698HIGHCVSS 8.3EG 8.32026-05-29
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in…
- CVE-2026-44755MEDIUMCVSS 4.3EG 4.32026-06-09
SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated users, resulting in an email spoofing vulnerability.This vulnerability has a low impact on integrity and …
- CVE-2026-44894HIGHCVSS 7.5EG 7.52026-06-08
Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (ser…
- CVE-2026-44985CRITICALCVSS 9.6EG 9.62026-05-26
Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepting upgrade requests from any origin. Com…
- CVE-2026-45021MEDIUMCVSS 5.1EG 5.12026-05-28
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any…
- CVE-2026-45173MEDIUMCVSS 6.5EG 6.52026-06-11
Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated user navigates to a specially crafted we…
- CVE-2026-45206HIGHCVSS 7.8EG 7.82026-05-21
An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45207 but exists in a different process protection communication mechan…
- CVE-2026-45207HIGHCVSS 7.8EG 7.82026-05-21
An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45206 but exists in a different process protection communication mechan…
- CVE-2026-45674CRITICALCVSS 10.0EG 10.02026-06-08
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS response…
- CVE-2026-46611MEDIUMCVSS 5.3EG 5.32026-06-22
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attac…
- CVE-2026-46685MEDIUMCVSS 6.0EG 6.02026-05-28
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Ori…
- CVE-2026-46728HIGHCVSS 8.2EG 8.22026-05-16
Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature verification bypass because hashed-nodes is omitted from a hash.
- CVE-2026-47265HIGHCVSS 7.5EG 7.52026-06-02
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookie…
- CVE-2026-47691CRITICALCVSS 10.0EG 10.02026-06-08
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cach…
- CVE-2026-47825HIGHCVSS 8.6EG 8.62026-06-15
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.…
- CVE-2026-50168HIGHCVSS 8.2EG 8.22026-06-15
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allow…
- CVE-2026-5283MEDIUMCVSS 6.5EG 6.52026-04-01
Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-5321MEDIUMCVSS 4.3EG 4.32026-04-02
A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. Th…
- CVE-2026-54007MEDIUMCVSS 6.5EG 6.52026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt…
- CVE-2026-54030CRITICALCVSS 9.3EG 9.32026-06-25
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata (RFC 9728) matches the co…
- CVE-2026-54069CRITICALCVSS 9.2EG 9.22026-06-24
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension …
- CVE-2026-54665MEDIUMCVSS 5.3EG 5.32026-06-22
Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configu…
- CVE-2026-55438MEDIUMCVSS 6.8EG 6.82026-07-06
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. Whe…
- CVE-2026-55487HIGHCVSS 8.8EG 8.82026-06-25
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a…
- CVE-2026-55660HIGHCVSS 7.6EG 7.62026-06-19
Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library register…
- CVE-2026-55669MEDIUMCVSS 4.2EG 4.22026-06-18
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer (iss) but not the audience (aud) claim, allowing a validly signed token f…
- CVE-2026-55767MEDIUMCVSS 5.8EG 5.82026-06-19
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normal…
- CVE-2026-56277MEDIUMCVSS 6.5EG 6.52026-07-01
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy…
- CVE-2026-58169HIGHCVSS 7.5EG 7.52026-06-30
Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined…
- CVE-2026-58266MEDIUMCVSS 6.5EG 6.52026-07-07
Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via iframes in the editor can access this AP…
- CVE-2026-5899MEDIUMCVSS 6.1EG 6.12026-04-08
Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML pa…
- CVE-2026-59096HIGHCVSS 7.5EG 7.52026-07-02
Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts…
- CVE-2026-59152MEDIUMCVSS 5.0EG 5.02026-07-06
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary…
- CVE-2026-59153LOWCVSS 2.1EG 2.12026-07-07
Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A ma…
- CVE-2026-5918MEDIUMCVSS 4.3EG 4.32026-04-08
Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-59208MEDIUMCVSS 6.8EG 6.82026-07-09
n8n is an open source workflow automation platform. Prior to 2.27.4 and from 2.28.0 prior to 2.28.1, n8n instances configured with more than one trusted token-exchange issuer resolved external identities to local accounts using only the JW…
- CVE-2026-59723HIGHCVSS 8.8EG 8.82026-07-08
Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub dashboard server launched by the cline dashboard command accepts WebSocket connections on the /browser endpoint without validati…
- CVE-2026-59883MEDIUMCVSS 4.7EG 4.72026-07-08
Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix mat…
- CVE-2026-6143MEDIUMCVSS 6.3EG 6.32026-04-13
A security flaw has been discovered in farion1231 cc-switch up to 3.12.3. Affected by this issue is some unknown functionality of the file src-tauri/src/proxy/server.rs of the component ProxyServer. The manipulation results in permissive c…
- CVE-2026-6339MEDIUMCVSS 4.3EG 4.32026-05-18
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without reci…
- CVE-2026-6508CRITICALCVSS 9.8EG 9.82026-05-07
Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liderahenk: from 2.0.1 before 2.0.2.
- CVE-2026-6657HIGHCVSS 8.8EG 6.12026-06-03
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origi…
Map vulnerabilities like CWE-346 to your infrastructure
EchelonGraph correlates every CVE — across CWE-346 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →