CWE-346— Origin Validation Error
The product does not properly verify that the source of data or communication is valid.— MITRE CWE catalog
562 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-346page 12 of 12
- CVE-2026-6662HIGHCVSS 7.3EG 7.32026-04-20
A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with un…
- CVE-2026-6734HIGHCVSS 7.5EG 7.52026-06-17
Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first…
- CVE-2026-6903HIGHCVSS 7.5EG 7.52026-04-23
The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that…
- CVE-2026-7439MEDIUMCVSS 4.4EG 4.42026-04-29
AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations…
- CVE-2026-7581MEDIUMCVSS 4.3EG 4.32026-05-01
A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrus…
- CVE-2026-7643MEDIUMCVSS 4.3EG 4.32026-05-02
A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. …
- CVE-2026-7979MEDIUMCVSS 4.3EG 4.32026-05-06
Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-7986MEDIUMCVSS 4.3EG 4.32026-05-06
Insufficient policy enforcement in Autofill in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-8950CRITICALCVSS 9.3EG 9.32026-05-19
Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
- CVE-2026-8971MEDIUMCVSS 6.5EG 6.52026-05-19
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
- CVE-2026-9595MEDIUMCVSS 4.3EG 4.32026-06-15
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin he…
- CVE-2026-9989MEDIUMCVSS 6.3EG 6.32026-05-28
Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to bypass same origin policy via a crafted video file. (Chromium security severity: High)
Map vulnerabilities like CWE-346 to your infrastructure
EchelonGraph correlates every CVE — across CWE-346 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →