CWE-602— Client-Side Enforcement of Server-Side Security
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.— MITRE CWE catalog
139 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-602page 3 of 3
- CVE-2026-11184MEDIUMCVSS 6.3EG 6.32026-06-04
Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-11236HIGHCVSS 8.3EG 8.32026-06-04
Insufficient policy enforcement in Web Bluetooth in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security…
- CVE-2026-11267MEDIUMCVSS 4.3EG 4.32026-06-04
Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium sec…
- CVE-2026-11287MEDIUMCVSS 6.5EG 6.52026-06-04
Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium securi…
- CVE-2026-13795MEDIUMCVSS 6.5EG 6.52026-06-30
Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-13871MEDIUMCVSS 6.5EG 6.52026-06-30
Insufficient policy enforcement in GuestView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-13894MEDIUMCVSS 6.5EG 6.52026-06-30
Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed an attacker in a privileged network position to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-13896MEDIUMCVSS 6.5EG 6.52026-06-30
Insufficient policy enforcement in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-13901CRITICALCVSS 9.6EG 9.62026-06-30
Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severi…
- CVE-2026-13903HIGHCVSS 8.8EG 8.82026-06-30
Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-13919MEDIUMCVSS 6.5EG 6.52026-06-30
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-13929MEDIUMCVSS 5.5EG 5.52026-06-30
Insufficient policy enforcement in DevTools in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Medium)
- CVE-2026-13930MEDIUMCVSS 6.5EG 6.52026-06-30
Insufficient policy enforcement in Actor in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-14007MEDIUMCVSS 6.5EG 6.52026-06-30
Insufficient policy enforcement in PermissionsPolicy in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-14033MEDIUMCVSS 6.5EG 6.52026-06-30
Insufficient policy enforcement in Media in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-14036HIGHCVSS 8.8EG 8.82026-06-30
Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-14041HIGHCVSS 8.8EG 8.82026-06-30
Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-14047MEDIUMCVSS 4.3EG 4.32026-06-30
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium sec…
- CVE-2026-14054MEDIUMCVSS 4.3EG 4.32026-06-30
Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-14075MEDIUMCVSS 4.3EG 4.32026-06-30
Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to bypass no-referrer policy via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-14081MEDIUMCVSS 6.5EG 6.52026-06-30
Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chr…
- CVE-2026-14086HIGHCVSS 8.8EG 8.82026-06-30
Insufficient policy enforcement in HID in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-14109CRITICALCVSS 9.6EG 9.62026-07-01
Insufficient policy enforcement in Mojo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity…
- CVE-2026-15130MEDIUMCVSS 4.3EG 4.32026-07-08
Insufficient policy enforcement in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-23478CRITICALCVSS 9.8EG 9.82026-01-13
Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email ad…
- CVE-2026-30521MEDIUMCVSS 6.5EG 6.52026-03-31
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend inter…
- CVE-2026-30522MEDIUMCVSS 6.5EG 6.52026-04-01
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. Whil…
- CVE-2026-30783CRITICALCVSS 9.8EG 9.82026-03-05
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated wi…
- CVE-2026-39415MEDIUMCVSS 4.3EG 4.32026-04-08
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission.…
- CVE-2026-42160CRITICALCVSS 10.0EG 10.02026-05-08
Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regardin…
- CVE-2026-42266HIGHCVSS 8.8EG 8.82026-05-13
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_ex…
- CVE-2026-42329MEDIUMCVSS 4.7EG 4.72026-06-04
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 contain a weakness where an attacker can misuse it to redirect the user to a malicious website cont…
- CVE-2026-44567HIGHCVSS 7.3EG 7.32026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is confi…
- CVE-2026-54104HIGHCVSS 8.8EG 8.82026-06-18
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter witho…
- CVE-2026-56256HIGHCVSS 7.1EG 7.12026-06-24
Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do not validate 2FA completion on the backe…
- CVE-2026-56693MEDIUMCVSS 5.5EG 5.52026-06-23
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the create_agent delivery-action handler that performs privileged central-database writes without host-side authorization checks. Confined agent containers can invoke …
- CVE-2026-57912HIGHCVSS 7.5EG 7.52026-06-26
Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers.
- CVE-2026-57913HIGHCVSS 7.5EG 7.52026-06-26
Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows viewing of meeting minutes and transcripts.
- CVE-2026-5901MEDIUMCVSS 6.5EG 6.52026-04-08
Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to bypass enterprise host restrictions for cookie modification via a crafted Chro…
Map vulnerabilities like CWE-602 to your infrastructure
EchelonGraph correlates every CVE — across CWE-602 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →