CWE-830— Inclusion of Web Functionality from an Untrusted Source
The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.— MITRE CWE catalog
12 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-830page 1 of 1
- CVE-2021-28162MEDIUMCVSS 6.1EG 6.12021-03-12
In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.
- CVE-2023-2588HIGHCVSS 8.8EG 8.82023-05-22
Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. A user can request a web proxy and obtain a …
- CVE-2024-29944HIGHCVSS 8.4EG 8.42024-03-22
An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Fi…
- CVE-2024-35180MEDIUMCVSS 6.1EG 6.12024-05-21
OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has bee…
- CVE-2024-42381HIGHCVSS 8.3EG 8.32024-07-31
os/linux/elf.rb in Homebrew brew before 4.2.20 uses ldd to load ELF files obtained from untrusted sources, which allows attackers to achieve code execution via an ELF file with a custom .interp section. NOTE: this code execution would occu…
- CVE-2025-33026MEDIUMCVSS 6.1EG 6.12025-04-15
In PeaZip through 10.4.0, there is a Mark-of-the-Web Bypass Vulnerability. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of PeaZip. User interaction is required to exploit …
- CVE-2025-33027MEDIUMCVSS 6.1EG 6.12025-04-15
In Bandisoft Bandizip through 7.37, there is a Mark-of-the-Web Bypass Vulnerability. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of Bandizip. User interaction is required…
- CVE-2025-33028MEDIUMCVSS 6.1EG 6.12025-04-15
In WinZip through 29.0, there is a Mark-of-the-Web Bypass Vulnerability because of an incomplete fix for CVE-2024-8811. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of Win…
- CVE-2025-43703MEDIUMCVSS 6.1EG 6.12025-04-16
An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the…
- CVE-2025-46652MEDIUMCVSS 6.1EG 6.12025-04-26
In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability. When a user performs an extraction from an archive file that bears Mark-of-the-Web, Mark-of-the-Web is not propagated to the extracted files. NOTE: this is disputed bec…
- CVE-2025-64496HIGHCVSS 8.0EG 7.32025-11-08
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model ser…
- CVE-2025-65109HIGHCVSS 8.5EG 8.52025-11-21
Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which ma…
Map vulnerabilities like CWE-830 to your infrastructure
EchelonGraph correlates every CVE — across CWE-830 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →