
CWE-345 (Insufficient Verification of Data Authenticity) — Vulnerability Class 226

226 vulnerabilities classified as CWE-345 (Insufficient Verification of Data Authenticity). AI Chinese analysis included.

CWE-345 represents a critical integrity weakness where software fails to adequately verify the origin or authenticity of incoming data, leading to the acceptance of invalid or malicious inputs. Attackers typically exploit this vulnerability by injecting spoofed or tampered information, tricking the application into processing untrusted sources as legitimate. This can result in severe consequences, including data corruption, unauthorized access, or system compromise, as the software blindly trusts the manipulated payload. To mitigate this risk, developers must implement robust cryptographic verification mechanisms, such as digital signatures or message authentication codes, to ensure data integrity. Additionally, strict input validation and secure communication protocols like TLS should be employed to authenticate data sources. By rigorously validating the provenance of all external inputs, organizations can prevent attackers from exploiting trust assumptions and maintain the overall security posture of their systems against integrity-based attacks.

MITRE CWE Description
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Common Consequences (1)
Scope: Integrity, Other | Impact: Varies by Context, Unexpected State
Examples (1)
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2026-41432 | New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud — new-api | 7.1 | High | 2026-05-08
CVE-2026-42206 | Roadiz OpenID Connect nonce generated but never validated — ID token replay attack — core-bundle-dev-app | - | - | 2026-05-08
CVE-2026-31835 | Vaultwarden WebAuthn credential metadata tampered before signature verification — vaultwarden | - | - | 2026-05-05
CVE-2026-43534 | OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events — OpenClaw | 9.1 | Critical | 2026-05-05
CVE-2026-7611 | TRENDnet TEW-821DAP Firmware Update cameo_dev.sh platform_do_upgrade_cameo_dev data authenticity — TEW-821DAP | 3.7 | Low | 2026-05-02
CVE-2026-7606 | TRENDnet TEW-821DAP Firmware Update new_gui_update_firmware data authenticity — TEW-821DAP | 3.7 | Low | 2026-05-02
CVE-2026-35051 | Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth — traefik | 9.1 (AI) | Critical (AI) | 2026-04-30
CVE-2026-6498 | Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter — Five Star Restaurant Reservations – WordPress Booking Plugin | 5.3 | Medium | 2026-04-30
CVE-2026-6967 | Missing Delegated Metadata Validation in awslabs/tough — tough | 5.9 | Medium | 2026-04-24
CVE-2026-40323 | SP1 V6 Recursion Circuit Row-Count Binding Gap — sp1 | 7.1 (AI) | High (AI) | 2026-04-17
CVE-2026-35659 | OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery — OpenClaw | 4.6 | Medium | 2026-04-10
CVE-2026-39366 | WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php — AVideo | 6.5 | Medium | 2026-04-07
CVE-2026-3177 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook — Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | 5.3 | Medium | 2026-04-07
CVE-2026-35042 | fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation) — fast-jwt | 7.5 | High | 2026-04-06
CVE-2026-35039 | fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) — fast-jwt | 9.1 | Critical | 2026-04-06
CVE-2026-34061 | nimiq/core-rs-albatross: Macro block proposal interlink bug — core-rs-albatross | 4.9 | Medium | 2026-04-03
CVE-2026-33221 | Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload — nhost | 9.1 | - | 2026-03-20
CVE-2026-33243 | barebox: FIT Signature Verification Bypass Vulnerability — barebox | 8.3 | High | 2026-03-20
CVE-2026-33143 | OneUptime: WhatsApp Webhook Missing Signature Verification — oneuptime | 5.3 | - | 2026-03-20
CVE-2026-32029 | OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing — OpenClaw | 5.3 | Medium | 2026-03-19
CVE-2026-28500 | ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack — onnx | 8.6 | High | 2026-03-18
CVE-2026-32294 | JetKVM insufficient firmware verification — JetKVM | 4.7 | Medium | 2026-03-17
CVE-2026-32290 | GL-iNet Comet (GL-RM1) KVM insufficient firmware verification — Comet KVM | 4.7 | Medium | 2026-03-17
CVE-2026-32597 | PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation) — pyjwt | 7.5 | High | 2026-03-12
CVE-2026-23656 | Windows App Installer Spoofing Vulnerability — Windows App Client for Windows Desktop | 5.9 | Medium | 2026-03-10
CVE-2026-30920 | OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding — oneuptime | 8.6 | High | 2026-03-09
CVE-2026-28454 | OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook — OpenClaw | 7.5 | High | 2026-03-05
CVE-2026-25921 | Gogs: Cross-repository LFS object overwrite via missing content hash verification — gogs | 9.3 | Critical | 2026-03-05
CVE-2026-30798 | RustDesk Client Accepts Unauthenticated stop-service Command via Strategy Payload — RustDesk Client | 9.8 | - | 2026-03-05
CVE-2026-2428 | Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification — Fluent Forms Pro Add On Pack | 7.5 | High | 2026-02-27

Vulnerabilities classified as CWE-345 (Insufficient Verification of Data Authenticity) represent 226 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.