
CWE-346 (Origin Validation Error) - Vulnerability Class, 172 CVEs

172 vulnerabilities classified as CWE-346 (Origin Validation Error). AI Chinese analysis included.

CWE-346, Origin Validation Error, covers software that fails to verify the authenticity of a data source or communication endpoint before trusting it. Attackers exploit it by spoofing a trusted origin: forging HTTP headers such as Origin or Host, sending a broadcast or message that looks as if it came from a legitimate component, or manipulating network packets so they appear to originate from an internal system. The application then honours a request it should have rejected, which lets the attacker bypass access controls, act as another principal, or inject payloads that downstream code trusts blindly. Mitigation means establishing the origin explicitly before any sensitive operation: verify cryptographic signatures on the data or the channel, compare the caller's origin against an allowlist of complete origins (scheme, host and port) using exact matching rather than prefix, suffix or regex matching, treat the Host header as attacker-controlled, and refuse to proceed when the origin cannot be confirmed. Several entries in the list below are exactly those failure modes: prefix matching of origins, allowlists that collapse origins to bare hostnames, CORS that reflects an arbitrary origin with credentials, missing Host validation that enables DNS rebinding, and postMessage or WebSocket handlers that never check who is talking.
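The following is an added example written for this page, not code from MITRE or from any project in the CVE list. It shows an Origin allowlist matched exactly on the canonical origin, next to the prefix match that several entries below share, plus the Host-header check that blocks DNS rebinding. The allowlists, the port 8080 and the function names are constructed assumptions.

```javascript
// Added example (not from the CWE page or any listed project): exact-origin
// allowlisting versus prefix matching, and Host-header validation.
// ALLOWED_ORIGINS, ALLOWED_HOSTS and the function names are assumptions.

// Allowed origins are full scheme://host[:port] values, never bare hostnames.
const ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com:8443"];

// Hostnames this service answers for. Under DNS rebinding the victim's
// browser sends the attacker's hostname in Host, which is not in this set.
const ALLOWED_HOSTS = new Set(["localhost:8080", "127.0.0.1:8080"]);

// Reduce an Origin header value to a canonical scheme://host[:port], or null
// when it is absent, the opaque "null" origin, not http(s), or carries
// credentials, a path, a query or a fragment (a URL rather than an origin).
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let u;
  try {
    u = new URL(value);
  } catch {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (u.username || u.password || u.search || u.hash || u.pathname !== "/") return null;
  return u.origin; // WHATWG URL lower-cases the host and drops a default port
}

// Canonicalise the allowlist once, failing loudly on a malformed entry.
const ALLOWED_CANONICAL = ALLOWED_ORIGINS.map((o) => {
  const n = normalizeOrigin(o);
  if (n === null) throw new Error(`bad allowlist entry: ${o}`);
  return n;
});

// Vulnerable: "https://app.example.com.evil.net" and
// "https://app.example.com@evil.net" both start with an allowed origin.
function isAllowedOriginPrefix(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.some((o) => origin.startsWith(o));
}

// Hardened: canonicalise, then require an exact match against the allowlist.
function isAllowedOriginExact(origin) {
  const n = normalizeOrigin(origin);
  return n !== null && ALLOWED_CANONICAL.includes(n);
}

// Host header check: exact membership, case-folded, port included.
function isTrustedHost(hostHeader) {
  return typeof hostHeader === "string" && ALLOWED_HOSTS.has(hostHeader.toLowerCase());
}

// Decision for a CORS request or WebSocket upgrade: both headers must pass,
// and a missing Origin is rejected rather than treated as same-origin.
function vetCrossOriginRequest(headers) {
  if (!isTrustedHost(headers.host)) return { ok: false, reason: "untrusted Host header" };
  if (!isAllowedOriginExact(headers.origin)) return { ok: false, reason: "origin not allowlisted" };
  return { ok: true, reason: "" };
}
```

When the check passes, emit the canonical value from the allowlist in Access-Control-Allow-Origin rather than echoing the raw header, and keep scheme and port in the allowlist entries: an allowlist reduced to hostnames cannot distinguish http from https or one port from another, which is the collapse described in the webauthn-framework entry below.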

MITRE CWE Description
The product does not properly verify that the source of data or communication is valid.

Common Consequences (1)
Scope: Access Control, Other
Impact: Gain Privileges or Assume Identity; Varies by Context
Note: An attacker can access any functionality that is inadvertently accessible to the source.
Examples (2)
Both MITRE examples share the same flaw: a privileged action is taken on receipt of a message without checking who sent it.

This Android application will remove a user account when it receives an intent to do so. Nothing restricts who may send the "com.example.RemoveUser" broadcast, so any app on the device can trigger the deletion:

    IntentFilter filter = new IntentFilter("com.example.RemoveUser");
    DeleteReceiver receiver = new DeleteReceiver();
    registerReceiver(receiver, filter);

    public class DeleteReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            // The sender of the intent is never verified: no permission is
            // required to broadcast it and the caller is not identified.
            int userID = intent.getIntExtra("userID", -1);
            destroyUserData(userID);
        }
    }

Bad · Java

These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the JavaScript within the WebView to communicate with the application. Neither checks which page issued the request, so any content that ends up in the WebView, including attacker-controlled pages, can call the bridge:

    // Android
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Only the URL itself is inspected; the origin of the page that
        // navigated to it is never checked.
        if (url.substring(0, 14).equalsIgnoreCase("examplescheme:")) {
            if (url.substring(14, 25).equalsIgnoreCase("getUserInfo")) {
                writeDataToView(view, UserData);
                return false;
            } else {
                return true;
            }
        }
        return false; // other URLs load normally
    }

Bad · Java

    // iOS
    - (BOOL)webView:(UIWebView *)exWebView
        shouldStartLoadWithRequest:(NSURLRequest *)exRequest
                    navigationType:(UIWebViewNavigationType)exNavigationType {
        NSURL *URL = [exRequest URL];
        // Same problem: the scheme is matched, the requesting page is not.
        if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
            NSString *functionString = [URL resourceSpecifier];
            if ([functionString hasPrefix:@"specialFunction"]) {
                // Make data available back in webview.
                UIWebView *webView = [self writeDataToView:[URL query]];
            }
            return NO;
        }
        return YES;
    }

Bad · Objective-C
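The browser-side analogue of the WebView bridges above, as an added example that is not from MITRE or from this page: a window exposes a privileged "getUserInfo" call over postMessage. The vulnerable handler answers whoever asks and replies to "*"; the hardened handler verifies event.origin by exact set membership and checks the message shape before acting, then replies only to the origin it verified. TRUSTED_ORIGINS, USER_DATA, the message format and the helper names are constructed assumptions; the sender window is simulated so the code runs outside a browser.

```javascript
// Added example (not MITRE's or the page's code): postMessage bridge that
// verifies its caller, beside the version that does not.
// TRUSTED_ORIGINS, USER_DATA and the message format are assumptions.

const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);
const USER_DATA = { id: 42, email: "user@example.com" }; // constructed record

// Vulnerable: any window holding a reference to this one (an opener, a
// parent frame, an embedded iframe) receives the data, and the reply goes
// to "*" so even a mid-flight navigation of the sender can capture it.
function handleMessageVulnerable(event) {
  if (event.data && event.data.fn === "getUserInfo") {
    event.source.postMessage({ user: USER_DATA }, "*");
    return true;
  }
  return false;
}

// Hardened: verify the source before any privileged action.
function handleMessageHardened(event) {
  // Exact set membership, no startsWith or regex. The opaque "null" origin
  // (sandboxed frame, file:// page) and undefined are never in the set.
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  // Insist on the expected message shape; a bare string is not a call.
  if (!event.data || typeof event.data !== "object") return false;
  if (event.data.fn !== "getUserInfo") return false;
  // Reply only to the origin just verified, never "*".
  event.source.postMessage({ user: USER_DATA }, event.origin);
  return true;
}

// Stand-in for a sender window, recording what it was sent.
function makeSender() {
  const inbox = [];
  return {
    inbox,
    postMessage(msg, targetOrigin) {
      inbox.push({ msg, targetOrigin });
    },
  };
}

// Deliver one constructed MessageEvent-like object to a handler and report
// whether it acted and what, if anything, it sent back.
function simulate(handler, origin, data) {
  const source = makeSender();
  const acted = handler({ origin, data, source });
  return { acted, replies: source.inbox };
}
```

The same three checks apply to the WebView case: identify the page (the WebView's current URL or the bridge's calling origin) before honouring a scheme-based call, validate the call's shape, and hand data back only to the page that was verified.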
The 30 entries shown below are ordered by publication date, newest first. "(AI)" reproduces the page's AI badge on that score or severity; "-" means no severity was given.

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-34359 | HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core | org.hl7.fhir.core | 7.4 | High | 2026-03-31
CVE-2026-34373 | Parse Server: GraphQL API endpoint ignores CORS origin restriction | parse-server | 8.2 (AI) | High (AI) | 2026-03-31
CVE-2026-21790 | HCL Traveler is susceptible to a weak default HTTP header validation vulnerability | Traveler | 6.3 | Medium | 2026-03-24
CVE-2026-32317 | Cryptomator for Android: Tampered vault configuration allows MITM attack on Hub API | android | 7.6 | High | 2026-03-20
CVE-2026-32318 | Cryptomator for IOS: Tampered vault configuration allows MITM attack on Hub API | ios | 7.6 | High | 2026-03-20
CVE-2026-32303 | Cryptomator: Tampered vault configuration allows MITM attack on Hub API | cryptomator | 7.6 | High | 2026-03-20
CVE-2026-32634 | Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers | glances | 8.1 | High | 2026-03-18
CVE-2026-32632 | Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding | glances | 5.9 | Medium | 2026-03-18
CVE-2026-2457 | WebSocket Message Spoofing via Permalink Embed Manipulation | Mattermost | 4.3 | Medium | 2026-03-16
CVE-2026-32302 | OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode | openclaw | 8.1 | High | 2026-03-12
CVE-2026-30964 | Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation | webauthn-framework | 5.4 | Medium | 2026-03-10
CVE-2026-25604 | Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass | Apache Airflow Providers Amazon | 9.8 (AI) | Critical (AI) | 2026-03-09
CVE-2026-28403 | Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability | textream | 7.6 | High | 2026-03-02
CVE-2025-1787 | Genetec Update Service security vulnerability | Genetec Update Service | 4.4 | - | 2026-02-24
CVE-2026-23552 | Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy | Apache Camel | 5.3 (AI) | Medium (AI) | 2026-02-23
CVE-2026-27579 | CollabPlatform: CORS Misconfiguration Allows Arbitrary Origin With Credentials Leading to Authenticated Account Data Exposure | realtime-collaboration-platform | 7.4 | High | 2026-02-21
CVE-2026-27192 | Feathers has an origin validation bypass via prefix matching | feathers | 9.1 (AI) | Critical (AI) | 2026-02-21
CVE-2026-27118 | Cache poisoning in @sveltejs/adapter-vercel | kit | 5.4 (AI) | Medium (AI) | 2026-02-20
CVE-2026-2345 | Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers | Secure Exam Proctor Extension | 3.6 | Low | 2026-02-11
CVE-2025-7659 | Origin Validation Error in GitLab | GitLab | 8.0 | High | 2026-02-11
CVE-2026-1997 | Certain HP OfficeJet Pro Printers - Information Disclosure | HP OfficeJet Pro 8730 All-in-One Printer | 5.3 (AI) | Medium (AI) | 2026-02-10
CVE-2022-50975 | Multiple Innomic VibroLine VLX and avibia AVLX allow unauthenticated access to device configuration | VibroLine VLX1 HD 5.0 | 8.8 | High | 2026-02-02
CVE-2026-22694 | AliasVault is Missing Origin Validation in Android Passkey Credential Provider | aliasvault | 6.1 | Medium | 2026-01-14
CVE-2022-50925 | Prowise Reflect v1.0.9 - Remote Keystroke Injection | Prowise Reflect | 9.8 | Critical | 2026-01-13
CVE-2026-22794 | Account Takeover Vulnerability in Appsmith | appsmith | 9.7 | Critical | 2026-01-12
CVE-2025-14279 | DNS Rebinding Vulnerability in mlflow/mlflow | mlflow/mlflow | 8.8 (AI) | High (AI) | 2026-01-12
CVE-2026-22030 | React Router has CSRF issue in Action/Server Action Request Processing | react-router | 6.5 | Medium | 2026-01-10
CVE-2025-69260 | Trend Micro Apex Central security vulnerability | Trend Micro Apex Central | 7.5 | High | 2026-01-08
CVE-2025-69259 | Trend Micro Apex Central security vulnerability | Trend Micro Apex Central | 7.5 | High | 2026-01-08
CVE-2026-20893 | Fujitsu Security Solution AuthConductor Client Basic access control error vulnerability | Fujitsu Security Solution AuthConductor Client Basic V2 | 7.8 | - | 2026-01-07

Vulnerabilities classified as CWE-346 (Origin Validation Error) number 172 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.