Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-346 (源验证错误) — Vulnerability Class 159

159 vulnerabilities classified as CWE-346 (源验证错误). AI Chinese analysis included.

CWE-346, Origin Validation Error, represents a critical weakness where software fails to adequately verify the authenticity or legitimacy of data sources and communication endpoints. Attackers typically exploit this vulnerability by spoofing trusted origins, such as forging HTTP headers or manipulating network packets to appear as if they originate from a legitimate internal system. This deception allows adversaries to bypass security controls, execute unauthorized actions, or inject malicious payloads that the application blindly trusts. To mitigate this risk, developers must implement robust validation mechanisms that strictly verify the source of incoming requests. This includes checking cryptographic signatures, validating domain names against a whitelist, and ensuring that sensitive operations are only performed when the origin is explicitly confirmed. By enforcing strict origin verification, organizations can prevent unauthorized access and maintain the integrity of their application logic against sophisticated spoofing attacks.

MITRE CWE Description
The product does not properly verify that the source of data or communication is valid.
Common Consequences (1)
Access Control, OtherGain Privileges or Assume Identity, Varies by Context
An attacker can access any functionality that is inadvertently accessible to the source.
Examples (2)
This Android application will remove a user account when it receives an intent to do so:
IntentFilter filter = new IntentFilter("com.example.RemoveUser"); MyReceiver receiver = new MyReceiver(); registerReceiver(receiver, filter); public class DeleteReceiver extends BroadcastReceiver { @Override public void onReceive(Context context, Intent intent) { int userID = intent.getIntExtra("userID"); destroyUserData(userID); } }
Bad · Java
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:
// Android @Override public boolean shouldOverrideUrlLoading(WebView view, String url){ if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){ if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){ writeDataToView(view, UserData); return false; } else{ return true; } } }
Bad · Java
// iOS -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType { NSURL *URL = [exRequest URL]; if ([[URL scheme] isEqualToString:@"exampleScheme"]) { NSString *functionString = [URL resourceSpecifier]; if ([functionString hasPrefix:@"specialFunction"]) { // Make data available back in webview. UIWebView *webView = [self writeDataToView:[URL query]]; } return NO; } return YES; }
Bad · Objective-C
CVE IDTitleCVSSSeverityPublished
CVE-2025-1787 Genetec Update Service 安全漏洞 — Genetec Update Service 4.4 -2026-02-24
CVE-2026-23552 Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy — Apache Camel 5.3AIMediumAI2026-02-23
CVE-2026-27579 CollabPlatform : CORS Misconfiguration Allows Arbitrary Origin With Credentials Leading to Authenticated Account Data Exposure — realtime-collaboration-platform 7.4 High2026-02-21
CVE-2026-27192 Feathers has an origin validation bypass via prefix matching — feathers 9.1AICriticalAI2026-02-21
CVE-2026-27118 Cache poisoning in @sveltejs/adapter-vercel — kit 5.4AIMediumAI2026-02-20
CVE-2026-2345 Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers — Secure Exam Proctor Extension 3.6 Low2026-02-11
CVE-2025-7659 Origin Validation Error in GitLab — GitLab 8.0 High2026-02-11
CVE-2026-1997 Certain HP OfficeJet Pro Printers - Information Disclosure — HP OfficeJet Pro 8730 All-in-One Printer 5.3AIMediumAI2026-02-10
CVE-2022-50975 Multiple Innomic VibroLine VLX and avibia AVLX allow unauthenticated access to device configuration — VibroLine VLX1 HD 5.0 8.8 High2026-02-02
CVE-2026-22694 AliasVault is Missing Origin Validation in Android Passkey Credential Provider — aliasvault 6.1 Medium2026-01-14
CVE-2022-50925 Prowise Reflect v1.0.9 - Remote Keystroke Injection — Prowise Reflect 9.8 Critical2026-01-13
CVE-2026-22794 Account Takeover Vulnerability in Appsmith — appsmith 9.7 Critical2026-01-12
CVE-2025-14279 DNS Rebinding Vulnerability in mlflow/mlflow — mlflow/mlflow 8.8AIHighAI2026-01-12
CVE-2026-22030 React Router has CSRF issue in Action/Server Action Request Processing — react-router 6.5 Medium2026-01-10
CVE-2025-69260 Trend Micro Apex Central 安全漏洞 — Trend Micro Apex Central 7.5 High2026-01-08
CVE-2025-69259 Trend Micro Apex Central 安全漏洞 — Trend Micro Apex Central 7.5 High2026-01-08
CVE-2026-20893 Fujitsu Security Solution AuthConductor Client Basic 访问控制错误漏洞 — Fujitsu Security Solution AuthConductor Client Basic V2 7.8 -2026-01-07
CVE-2025-69235 Naver Whale Browser 安全漏洞 — NAVER Whale browser 8.2 -2025-12-30
CVE-2025-61740 Johnson Controls IQ Panels2, 2+, IQHub, IQPanel 4, PowerG Origin Validation Error — IQ Panels2, 2+, IQHub, IQPanel 4, PowerG 9.1AICriticalAI2025-12-22
CVE-2025-34291 Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE — Langflow 8.8 -2025-12-05
CVE-2025-8074 Synology BeeDrive 访问控制错误漏洞 — BeeDrive for desktop 5.6 Medium2025-12-04
CVE-2024-32642 Host header poisoning allows account takeover via password reset email — MasaCMS 8.8 High2025-12-03
CVE-2025-37734 Kibana Origin Validation Error — Kibana 4.3 Medium2025-11-12
CVE-2024-14006 Nagios XI < 2024R1.2.2 Host Header Injection — XI 5.4AIMediumAI2025-10-30
CVE-2025-12245 chatwoot Widget IFrameHelper.js initPostMessageCommunication origin validation — chatwoot 5.3 Medium2025-10-27
CVE-2025-62250 Liferay Portal和Liferay DXP 访问控制错误漏洞 — Portal 9.8AICriticalAI2025-10-21
CVE-2025-62584 Naver Whale Browser 安全漏洞 — NAVER Whale browser 8.2AIHighAI2025-10-16
CVE-2025-9265 API Authentication Bypass via Header Spoofing vulnerability in Kiloview NDI N30 Products — NDI 7.5AIHighAI2025-10-13
CVE-2025-2140 IBM Engineering Requirements Management Doors Next spoofing — Engineering Requirements Management Doors Next 5.7 Medium2025-10-12
CVE-2025-59957 Junos OS: EX4600 Series and QFX5000 Series: An attacker with physical access can open a persistent backdoor — Junos OS 6.8 Medium2025-10-09

Vulnerabilities classified as CWE-346 (源验证错误) represent 159 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.