CWE-346 (Origin Validation Error) — Vulnerability Class 159

159 vulnerabilities classified as CWE-346 (Origin Validation Error). AI Chinese analysis included.

CWE-346, Origin Validation Error, represents a critical weakness where software fails to adequately verify the authenticity or legitimacy of data sources and communication endpoints. Attackers typically exploit this vulnerability by spoofing trusted origins, such as forging HTTP headers or manipulating network packets to appear as if they originate from a legitimate internal system. This deception allows adversaries to bypass security controls, execute unauthorized actions, or inject malicious payloads that the application blindly trusts. To mitigate this risk, developers must implement robust validation mechanisms that strictly verify the source of incoming requests. This includes checking cryptographic signatures, validating domain names against a whitelist, and ensuring that sensitive operations are only performed when the origin is explicitly confirmed. By enforcing strict origin verification, organizations can prevent unauthorized access and maintain the integrity of their application logic against sophisticated spoofing attacks.
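The allow-list verification the paragraph above calls for, as an added example that is not code from this page or from MITRE: a loose prefix match of the kind behind many CORS findings beside a strict exact-origin check, plus a Host header check against DNS rebinding, both themes that recur in the CVE list below. All origin names and hostnames are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of exact origins (scheme://host[:port]); hypothetical names.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
# Constructed set of Host header values this service answers for (hypothetical).
EXPECTED_HOSTS = {"app.example.com", "localhost:8080", "127.0.0.1:8080"}


def loose_origin_ok(origin: str) -> bool:
    """Prefix match, the pattern behind many CORS findings: it accepts any
    origin that merely begins with an allowed one, such as a lookalike domain."""
    return any(origin.startswith(allowed) for allowed in ALLOWED_ORIGINS)


def strict_origin_ok(origin: Optional[str]) -> bool:
    """Exact match on a normalised origin. Absent or 'null' origins, non-HTTPS
    schemes, path/query/fragment components and malformed ports are rejected."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    normalised = f"https://{parts.hostname}"  # .hostname is already lower-cased
    if port is not None and port != 443:  # 443 is implicit for https
        normalised += f":{port}"
    return normalised in ALLOWED_ORIGINS


def host_header_ok(host: Optional[str]) -> bool:
    """DNS-rebinding defence: a rebinding page reaches 127.0.0.1 over TCP but
    still sends the attacker's name in Host, so match Host against an exact list."""
    return bool(host) and host.strip().lower() in EXPECTED_HOSTS


def cors_response_headers(origin: Optional[str]) -> dict:
    """Reflect Origin only after the strict check passes; without an
    Access-Control-Allow-Origin header the browser withholds the response."""
    if not strict_origin_ok(origin):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}
```

Note that the loose check accepts `https://app.example.com.evil.net` while the strict check does not; the strict check also refuses to ever emit `*` together with credentials.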

MITRE CWE Description
The product does not properly verify that the source of data or communication is valid.
Common Consequences (1)
Scope: Access Control, Other
Impact: Gain Privileges or Assume Identity; Varies by Context
Note: An attacker can access any functionality that is inadvertently accessible to the source.
Examples (2)
This Android application will remove a user account when it receives an intent to do so:

```java
// The receiver is registered without requiring any permission, so any
// application on the device can broadcast "com.example.RemoveUser".
IntentFilter filter = new IntentFilter("com.example.RemoveUser");
DeleteReceiver receiver = new DeleteReceiver();
registerReceiver(receiver, filter);

public class DeleteReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // The sender of the intent is never verified before acting on it.
        int userID = intent.getIntExtra("userID", -1);
        destroyUserData(userID);
    }
}
```

Bad · Java

These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the JavaScript within the WebView to communicate with the application:

```java
// Android
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
    // Only the URL scheme is inspected; the origin of the page that issued
    // the load is never checked, so any content rendered in the WebView
    // can trigger the privileged action.
    if (url.toLowerCase().startsWith("examplescheme:")) {
        if (url.toLowerCase().startsWith("getuserinfo", 14)) {
            writeDataToView(view, UserData);
            return false;
        } else {
            return true;
        }
    }
    return false; // let the WebView load ordinary URLs
}
```

Bad · Java

```objc
// iOS
- (BOOL)webView:(UIWebView *)exWebView
    shouldStartLoadWithRequest:(NSURLRequest *)exRequest
    navigationType:(UIWebViewNavigationType)exNavigationType {
    NSURL *URL = [exRequest URL];
    // The custom scheme alone selects the privileged path; the origin of the
    // page requesting the load is never validated.
    if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
        NSString *functionString = [URL resourceSpecifier];
        if ([functionString hasPrefix:@"specialFunction"]) {
            // Make data available back in the webview.
            UIWebView *webView = [self writeDataToView:[URL query]];
        }
        return NO;
    }
    return YES;
}
```

Bad · Objective-C
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-42706 | CrowdStrike Falcon Sensor for Windows Logic Error | Falcon sensor for Windows | 6.5 | Medium | 2025-10-08 |
| CVE-2025-59159 | SillyTavern Web Interface Vulnerable to DNS Rebinding | SillyTavern | 9.7 | Critical | 2025-10-06 |
| CVE-2025-59845 | Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass | embeddable-explorer | 8.2 | High | 2025-09-26 |
| CVE-2025-20364 | Cisco Wireless LAN Controller security vulnerability | Cisco Aironet Access Point Software (IOS XE Controller) | 4.3 | Medium | 2025-09-24 |
| CVE-2025-10193 | Neo4j Cypher MCP server is vulnerable to DNS rebinding attacks | neo4j-cypher MCP server | 9.3 (AI) | Critical (AI) | 2025-09-11 |
| CVE-2024-13068 | Host Header Injection in Akinsoft's LimonDesk | LimonDesk | 7.3 | High | 2025-09-03 |
| CVE-2024-12973 | Host Header Injection in Akinsoft's OctoCloud | OctoCloud | 4.7 | Medium | 2025-09-02 |
| CVE-2025-52621 | HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning | BigFix SaaS Remediate | 5.3 | Medium | 2025-08-15 |
| CVE-2025-53399 | rtpengine access control error vulnerability | rtpengine | 4.8 | - | 2025-08-01 |
| CVE-2025-7365 | Keycloak: phishing attack via email verification step in first login flow | - | 7.1 | High | 2025-07-10 |
| CVE-2025-53600 | Naver Whale Browser security vulnerability | NAVER Whale browser | 8.2 | - | 2025-07-04 |
| CVE-2025-5824 | Autel MaxiCharger AC Wallbox Commercial Origin Validation Error Authentication Bypass Vulnerability | Autel MaxiCharger AC Wallbox Commercial | 8.8 (AI) | High (AI) | 2025-06-25 |
| CVE-2025-42998 | Security misconfiguration vulnerability in SAP Business One Integration Framework | SAP Business One Integration Framework | 5.3 | Medium | 2025-06-10 |
| CVE-2024-31127 | MacOS Zscaler Client Connector Local Privilege Escalation | Client Connector | 7.3 | High | 2025-06-04 |
| CVE-2025-30360 | webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser | webpack-dev-server | 6.5 | Medium | 2025-06-03 |
| CVE-2025-5320 | gradio-app gradio CORS is_valid_origin privilege escalation | gradio | 3.7 | Low | 2025-05-29 |
| CVE-2025-46737 | Origin Validation Error | SEL-5037 Grid Configurator | 7.4 | High | 2025-05-12 |
| CVE-2025-3462 | ASUS DriverHub security vulnerability | DriverHub | 10.0 (AI) | Critical (AI) | 2025-05-09 |
| CVE-2025-43929 | kitty security vulnerability | kitty | 4.1 | Medium | 2025-04-20 |
| CVE-2025-3651 | Command Injection in iManage Work Desktop for Mac's Agent Service | Work Desktop for Mac | 8.4 (AI) | High (AI) | 2025-04-17 |
| CVE-2024-45354 | xiaomi shop application Webview has code execution vulnerability | Xiaomi shop application | 4.3 | Medium | 2025-03-27 |
| CVE-2024-45353 | quick App has intent redirection vulnerability | quick app framework | 4.3 | Medium | 2025-03-27 |
| CVE-2024-45352 | Xiaomi smarthome application Webview has code execution vulnerability | Xiaomi smarthome application | 8.8 | High | 2025-03-27 |
| CVE-2024-10956 | Cross-Site WebSocket Hijacking in binary-husky/gpt_academic | binary-husky/gpt_academic | 6.1 | - | 2025-03-20 |
| CVE-2024-8487 | CORS Vulnerability in modelscope/agentscope | modelscope/agentscope | 9.1 | - | 2025-03-20 |
| CVE-2024-8183 | CORS Misconfiguration in prefecthq/prefect | prefecthq/prefect | 9.1 | - | 2025-03-20 |
| CVE-2024-11602 | CORS Vulnerability in feast-dev/feast | feast-dev/feast | 7.5 | - | 2025-03-20 |
| CVE-2024-6844 | Inconsistent CORS Matching Due to Handling of '+' in URL Path in corydolphin/flask-cors | corydolphin/flask-cors | 6.5 | - | 2025-03-20 |
| CVE-2024-8024 | CORS Misconfiguration in netease-youdao/qanything | netease-youdao/qanything | 7.5 | - | 2025-03-20 |
| CVE-2024-7819 | CORS Misconfiguration in danswer-ai/danswer | danswer-ai/danswer | 6.5 | - | 2025-03-20 |

"(AI)" reproduces the page's AI badge next to that score or severity; "-" means the page gives no value.

Vulnerabilities classified as CWE-346 (Origin Validation Error) represent 159 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.