
CWE-348 (Use of Less Trusted Source) — Vulnerability Class 42

42 vulnerabilities classified as CWE-348 (Use of Less Trusted Source). AI-generated Chinese analysis included.

CWE-348 is a trust-boundary weakness: the product has the same piece of information available from two sources and reads it from the one that is easier for an attacker to control, less authenticated, or harder to verify. The recurring instance on this page is the client address. A web server already knows the TCP peer address (REMOTE_ADDR, taken from the socket), but the application instead reads a client-supplied header such as X-Forwarded-For, which any sender can set to an arbitrary value. Because that value then feeds an IP allowlist, a rate limiter, an audit log, or an "is this request local?" check, the attacker bypasses the protection mechanism or assumes another party's identity without touching the protected code path itself; the same pattern appears with Origin, Host and X-Forwarded-Proto, and with protocol fields that a peer asserts about itself. The mitigation is not generic input validation but choosing the right source: use the server-derived or authenticated value, and consult the weaker source only when a specific, verified intermediary (a known reverse proxy) vouches for it, in which case only the hop that intermediary appended is trusted.

MITRE CWE Description
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Common Consequences (1)
Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity
An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data.
Examples (1)
This code attempts to limit access to a page to certain IP addresses. It checks the 'HTTP_X_FORWARDED_FOR' header in case an authorized user is sending the request through a proxy. (The page's original listing was missing the closing brace before `else`; it is restored here, and `$ipAllowlist` is assumed to be defined earlier in the script.)

Bad · PHP

    $requestingIP = '0.0.0.0';
    if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
        // Any client can set this header to any value, and it is preferred
        // over REMOTE_ADDR, which the server derived from the connection itself.
        $requestingIP = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $requestingIP = $_SERVER['REMOTE_ADDR'];
    }
    if (in_array($requestingIP, $ipAllowlist)) {
        generatePage();
        return;
    } else {
        echo "You are not authorized to view this page";
        return;
    }

Good · PHP

    $requestingIP = '0.0.0.0';
    if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
        // Refuse to make an access decision on a client-controlled address.
        echo "This application cannot be accessed through a proxy.";
        return;
    } else {
        $requestingIP = $_SERVER['REMOTE_ADDR'];
    }
    ...

Note that the corrected example side-steps the problem by refusing any request that carries the header. Behind a legitimate reverse proxy REMOTE_ADDR is always the proxy's own address, so in that deployment the allowlist has to be enforced at the proxy, or the header accepted only when REMOTE_ADDR is the proxy and only for the hop the proxy appended.
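The following is an added example, not MITRE's code or any listed vendor's: it implements the "trust the header only when a known proxy vouches for it" rule that the MITRE "Good" example avoids by rejecting proxies outright, and it goes a step further than the page by handling a chain of several proxies and a malformed chain. It is written in Python rather than PHP because the rule is the same in any web stack; the proxy ranges, allowlist and sample requests are constructed for illustration. The vulnerable resolver mirrors the "Bad" PHP listing (believe the first X-Forwarded-For hop); the hardened one starts from REMOTE_ADDR and walks the header right to left, stopping at the first hop that one of our own proxies did not append.

```python
import ipaddress
from typing import Optional

# Constructed for this example: the reverse proxies this deployment operates.
# Only a hop appended by one of these may be believed.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.5/32"),
]
# Constructed allowlist for the protected page (the PHP example's $ipAllowlist).
IP_ALLOWLIST = {ipaddress.ip_address("198.51.100.10")}


def _parse(addr: str):
    """Return an ip_address, or None for anything that is not a literal address."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr, proxies=TRUSTED_PROXIES) -> bool:
    return any(addr in net for net in proxies)


def client_ip_vulnerable(remote_addr: str, xff: Optional[str]):
    """CWE-348: prefers the header whenever present, no matter who set it
    (first hop of X-Forwarded-For, as in the 'Bad' PHP listing)."""
    if xff:
        return _parse(xff.split(",")[0])
    return _parse(remote_addr)


def client_ip_hardened(remote_addr: str, xff: Optional[str], proxies=TRUSTED_PROXIES):
    """Prefer the better-supported source. REMOTE_ADDR is what the kernel saw;
    X-Forwarded-For is believed hop by hop, right to left, only while the
    party that appended each hop is one of our proxies. The first hop that is
    not ours is the client; everything to its left was written by strangers."""
    peer = _parse(remote_addr)
    if peer is None or not is_trusted_proxy(peer, proxies):
        return peer  # direct connection: the header is attacker-controlled, ignore it
    hops = [h for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            return None  # our own proxy forwarded garbage: fail closed
        if not is_trusted_proxy(addr, proxies):
            return addr
    return peer  # no client hop at all: treat the request as the proxy's own


def authorized(remote_addr: str, xff: Optional[str], resolver=client_ip_hardened) -> bool:
    ip = resolver(remote_addr, xff)
    return ip is not None and ip in IP_ALLOWLIST


# Constructed requests: (description, REMOTE_ADDR, X-Forwarded-For)
REQUESTS = [
    ("spoof from the internet, no proxy", "192.0.2.77", "198.51.100.10"),
    ("allowlisted client via our proxy", "10.0.0.4", "198.51.100.10"),
    ("attacker via our proxy, fake hop prepended", "10.0.0.4", "198.51.100.10, 192.0.2.77"),
    ("allowlisted client via two of our proxies", "10.0.0.4", "198.51.100.10, 203.0.113.5"),
    ("our proxy forwarded a malformed chain", "10.0.0.4", "198.51.100.10, not-an-ip"),
]


def compare() -> dict:
    """Access decision per request: {description: (vulnerable, hardened)}."""
    return {
        desc: (authorized(ra, xff, client_ip_vulnerable), authorized(ra, xff))
        for desc, ra, xff in REQUESTS
    }


if __name__ == "__main__":
    for desc, (bad, good) in compare().items():
        print(f"{desc:45s} vulnerable={str(bad):5s} hardened={good}")
```

The vulnerable resolver grants access in all five cases because the allowlisted address appears first in every header; the hardened one grants it only when a proxy we operate is the TCP peer and the first non-proxy hop, read from the right, is the allowlisted client. The "restrictive trust function" wording in the Fastify entry below is the same idea applied to X-Forwarded-Proto and Host: the header is consulted only for connections from configured proxies.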
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-40226 | systemd security vulnerability | systemd | 6.4 | Medium | 2026-04-10
CVE-2026-35391 | Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery | webmail | 9.1 (AI) | Critical (AI) | 2026-04-06
CVE-2026-35507 | shynet security vulnerability | Shynet | 6.4 | Medium | 2026-04-03
CVE-2026-26927 | URL (HTTP Origin) call location spoofing in Szafir SDK Web | Szafir SDK Web | 8.1 (AI) | High (AI) | 2026-04-02
CVE-2026-33690 | AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr() | AVideo | 5.3 | Medium | 2026-03-23
CVE-2026-3635 | Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function | fastify | 6.1 | Medium | 2026-03-23
CVE-2025-69240 | Header Poisoning in Raytha CMS | Raytha | 8.8 | - | 2026-03-16
CVE-2026-22201 | wpDiscuz before 7.6.47 - IP Address Spoofing in getIP() | wpDiscuz | 5.3 | Medium | 2026-03-13
CVE-2025-55292 | In Meshtastic, an attacker can spoof licensed amateur flag for a node | firmware | 8.2 | High | 2026-01-27
CVE-2026-24910 | Bun security vulnerability | Bun | 5.9 | Medium | 2026-01-27
CVE-2025-13694 | AA Block country <= 1.0.1 - Unauthenticated IP Address Spoofing via X-Forwarded-For Header | AA Block country | 5.3 | Medium | 2026-01-07
CVE-2025-15154 | PbootCMS Header handle.php get_user_ip less trusted source | PbootCMS | 5.3 | Medium | 2025-12-28
CVE-2025-32900 | KDE Connect security vulnerability | KDE Connect information-exchange protocol | 4.3 | Medium | 2025-12-05
CVE-2025-59951 | Termix' official Docker image contains an authentication bypass vulnerability | Termix | 9.1 (AI) | Critical (AI) | 2025-10-01
CVE-2025-58422 | RICOH Streamline NX security vulnerability | RICOH Streamline NX | 5.9 (AI) | Medium (AI) | 2025-09-08
CVE-2025-53522 | Movable Type security vulnerability | Movable Type (Software Edition) | 7.5 | - | 2025-08-20
CVE-2025-48825 | RICOH Streamline NX V3 PC Client security vulnerability | RICOH Streamline NX V3 PC Client | 7.5 (AI) | High (AI) | 2025-06-13
CVE-2025-47149 | Digital Arts i-FILTER security vulnerability | i-FILTER | 7.7 (AI) | High (AI) | 2025-05-23
CVE-2025-1245 | Bypass Connection Restriction Vulnerability in Hitachi Ops Center Analyzer | Hitachi Infrastructure Analytics Advisor | 6.5 | Medium | 2025-05-16
CVE-2025-47424 | Retool security vulnerability | Retool | 7.1 | High | 2025-05-09
CVE-2025-43918 | SSL.com security vulnerability | SSL.com | 6.4 | Medium | 2025-04-19
CVE-2025-24856 | TYPO3 security vulnerability | oidc | 4.2 | Medium | 2025-03-16
CVE-2025-27913 | Passbolt security vulnerability | API | 3.7 | - | 2025-03-10
CVE-2024-54840 | CyberArk Privileged Access Manager Self-Hosted security vulnerability | Privileged Access Manager | 4.2 | Medium | 2025-02-03
CVE-2024-10977 | PostgreSQL libpq retains an error message from man-in-the-middle | PostgreSQL | 3.1 | Low | 2024-11-14
CVE-2022-4534 | Limit Login Attempts (Spam Protection) <= 5.3 - IP Address Spoofing to Protection Mechanism Bypass | Limit Login Attempts (Spam Protection) | 5.3 | Medium | 2024-10-08
CVE-2022-4533 | Limit Login Attempts Plus <= 1.1.0 - IP Address Spoofing to Protection Mechanism Bypass | Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix | 5.3 | Medium | 2024-09-19
CVE-2022-4529 | Security, Antivirus, Firewall – S.A.F <= 2.3.5 - IP Address Spoofing to Protection Mechanism Bypass | Security, Antivirus, Firewall – S.A.F | 5.3 | Medium | 2024-09-05
CVE-2022-4539 | Web Application Firewall <= 2.1.2 - IP Address Spoofing to Protection Mechanism Bypass | Web Application Firewall – website security | 5.3 | Medium | 2024-08-31
CVE-2022-4536 | IP Vault – WP Firewall <= 1.1 - IP Address Spoofing to Protection Mechanism Bypass | Two-factor authentication (formerly IP Vault) | 5.3 | Medium | 2024-08-31

(AI) marks a CVSS score or severity that the listing flags as AI-assessed rather than vendor- or NVD-assigned; "-" means no severity was given.

Vulnerabilities classified as CWE-348 (Use of Less Trusted Source) represent 42 CVEs, of which 30 are listed above. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.