CWE-346: CWE-346
All CWE-346 CVEs (100)
This CVE describes a same-origin policy bypass vulnerability in Firefox's JAR (Java Archive) networking component. It allows malicious websites to acc...
Feb 24, 2026

CVE-2022-50925 is a remote keystroke injection vulnerability in Prowise Reflect version 1.0.9 that allows attackers to send keyboard events through an...
Jan 13, 2026

This vulnerability allows malicious websites to bypass the Same Origin Policy in Apple's Safari browser and related WebKit-based browsers. This could ...
May 29, 2025

This CVE describes a Cross-Origin Resource Sharing (CORS) misconfiguration in modelscope/agentscope v0.0.4 that allows any external domain to make req...
Mar 20, 2025

This vulnerability allows a compromised content process in Firefox or Thunderbird to load cross-origin web pages arbitrarily, bypassing Same-Origin Po...
Oct 1, 2024

CVE-2021-47157 is a JSON hijacking vulnerability in the Kossy Perl module that allows attackers to bypass CSRF protections through X-Requested-With he...
Mar 18, 2024

This vulnerability allows unauthenticated attackers to execute arbitrary code on Interlink PSG-5124 switches via crafted GET requests due to improper ...
Jun 22, 2023

This vulnerability in Siglent SDS oscilloscopes allows attackers to retrieve the web interface password through the insecure SCPI interface. It affect...
Jun 16, 2023

This vulnerability allows attackers to bypass access controls in BESDER IP camera administrative functions, enabling execution of arbitrary administra...
Jun 8, 2023

This CVE describes a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability in Damstra Smart Asset 2020.7 that allows arbitrary origins t...
Oct 2, 2020

SillyTavern versions before 1.13.4 are vulnerable to DNS rebinding attacks, allowing attackers to bypass same-origin policy and perform malicious acti...
Oct 6, 2025

This vulnerability allows attackers to bypass origin restrictions by manipulating the Host header in HTTP requests to cashIT! devices. It affects cash...
Oct 3, 2023

This vulnerability in Misskey allows attackers to forge ActivityPub objects by manipulating the relationship between 'id' and 'url' fields, bypassing ...
Mar 10, 2025

The CVE-2026-23552 vulnerability allows attackers to bypass tenant isolation in Apache Camel Keycloak component by using JWT tokens from unauthorized ...
Feb 23, 2026

A CORS misconfiguration in Dify v1.9.1 allows arbitrary external domains to make authenticated requests to the /console/api/setup endpoint. This enabl...
Dec 18, 2025

This CVE describes a CORS misconfiguration in Dify v1.9.1 that allows any external domain to make authenticated cross-origin requests to the /console/...
Dec 18, 2025

CVE-2021-44935 is an arbitrary user impersonation vulnerability in glFusion CMS that allows remote attackers to take over any user account without aut...
Dec 14, 2021

IBM Spectrum Protect Plus versions 10.1.0.0 through 10.1.8.x have a CORS misconfiguration that allows attackers to perform privileged actions and acce...
Dec 13, 2021

This CVE describes a Cross-Origin Resource Sharing (CORS) vulnerability in http4s, a Scala HTTP library. It allows attackers to perform origin reflect...
Sep 1, 2021

Apache Maven follows repository references defined in dependency POM files, allowing malicious actors to redirect builds to compromised repositories. ...
Apr 23, 2021

This vulnerability allows an unauthenticated remote attacker to hijack existing user sessions and gain full administrative access to affected devices....
Feb 2, 2026

This vulnerability in Langflow allows attackers to hijack user sessions through a CORS misconfiguration, leading to account takeover and remote code e...
Dec 5, 2025

Masa CMS versions before 7.2.8, 7.3.13, and 7.4.6 are vulnerable to host header poisoning, which allows attackers to hijack password reset emails and ...
Dec 3, 2025

This critical vulnerability in Xiaomi smarthome applications allows remote attackers to execute arbitrary code by exploiting improper input validation...
Mar 27, 2025

This vulnerability in South River Technologies TitanFTP allows attackers with low-level user privileges to perform administrative actions by sending c...
Jun 2, 2023

SICAM GridEdge (Classic) versions before V2.6.6 lack proper CORS restrictions, allowing attackers to trick authenticated users into executing maliciou...
Jun 14, 2022

This vulnerability allows attackers to force the Clash for Windows client to open malicious SMB shares via crafted URLs, triggering NTLM authenticatio...
Mar 21, 2022

This CVE describes a macOS sandbox escape vulnerability that allows malicious applications to break out of their security confinement. Affected users ...
May 8, 2023

This is a remote code execution vulnerability in Microsoft SharePoint that allows attackers to run arbitrary code by uploading specially crafted appli...
Oct 16, 2020

This CVE describes a cross-site websocket hijacking vulnerability in MeshCentral's control.ashx endpoint, which handles administrative actions. Attack...
Feb 20, 2024

CVE-2023-30856 is a cross-site WebSocket hijacking vulnerability in eDEX-UI terminal emulator versions 2.2.8 and earlier. When users run eDEX-UI while...
Apr 28, 2023

This CSRF vulnerability in Apollo Studio's embeddable components allows malicious websites to send forged messages that execute arbitrary GraphQL quer...
Sep 26, 2025

This vulnerability allows attackers to poison the anonymous cache in Discourse by crafting requests with specific headers, potentially causing visitor...
Feb 4, 2025

This vulnerability allows attackers to poison the anonymous cache in Discourse through crafted XHR requests, potentially serving incomplete or manipul...
Feb 4, 2025

FeathersJS versions 5.0.39 and below have an origin validation vulnerability where the getAllowedOrigin() function uses startsWith() for comparison, a...
Feb 21, 2026

MLFlow versions up to 3.4.0 are vulnerable to DNS rebinding attacks due to missing Origin header validation in the REST server. This allows malicious ...
Jan 12, 2026

Shopizer 3.2.7 has a CORS misconfiguration that reflects client-supplied Origin headers without validation while allowing credentials. This allows mal...
Aug 22, 2025

A CORS misconfiguration in the stitionai/devika repository allows attackers to steal sensitive information like logs, browser sessions, and settings c...
Jul 9, 2024

CVE-2021-27197 is an arbitrary file write vulnerability in Pelco Digital Sentry Server's DSUtility.dll component. It allows remote attackers to overwr...
Feb 12, 2021

This vulnerability in GitLab allows unauthenticated attackers to bypass validation in the Web IDE feature, potentially stealing authentication tokens ...
Feb 11, 2026

pgAdmin versions up to 9.7 have a Cross-Origin Opener Policy vulnerability that allows attackers to manipulate OAuth authentication flows. This could ...
Sep 4, 2025

An origin validation error in Fujitsu Security Solution AuthConductor Client Basic V2 allows attackers with local Windows login access to execute arbi...
Jan 7, 2026

A local privilege escalation vulnerability in Trend Micro Apex One allows attackers with initial low-privileged access to gain elevated system privile...
Dec 31, 2024

This CVE describes an origin validation vulnerability in Trend Micro Apex One security agent that allows local attackers to escalate privileges on aff...
Jun 10, 2024

This CVE describes an origin validation vulnerability in Trend Micro Apex One security agent that allows a local attacker with low-privileged code exe...
Jan 23, 2024

This CVE describes an origin validation vulnerability in Trend Micro Apex One security agent that allows a local attacker to escalate privileges on af...
Jan 23, 2024

This CVE describes a local privilege escalation vulnerability in Trend Micro Apex One security agent where an attacker with low-privileged access can ...
Jan 23, 2024

This CVE describes an origin validation vulnerability in Trend Micro Apex One security agent that allows local attackers to escalate privileges on aff...
Jan 23, 2024

This CVE describes an origin validation error in Zscaler Client Connector for Linux that allows attackers to inject code into existing processes. The ...
Oct 23, 2023

This vulnerability in NeoRS's ActiveX module allows attackers to bypass origin validation and trick users into downloading and executing arbitrary mal...
Jun 28, 2022

About CWE-346 (CWE-346)
Our database tracks 100 CVEs classified as CWE-346, with 20 rated critical and 49 rated high severity. The average CVSS score for CWE-346 vulnerabilities is 7.5.
External reference: View CWE-346 on MITRE CWE →