CWE-346
All CWE-346 CVEs (99)
Textream macOS teleprompter app versions before 1.5.1 have a WebSocket server that doesn't validate the Origin header, allowing malicious web pages to...
Mar 2, 2026

This vulnerability allows attackers to bypass the Same-Origin Policy in Whale browser's sidebar environment, potentially enabling cross-origin data th...
Dec 30, 2025

This vulnerability allows attackers within Bluetooth range to bypass authentication on Autel MaxiCharger AC Wallbox Commercial electric vehicle chargi...
Jun 25, 2025

A CORS misconfiguration in netease-youdao/qanything version 1.4.1 allows attackers to bypass Same-Origin Policy protections, potentially exposing sens...
Mar 20, 2025

This vulnerability in Oracle JD Edwards EnterpriseOne Tools allows unauthenticated attackers to remotely access sensitive data via HTTP. It affects al...
Jan 21, 2025

This vulnerability in lilishop e-commerce platform allows attackers to bypass coupon quantity limits during high-traffic periods by intercepting and r...
Nov 15, 2024

This vulnerability allows attackers to change usernames arbitrarily in Mirotalk video conferencing systems by sending crafted roomAction requests. It ...
Oct 11, 2024

Flowise version 1.4.3 has a CORS misconfiguration that allows arbitrary origins to connect to the website, potentially enabling cross-origin attacks. ...
Jul 1, 2024

This vulnerability in WebKitGTK allows attackers to trick users into dragging files from their local system into a malicious webpage, which can then r...
Dec 3, 2025

SEL-5037 Grid Configurator contains an overly permissive CORS configuration that allows unauthorized cross-origin requests to its data gateway API. Th...
May 12, 2025

A CORS misconfiguration in Danswer AI v1.4.1 allows malicious websites to make unauthorized cross-origin requests to the application's API, potentiall...
Mar 20, 2025

A CORS misconfiguration in feast-dev/feast version 0.40.0 allows any external domain to make requests to the agentscope server API, bypassing intended...
Mar 20, 2025

An origin validation vulnerability in BIG-IP APM browser network access VPN client allows attackers to bypass F5 endpoint inspection. This affects Win...
May 8, 2024

This CVE describes an origin validation error in Akinsoft LimonDesk that allows forceful browsing attacks. Attackers can bypass intended access contro...
Sep 3, 2025

This CVE describes a CSRF vulnerability in Go applications using TrustedOrigins where network attackers can bypass same-origin checks. Applications th...
Aug 29, 2025

CVE-2021-46701 is a WebSocket transport vulnerability in PreMiD 2.2.0 that allows unauthorized access to socket events. Attackers can intercept and ma...
Feb 20, 2022

CVE-2024-10956 is a Cross-Site WebSocket Hijacking vulnerability in GPT Academy version 3.83 that allows attackers to hijack WebSocket connections bet...
Mar 20, 2025

A CORS misconfiguration in lollms-webui allows attackers to steal sensitive information like logs, browser sessions, and settings containing private A...
Oct 29, 2024

An origin validation error in Juniper EX4600 and QFX5000 Series devices allows attackers with physical access to create persistent backdoors when no r...
Oct 9, 2025

This vulnerability allows authenticated attackers on the same network as UniFi Protect Cameras to bypass firmware validation and make unauthorized sys...
Mar 1, 2025

This vulnerability in the Linux kernel allows bypassing lockdown mode when IMA appraisal is configured with 'ima_appraise=log' boot parameter and Secu...
Dec 24, 2024

This CVE describes a CSRF vulnerability in React Router and Remix that allows attackers to trick authenticated users into submitting malicious POST re...
Jan 10, 2026

This CVE describes a same-origin policy bypass vulnerability in Firefox and Thunderbird's request handling component. It allows malicious websites to ...
Dec 9, 2025

A logic error in CrowdStrike Falcon sensor for Windows allows attackers with existing code execution on a host to delete arbitrary files. Only Windows...
Oct 8, 2025

CVE-2025-56648 is an Origin Validation Error vulnerability in Parcel development servers that allows malicious websites to make cross-origin requests ...
Sep 17, 2025

Webpack-dev-server versions before 5.2.1 have a Cross-Site WebSocket Hijacking vulnerability that allows malicious websites to steal source code from ...
Jun 3, 2025

This vulnerability in AliasVault Android app allows a malicious local app to potentially obtain passkey responses for websites it shouldn't have acces...
Jan 14, 2026

This vulnerability in IBM Engineering Requirements Management Doors Next allows authenticated users to spoof email sender identities due to improper s...
Oct 12, 2025

This vulnerability in Synology BeeDrive desktop software allows local users to write arbitrary files containing non-sensitive information due to an or...
Dec 4, 2025

Nitro PDF Pro for Windows before version 14.42.0.34 displays signer information from unverified PDF fields instead of verified certificate subjects. T...
Jan 8, 2026

A CORS misconfiguration vulnerability in Q-Free MaxTime allows attackers to bypass origin validation and perform cross-origin attacks. This affects al...
Feb 12, 2025

This vulnerability in MySQL Server's InnoDB component allows authenticated high-privileged attackers to cause denial of service (server crashes/hangs)...
Jan 21, 2025

This vulnerability allows a remote attacker to bypass the Mark of the Web security feature in Google Chrome on Windows by tricking users into visiting...
Nov 8, 2025

This vulnerability in Oracle JD Edwards EnterpriseOne Tools allows authenticated attackers with low privileges to manipulate business logic via HTTP r...
Jan 21, 2025

HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning due to improper validation of the Origin HTTP header. This could allow attacke...
Aug 15, 2025

This vulnerability in flask-cors 4.0.1 causes inconsistent CORS policy matching due to improper URL path normalization where '+' characters are conver...
Mar 20, 2025

This vulnerability in FORT RPKI validator allows attackers to serve outdated RPKI manifests, causing the system to accept invalid or revoked BGP route...
Dec 18, 2024

This vulnerability in kodbox v1.52.04 and earlier allows remote attackers to obtain sensitive information through the captcha feature in the password ...
Nov 15, 2024

This vulnerability allows attackers to obscure the origin of external protocol handler prompts using data: URLs within iframes, potentially tricking u...
Oct 29, 2024

This vulnerability in Conduit's federation API allows remote servers to impersonate users from any server in most EDU (Education) environments due to ...
Jun 25, 2024

This CVE allows authenticated IPSec VPN users with dynamic IP addressing to send spoofed packets appearing to come from other VPN users. It affects Fo...
Jan 14, 2025

This CVE describes an origin validation error in Akinsoft OctoCloud that allows HTTP response splitting attacks. Attackers can inject malicious header...
Sep 2, 2025

A local privilege bypass vulnerability in Palo Alto Networks Cortex XDR agent on Windows allows low-privileged users to disrupt some agent functionali...
Jun 12, 2024

An origin validation error in Kibana's Observability AI Assistant allows attackers to perform Server-Side Request Forgery (SSRF) by forging the Origin...
Nov 12, 2025

An unauthenticated attacker on the same wireless network can inject fake Device Analytics action frames into Cisco Wireless Access Points. This could ...
Sep 24, 2025

This CVE describes an intent redirection vulnerability in Xiaomi's Quick App framework that allows attackers to redirect app intents to malicious comp...
Mar 27, 2025

MSA FieldServer Gateway versions 5.0.0 through 6.5.2 have a cross-origin WebSocket hijacking vulnerability that allows attackers to establish WebSocke...
Nov 29, 2024

The Proctorio Chrome Extension vulnerability allows malicious websites to send messages that the extension processes without verifying the sender's or...
Feb 11, 2026

This CVE describes an authentication bypass vulnerability in Johnson Controls building automation systems where packet source verification is missing....
Dec 22, 2025

About CWE-346
Our database tracks 99 CVEs classified as CWE-346, with 20 rated critical and 48 rated high severity. The average CVSS score for CWE-346 vulnerabilities is 7.5.