CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Applicable platforms:

| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |

These CVEs are mapped to this weakness in this database and kept for traceability and search.

| CVE | Published | Summary |
|---|---|---|
| CVE-2026-46342 | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0… |
| CVE-2026-42960 | 2026-05-20 | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority sect… |
| CVE-2026-44572 | 2026-05-13 | Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path hand… |
| CVE-2026-32162 | 2026-04-14 | Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally. |
| CVE-2026-35641 | 2026-04-10 | OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git … |
| CVE-2026-1642 | 2026-02-04 | A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream ser… |
| CVE-2025-68269 | 2025-12-16 | In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH |
| CVE-2025-1680 | 2025-10-23 | An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa’s Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Hos… |
| CVE-2025-40778 | 2025-10-22 | Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.… |
| CVE-2025-11411 | 2025-10-22 | NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used t… |
| CVE-2025-11703 | 2025-10-18 | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 9.0.48. This is due to the plugin not serving cached data from serv… |
| CVE-2025-5994 | 2025-07-16 | A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS… |
| CVE-2025-40776 | 2025-07-16 | A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack. This issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9… |
| CVE-2025-48804 | 2025-07-08 | Acceptance of extraneous untrusted data with trusted data in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. |
| CVE-2025-46339 | 2025-06-04 | FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disab… |
| CVE-2025-20255 | 2025-05-21 | A vulnerability in client join services of Cisco Webex Meetings could allow an unauthenticated, remote attacker to manipulate cached HTTP responses within the meeting join service. This vulnerabili… |
| CVE-2025-29842 | 2025-05-13 | Acceptance of extraneous untrusted data with trusted data in UrlMon allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2025-29816 | 2025-04-08 | Improper input validation in Microsoft Office Word allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2025-27415 | 2025-03-19 | Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache … |
| CVE-2024-53848 | 2024-11-29 | check-jsonschema is a CLI and set of pre-commit hooks for jsonschema validation. The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://exa… |

Modification history of this CWE entry:

| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Taxonomy_Mappings |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Modes_of_Introduction, Relationships |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Relationships, Taxonomy_Mappings |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Observed_Examples, Relationships |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Modes_of_Introduction, Relationships, Time_of_Introduction |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Relationships, Weakness_Ordinalities |