CWE-940(Improper Verification of Source of a Communication Channel)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Mobile | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-54106 | 2026-06-18 | The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-F… |
| CVE-2026-48745 | 2026-06-17 | Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silentl… |
| CVE-2026-44894 | 2026-06-12 | Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Fin… |
| CVE-2026-44698 | 2026-05-29 | Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and i… |
| CVE-2026-45353 | 2026-05-28 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From 3.0.6 to 3.8.8, This vulnerability is fixed in 3.9.0. |
| CVE-2026-2611 | 2026-05-19 | In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests fro… |
| CVE-2026-45245 | 2026-05-18 | Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension… |
| CVE-2026-43880 | 2026-05-11 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter … |
| CVE-2026-23866 | 2026-05-01 | Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigge… |
| CVE-2026-40434 | 2026-04-17 | Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic. |
| CVE-2026-35643 | 2026-04-10 | OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute… |
| CVE-2026-33875 | 2026-03-27 | Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to… |
| CVE-2019-25613 | 2026-03-22 | Easy Chat Server 3.1 contains a denial of service vulnerability that allows remote attackers to crash the application by sending oversized data in the message parameter. Attackers can establish a sess… |
| CVE-2026-2967 | 2026-02-22 | A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulati… |
| CVE-2026-22269 | 2026-02-19 | Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remot… |
| CVE-2025-62439 | 2026-02-10 | An Improper Verification of Source of a Communication Channel vulnerability [CWE-940] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, Fort… |
| CVE-2025-40820 | 2025-12-09 | Affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range. This could allow an unauthenticated remote attacker e.g. to inter… |
| CVE-2025-13086 | 2025-12-03 | Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiat… |
| CVE-2024-32388 | 2025-12-01 | Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially crafted UDP packets. This allows an attacker to bypass the firewall and access UDP-based se… |
| CVE-2025-61932 | 2025-10-20 | Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending sp… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Modes_of_Introduction, References, Relationships |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Related_Attack_Patterns |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Applicable_Platforms, Potential_Mitigations, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Demonstrative_Examples, Potential_Mitigations |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated Potential_Mitigations |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description, Related_Attack_Patterns |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Common_Consequences, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Observed_Examples |