CWE-346 608 個 CVE MITRE 定義 ↗

CWE-346:Origin Validation Error

概覽

CWE-346(Origin Validation Error)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product does not properly verify that the source of data or communication is valid.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Not Technology-Specific Undetermined
technology Web Based Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-56181 2026-07-14 Origin validation error in Windows Network Address Translation (NAT) allows an unauthorized attacker to perform spoofing over an adjacent network.
CVE-2026-15076 2026-07-14 In versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), the WebClientSession component of Eclipse Vert.x Web Client does not validate that the Domain attribute of a Set-Cookie resp…
CVE-2026-15075 2026-07-14 In Eclipse Vert.x versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), DefaultRedirectHandler (vertx-core) propagates all request headers as-is across cross-origin HTTP 30x redirec…
CVE-2026-55669 2026-07-10 ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer (iss) but not the audience (aud) c…
CVE-2026-59208 2026-07-09 n8n is an open source workflow automation platform. Prior to 2.27.4 and from 2.28.0 prior to 2.28.1, n8n instances configured with more than one trusted token-exchange issuer resolved external identit…
CVE-2026-59723 2026-07-08 Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub dashboard server launched by the cline dashboard command accepts WebSocket connections on…
CVE-2026-59883 2026-07-08 Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matc…
CVE-2026-55438 2026-07-07 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the sa…
CVE-2026-59153 2026-07-07 Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other orig…
CVE-2026-58266 2026-07-07 Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via i…
CVE-2026-34198 2026-07-07 Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = '*'), accepting …
CVE-2026-42341 2026-07-06 FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When …
CVE-2026-59152 2026-07-06 LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can…
CVE-2026-59096 2026-07-02 Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header w…
CVE-2026-55660 2026-07-01 Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and…
CVE-2026-56277 2026-06-30 Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent…
CVE-2026-14105 2026-06-30 Insufficient policy enforcement in Speech in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-14079 2026-06-30 Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-14057 2026-06-30 Inappropriate implementation in FedCM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-14053 2026-06-30 Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML pa…

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2009-05-27 CWE Content Team 1.4 updated Related_Attack_Patterns
2010-12-13 CWE Content Team 1.11 updated Related_Attack_Patterns
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2011-06-27 CWE Content Team 2.0 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Related_Attack_Patterns, Relationships
2014-02-18 CWE Content Team 2.6 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Maintenance_Notes, References, Relationship_Notes, Relationships, Terminology_Notes
2014-06-23 CWE Content Team 2.7 updated Related_Attack_Patterns
2014-07-30 CWE Content Team 2.8 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Modes_of_Introduction, References, Relationships
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns, Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-06-25 CWE Content Team 4.1 updated Demonstrative_Examples, Terminology_Notes
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-04-28 CWE Content Team 4.7 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description, Type
2023-04-27 CWE Content Team 4.11 updated Relationships, Taxonomy_Mappings
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2024-02-29 CWE Content Team 4.14 updated Taxonomy_Mappings
2024-11-19 CWE Content Team 4.16 updated References
2025-09-09 CWE Content Team 4.18 updated Observed_Examples
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Detection_Factors, Relationships

貢獻

類型 名稱 日期 評論
Content "Mapping CWE to 62443" Sub-Working Group 2023-04-25 Suggested mappings to ISA/IEC 62443.
cvelogic Threat Intelligence