Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-58593

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-01 Jul, 2026 | 19:27
Updated At-02 Jul, 2026 | 15:08
Rejected At-
Credits

NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:01 Jul, 2026 | 19:27
Updated At:02 Jul, 2026 | 15:08
Rejected At:
▼CVE Numbering Authority (CNA)
NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.

Affected Products
Vendor
NodeBB
Product
NodeBB
Default Status
affected
Versions
Affected
  • 4.13.2
Problem Types
TypeCWE IDDescription
CWECWE-345Insufficient Verification of Data Authenticity
CWECWE-290Authentication Bypass by Spoofing
Type: CWE
CWE ID: CWE-345
Description: Insufficient Verification of Data Authenticity
Type: CWE
CWE ID: CWE-290
Description: Authentication Bypass by Spoofing
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/bikini/exploitarium/tree/main/nodebb-activitypub-attributedto-local-uid-spoof-poc
exploit
https://github.com/NodeBB/NodeBB/blob/v4.13.2/src/activitypub/mocks.js
product
https://www.vulncheck.com/advisories/nodebb-activitypub-author-spoofing-via-unvalidated-attributedto-mapped-to-local-user
third-party-advisory
Hyperlink: https://github.com/bikini/exploitarium/tree/main/nodebb-activitypub-attributedto-local-uid-spoof-poc
Resource:
exploit
Hyperlink: https://github.com/NodeBB/NodeBB/blob/v4.13.2/src/activitypub/mocks.js
Resource:
product
Hyperlink: https://www.vulncheck.com/advisories/nodebb-activitypub-author-spoofing-via-unvalidated-attributedto-mapped-to-local-user
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:01 Jul, 2026 | 20:17
Updated At:02 Jul, 2026 | 19:42

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
N/A
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

nodebb
nodebb
>>nodebb>>Versions up to 4.13.2(inclusive)
cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-290Secondarydisclosure@vulncheck.com
CWE-345Secondarydisclosure@vulncheck.com
CWE ID: CWE-290
Type: Secondary
Source: disclosure@vulncheck.com
CWE ID: CWE-345
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/NodeBB/NodeBB/blob/v4.13.2/src/activitypub/mocks.jsdisclosure@vulncheck.com
Exploit
Third Party Advisory
https://github.com/bikini/exploitarium/tree/main/nodebb-activitypub-attributedto-local-uid-spoof-pocdisclosure@vulncheck.com
Exploit
Third Party Advisory
https://www.vulncheck.com/advisories/nodebb-activitypub-author-spoofing-via-unvalidated-attributedto-mapped-to-local-userdisclosure@vulncheck.com
Exploit
Third Party Advisory
Hyperlink: https://github.com/NodeBB/NodeBB/blob/v4.13.2/src/activitypub/mocks.js
Source: disclosure@vulncheck.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/bikini/exploitarium/tree/main/nodebb-activitypub-attributedto-local-uid-spoof-poc
Source: disclosure@vulncheck.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://www.vulncheck.com/advisories/nodebb-activitypub-author-spoofing-via-unvalidated-attributedto-mapped-to-local-user
Source: disclosure@vulncheck.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

82Records found

CVE-2026-8960
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.38% / 29.55%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 12:29
Updated-19 May, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spoofing issue in WebExtensions

Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

Action-Not Available
Vendor-Mozilla Corporation
Product-FirefoxThunderbird
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-8963
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.30% / 22.06%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 12:30
Updated-20 May, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spoofing issue in the Web Speech component

Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefoxThunderbird
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2020-14116
Matching Score-4
Assigner-Xiaomi Technology Co., Ltd.
ShareView Details
Matching Score-4
Assigner-Xiaomi Technology Co., Ltd.
CVSS Score-7.5||HIGH
EPSS-0.41% / 32.68%
||
7 Day CHG~0.00%
Published-21 Apr, 2022 | 17:22
Updated-04 Aug, 2024 | 12:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An intent redirection vulnerability in the Mi Browser product. This vulnerability is caused by the Mi Browser does not verify the validity of the incoming data. Attackers can perform sensitive operations by exploiting this.

Action-Not Available
Vendor-n/aXiaomi
Product-mi_browserMi Browser
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2026-47777
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.17% / 6.35%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 16:54
Updated-16 Jun, 2026 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mastodon has a consent-check bypass in its remote Collections

Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds who have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.

Action-Not Available
Vendor-mastodon
Product-mastodon
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-46356
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.28% / 19.40%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 19:03
Updated-18 May, 2026 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fleet: IP spoofing allows bypassing API rate limiting

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Version 4.80.1 contains a patch. If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites `X-Forwarded-For` with the true client IP, and apply rate limiting at the proxy or WAF layer.

Action-Not Available
Vendor-fleetdmfleetdm
Product-fleetfleet
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-45022
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7||HIGH
EPSS-0.16% / 5.50%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 14:54
Updated-04 Jun, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
go-git: Improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.

Action-Not Available
Vendor-go-git_projectgo-git
Product-go-gitgo-git
CWE ID-CWE-180
Incorrect Behavior Order: Validate Before Canonicalize
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2025-27916
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.69%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 00:00
Updated-08 Dec, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in AnyDesk for Windows before 9.0.6 and AnyDesk for Android before 8.0.0. When the connection between two clients is established via an IP address, it is possible to manipulate the data and spoof the AnyDesk ID.

Action-Not Available
Vendor-anydeskn/a
Product-anydeskn/a
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2022-23491
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.53% / 41.16%
||
7 Day CHG~0.00%
Published-07 Dec, 2022 | 21:15
Updated-23 Apr, 2025 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Removal of TrustCor root certificate

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Action-Not Available
Vendor-certificertifiNetApp, Inc.
Product-certifimanagement_services_for_netapp_hcimanagement_services_for_element_softwaree-series_performance_analyzerpython-certifi
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2022-2255
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.69% / 48.26%
||
7 Day CHG~0.00%
Published-25 Aug, 2022 | 17:26
Updated-03 Aug, 2024 | 00:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

Action-Not Available
Vendor-modwsgin/aDebian GNU/Linux
Product-debian_linuxmod_wsgimod_wsgi
CWE ID-CWE-348
Use of Less Trusted Source
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2022-2324
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-7.5||HIGH
EPSS-0.53% / 41.02%
||
7 Day CHG~0.00%
Published-29 Jul, 2022 | 21:05
Updated-31 Oct, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance. This vulnerability impacts 10.0.17.7319 and earlier versions

Action-Not Available
Vendor-SonicWall Inc.
Product-hosted_email_securitySonicWall Email Security
CWE ID-CWE-290
Authentication Bypass by Spoofing
CWE ID-CWE-358
Improperly Implemented Security Check for Standard
CVE-2026-42575
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.16% / 5.46%
||
7 Day CHG~0.00%
Published-09 May, 2026 | 19:26
Updated-13 May, 2026 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.

Action-Not Available
Vendor-chainguard-dev
Product-apko
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-494
Download of Code Without Integrity Check
CVE-2021-46559
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.44% / 35.02%
||
7 Day CHG~0.00%
Published-26 Jan, 2022 | 01:11
Updated-04 Aug, 2024 | 05:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The firmware on Moxa TN-5900 devices through 3.1 has a weak algorithm that allows an attacker to defeat an inspection mechanism for integrity protection.

Action-Not Available
Vendor-n/aMoxa Inc.
Product-tn-5900_firmwaretn-5900n/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2026-42674
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.39% / 31.40%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 15:22
Updated-01 Jun, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Advanced Access Manager plugin <= 7.1.0 - Bypass Vulnerability vulnerability

Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0.

Action-Not Available
Vendor-AAM Plugin
Product-Advanced Access Manager
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-41577
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.17% / 6.60%
||
7 Day CHG~0.00%
Published-02 Jun, 2026 | 17:12
Updated-04 Jun, 2026 | 19:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
authentik: SAML source does not validate Conditions, timing, or audience on assertions

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3.

Action-Not Available
Vendor-goauthentikgoauthentik
Product-authentikauthentik
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2023-37920
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.47% / 37.18%
||
7 Day CHG-0.00%
Published-25 Jul, 2023 | 20:45
Updated-05 Mar, 2025 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Certifi's removal of e-Tugra root certificate

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Action-Not Available
Vendor-certificertifiFedora ProjectNetApp, Inc.
Product-fedoraactive_iq_unified_managerontap_mediatormanagement_services_for_element_softwareontap_select_deploy_administration_utilitymanagement_services_for_netapp_hcicertifisolidfire_\&_hci_storage_nodepython-certifi
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2025-14327
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.34% / 25.79%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 13:38
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spoofing issue in the Downloads Panel component

Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdThunderbirdFirefox
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-3902
Matching Score-4
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Matching Score-4
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-7.5||HIGH
EPSS-0.44% / 34.98%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 14:22
Updated-13 Apr, 2026 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ASGI header spoofing via underscore/hyphen conflation

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-35042
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.15% / 5.06%
||
7 Day CHG~0.00%
Published-06 Apr, 2026 | 17:02
Updated-10 Apr, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

Action-Not Available
Vendor-nearformnearform
Product-fast-jwtfast-jwt
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-636
Not Failing Securely ('Failing Open')
CVE-2026-33661
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.50% / 39.27%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 21:05
Updated-01 Apr, 2026 | 13:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WeChat Pay callback signature verification bypassed when Host header is localhost

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue.

Action-Not Available
Vendor-yansongdayansongda
Product-paypay
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-32597
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.27% / 18.47%
||
7 Day CHG+0.07%
Published-12 Mar, 2026 | 21:41
Updated-01 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

Action-Not Available
Vendor-pyjwt_projectjpadillaRed Hat, Inc.
Product-pyjwtpyjwtRed Hat Enterprise Linux AppStream E4S (v.9.2)Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)Red Hat Enterprise Linux High Availability EUS (v.9.4)Red Hat Enterprise Linux AppStream (v. 10)Red Hat AI Inference Server 3.3Red Hat Enterprise Linux AI 3.3Red Hat Satellite 6.18Red Hat Quay 3.16Red Hat Ansible Automation Platform 2.5Red Hat Satellite 6Red Hat Ansible Automation Platform 2.6 for RHEL 10Red Hat Enterprise Linux AppStream (v. 9)Red Hat Quay 3.10Red Hat OpenShift AI (RHOAI)Red Hat Quay 3.15Red Hat Enterprise Linux HighAvailability (v. 8)Red Hat AI Inference ServerRed Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Enterprise Linux AppStream (v. 8)Red Hat OpenShift AI 3.3Red Hat Quay 3.9Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Ansible Automation Platform 2.6Red Hat Trusted Artifact Signer 1.4Red Hat Enterprise Linux ResilientStorage (v. 8)Red Hat Trusted Artifact SignerRed Hat Ansible Automation Platform 2Red Hat Enterprise Linux High Availability E4S (v.9.2)Red Hat Quay 3.12OpenShift LightspeedRed Hat Enterprise Linux AppStream EUS (v.9.4)Red Hat OpenShift AI 2.25Red Hat Enterprise Linux Resilient Storage E4S (v.9.2)
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-33143
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.18% / 8.00%
||
7 Day CHG~0.00%
Published-20 Mar, 2026 | 20:05
Updated-24 Mar, 2026 | 02:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OneUptime: WhatsApp Webhook Missing Signature Verification

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.

Action-Not Available
Vendor-hackerbayOneUptime
Product-oneuptimeoneuptime
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2026-32666
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.33% / 24.64%
||
7 Day CHG~0.00%
Published-20 Mar, 2026 | 23:17
Updated-23 Mar, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Automated Logic WebCTRL Premium Server Authentication Bypass by Spoofing

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated AutomatedLogic controllers. Spoofed packets may be processed as legitimate.

Action-Not Available
Vendor-Automated Logic
Product-WebCTRL Premium Server
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2023-30464
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.40% / 32.42%
||
7 Day CHG~0.00%
Published-18 Sep, 2024 | 00:00
Updated-10 Jul, 2025 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.

Action-Not Available
Vendor-coredns.ion/acoredns.io
Product-corednsn/acoredns
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2019-15022
Matching Score-4
Assigner-Palo Alto Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-1.07% / 60.70%
||
7 Day CHG~0.00%
Published-09 Oct, 2019 | 20:20
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier, that allows for the Inspector to be susceptible to ARP spoofing.

Action-Not Available
Vendor-zingboxn/a
Product-inspectorPalo Alto Networks Zingbox Inspector
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2023-23941
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.30% / 21.47%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 20:26
Updated-10 Mar, 2025 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SwagPayPal payment not sent to PayPal correctly

SwagPayPal is a PayPal integration for shopware/platform. If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order. The problem has been fixed with version 5.4.4. As a workaround, disable the aforementioned payment methods or use the Security Plugin in version >= 1.0.21.

Action-Not Available
Vendor-shopwareshopware
Product-swagpaypalSwagPayPal
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2021-42308
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-3.1||LOW
EPSS-1.12% / 62.31%
||
7 Day CHG~0.00%
Published-24 Nov, 2021 | 01:05
Updated-04 Aug, 2024 | 03:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Edge (Chromium-based) Spoofing Vulnerability

Microsoft Edge (Chromium-based) Spoofing Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-edge_chromiumMicrosoft Edge (Chromium-based)
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-28465
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.2||HIGH
EPSS-0.37% / 29.37%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 21:59
Updated-11 Mar, 2026 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.

Action-Not Available
Vendor-OpenClaw
Product-openclawvoice-call
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-28454
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.2||HIGH
EPSS-0.26% / 16.80%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 21:59
Updated-09 Mar, 2026 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2021-4031
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-7.5||HIGH
EPSS-0.46% / 36.46%
||
7 Day CHG~0.00%
Published-18 Mar, 2022 | 17:59
Updated-16 Sep, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Syltek Insufficient Verification of Data Authenticity

Syltek application before its 10.22.00 version, does not correctly check that a product ID has a valid payment associated to it. This could allow an attacker to forge a request and bypass the payment system by marking items as payed without any verification.

Action-Not Available
Vendor-syltekSyltek
Product-syltekSyltek
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2026-27089
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.27% / 18.27%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:17
Updated-16 Jun, 2026 | 12:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WpTravelly plugin <= 2.1.7 - Bypass Vulnerability vulnerability

Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.

Action-Not Available
Vendor-Magepeople inc.
Product-WpTravelly
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-25474
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.20% / 9.95%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 02:38
Updated-19 Feb, 2026 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id). If an attacker can reach the webhook endpoint, they may be able to send forged updates that are processed as if they came from Telegram. Depending on enabled commands/tools and configuration, this could lead to unintended bot actions. Note: Telegram webhook mode is not enabled by default. It is enabled only when `channels.telegram.webhookUrl` is configured. This issue has been fixed in version 2026.2.1.

Action-Not Available
Vendor-OpenClaw
Product-openclawopenclaw
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2026-24372
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.46% / 36.86%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Subscriptions for WooCommerce plugin <= 1.8.10 - Bypass Vulnerability vulnerability

Authentication Bypass by Spoofing vulnerability in WP Swings Subscriptions for WooCommerce subscriptions-for-woocommerce allows Input Data Manipulation.This issue affects Subscriptions for WooCommerce: from n/a through <= 1.8.10.

Action-Not Available
Vendor-WP Swings
Product-Subscriptions for WooCommerce
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-2428
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.14% / 3.64%
||
7 Day CHG~0.00%
Published-27 Feb, 2026 | 03:23
Updated-08 Apr, 2026 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

Action-Not Available
Vendor-techjewel
Product-Fluent Forms Pro Add On Pack
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2023-5133
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.55% / 41.94%
||
7 Day CHG~0.00%
Published-16 Oct, 2023 | 19:39
Updated-23 Apr, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log Pro < 2.3.4 - IP Spoofing

This user-activity-log-pro WordPress plugin before 2.3.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

Action-Not Available
Vendor-solwininfotechUnknown
Product-user_activity_loguser-activity-log-pro
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2022-4746
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.73% / 49.66%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 14:31
Updated-02 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FluentAuth < 1.0.2 - Bypass blocks by IP Spoofing

The FluentAuth WordPress plugin before 1.0.2 prioritizes getting a visitor's IP address from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass the IP-based blocks set by the plugin.

Action-Not Available
Vendor-wpmanageninjaUnknown
Product-fluentauthFluentAuth
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2022-46370
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-7.3||HIGH
EPSS-0.22% / 13.04%
||
7 Day CHG~0.00%
Published-12 Jan, 2023 | 00:00
Updated-08 Apr, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rumpus - FTP server Improper Token Verification

Rumpus - FTP server version 9.0.7.1 Improper Token Verification– vulnerability may allow bypassing identity verification.

Action-Not Available
Vendor-maxumRumpus
Product-rumpusFTP server
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2022-4550
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.66% / 46.97%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 15:24
Updated-18 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity <= 1.0.1 - IP Spoofing

The User Activity WordPress plugin through 1.0.1 checks headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing

Action-Not Available
Vendor-user_activity_projectUnknown
Product-user_activityUser Activity
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2023-4279
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.85% / 53.76%
||
7 Day CHG~0.00%
Published-04 Sep, 2023 | 11:27
Updated-23 Apr, 2025 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log < 1.6.7 - IP Spoofing

This User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

Action-Not Available
Vendor-solwininfotechUnknown
Product-user_activity_logUser Activity Log
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2022-36360
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-0.25% / 16.30%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 10:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). Affected devices load firmware updates without checking the authenticity. Furthermore the integrity of the unencrypted firmware is only verified by a non-cryptographic method. This could allow an attacker to manipulate a firmware update and flash it to the device.

Action-Not Available
Vendor-Siemens AG
Product-logo\!8_bm_fs-05logo\!8_bm_fs-05_firmwarelogo\!_8_bm_firmwarelogo\!8_bmLOGO! 8 BM (incl. SIPLUS variants)
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-354
Improper Validation of Integrity Check Value
CVE-2022-34689
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-7.5||HIGH
EPSS-37.93% / 98.37%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-02 Jan, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows CryptoAPI Spoofing Vulnerability

Windows CryptoAPI Spoofing Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2016windows_server_2012windows_8.1windows_rt_8.1windows_7windows_11windows_10windows_server_2022windows_server_2019windows_server_2008Windows Server 2022Windows 10 Version 1607Windows 10 Version 21H1Windows Server 2019 (Server Core installation)Windows Server 2008 Service Pack 2Windows 10 Version 1809Windows Server 2016 (Server Core installation)Windows 11 version 21H2Windows 8.1Windows 7Windows Server 2012 (Server Core installation)Windows 7 Service Pack 1Windows 10 Version 20H2Windows Server 2016Windows 10 Version 1507Windows 10 Version 21H2Windows Server 2008 R2 Service Pack 1Windows Server 2008 Service Pack 2 (Server Core installation)Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2012 R2Windows Server 2019Windows Server 2012Windows Server 2008 Service Pack 2Windows Server 2012 R2 (Server Core installation)
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2024-47867
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2.1||LOW
EPSS-0.21% / 10.92%
||
7 Day CHG~0.00%
Published-10 Oct, 2024 | 22:19
Updated-15 Nov, 2024 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of integrity check on the downloaded FRP client in Gradio

Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.

Action-Not Available
Vendor-gradio_projectgradio-app
Product-gradiogradio
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2024-45410
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.51% / 71.39%
||
7 Day CHG+0.01%
Published-19 Sep, 2024 | 22:51
Updated-25 Sep, 2024 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP client can remove the X-Forwarded headers in Traefik

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-traefiktraefiktraefik
Product-traefiktraefiktraefik
CWE ID-CWE-348
Use of Less Trusted Source
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2025-59420
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.24% / 15.51%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 17:28
Updated-03 Nov, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.

Action-Not Available
Vendor-authlibauthlib
Product-authlibauthlib
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-39689
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.05% / 60.06%
||
7 Day CHG~0.00%
Published-05 Jul, 2024 | 18:39
Updated-15 Feb, 2025 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Certifi removes GLOBALTRUST root certificate

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

Action-Not Available
Vendor-certificertifiNetApp, Inc.
Product-ontap_toolscertifiontap_select_deploy_administration_utilitymanagement_services_for_element_software_and_netapp_hcipython-certifi
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2022-28370
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.32% / 24.14%
||
7 Day CHG~0.00%
Published-14 Jul, 2022 | 12:29
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 devices, the RPC endpoint crtc_fw_upgrade provides a means of provisioning a firmware update for the device. /lib/functions/wnc_jsonsh/wnc_crtc_fw.sh has no cryptographic validation of the image, thus allowing an attacker to modify the installed firmware.

Action-Not Available
Vendor-n/aVerizon Communications, Inc
Product-lvskihp_outdoorunitlvskihp_outdoorunit_firmwaren/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2022-29218
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-1.14% / 62.75%
||
7 Day CHG~0.00%
Published-12 May, 2022 | 23:55
Updated-22 Apr, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized takeover for new versions of some platform-specific gems

RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems (with platforms ending in numbers, like `arm64-darwin-21`) to be temporarily replaced in the CDN cache by a malicious package. The bug has been patched, and is believed to have never been exploited, based on an extensive review of logs and existing gems by rubygems. The easiest way to ensure that an application has not been exploited by this vulnerability is to verify all downloaded .gems checksums match the checksum recorded in the RubyGems.org database. RubyGems.org has been patched and is no longer vulnerable to this issue.

Action-Not Available
Vendor-rubygemsrubygems
Product-rubygems.orgrubygems.org
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-290
Authentication Bypass by Spoofing
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-28856
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.47% / 82.58%
||
7 Day CHG~0.00%
Published-14 Dec, 2020 | 17:59
Updated-04 Aug, 2024 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly determine the HTTP request's originating IP address, allowing attackers to spoof it using X-Forwarded-For in the header, by supplying localhost address such as 127.0.0.1, effectively bypassing all IP address based access controls.

Action-Not Available
Vendor-openassetn/a
Product-digital_asset_managementn/a
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2020-10831
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.23% / 13.47%
||
7 Day CHG~0.00%
Published-24 Mar, 2020 | 17:05
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Attackers can trigger an update to arbitrary touch-screen firmware. The Samsung ID is SVE-2019-16013 (March 2020).

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidn/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-25019
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.02% / 59.26%
||
7 Day CHG~0.00%
Published-29 Aug, 2020 | 16:07
Updated-17 Nov, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jitsi-meet-electron (aka Jitsi Meet Electron) before 2.3.0 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource, in some circumstances.

Action-Not Available
Vendor-jitsin/a
Product-meet_electronn/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-22660
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.56% / 42.27%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to force bypass Secure Boot failed attempts and run temporarily the previous Backup image.

Action-Not Available
Vendor-ruckuswirelessn/a
Product-zonedirector_3000zonedirector_1200_firmwaret300_firmwarescg200_firmwarer600sz-100_firmwarevszvsz_firmwarer310_firmwarer600_firmwarer500_firmwarezonedirector_1100r500zonedirector_5000t301szonedirector_1100_firmwaret301s_firmwarer310zonedirector_3000_firmwarezonedirector_5000_firmwaret300scg200sz-300_firmwaresz-100zonedirector_1200t301n_firmwaresz-300t301nn/a
CWE ID-CWE-290
Authentication Bypass by Spoofing
  • Previous
  • 1
  • 2
  • Next
Details not found