CWE-348
Use of Less Trusted Source
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
CVE-2025-48825 (GCVE-0-2025-48825)
Vulnerability from cvelistv5 – Published: 2025-06-13 08:19 – Updated: 2025-06-23 16:07
VLAI
Summary
RICOH Streamline NX V3 PC Client versions 3.5.0 to 3.7.0 contains an issue with use of less trusted source, which may allow an attacker who can conduct a man-in-the-middle attack to eavesdrop upgrade requests and execute a malicious DLL with custom code.
Severity
CWE
- CWE-348 - Use of less trusted source
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Ricoh Company, Ltd. | RICOH Streamline NX V3 PC Client |
Affected:
versions 3.5.0 to 3.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T15:05:23.850151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T16:07:13.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RICOH Streamline NX V3 PC Client",
"vendor": "Ricoh Company, Ltd.",
"versions": [
{
"status": "affected",
"version": "versions 3.5.0 to 3.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RICOH Streamline NX V3 PC Client versions 3.5.0 to 3.7.0 contains an issue with use of less trusted source, which may allow an attacker who can conduct a man-in-the-middle attack to eavesdrop upgrade requests and execute a malicious DLL with custom code."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "Use of less trusted source",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T08:19:06.089Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000006"
},
{
"url": "https://jvn.jp/en/jp/JVN27937557/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-48825",
"datePublished": "2025-06-13T08:19:06.089Z",
"dateReserved": "2025-06-12T01:53:37.255Z",
"dateUpdated": "2025-06-23T16:07:13.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48865 (GCVE-0-2025-48865)
Vulnerability from cvelistv5 – Published: 2025-05-30 06:14 – Updated: 2025-05-30 12:24
VLAI
Title
Fabio allows HTTP clients to manipulate custom headers it adds
Summary
Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6.
Severity
9.1 (Critical)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/fabiolb/fabio/security/advisor… | x_refsource_CONFIRM |
| https://github.com/fabiolb/fabio/commit/fdaf1e966… | x_refsource_MISC |
| https://github.com/fabiolb/fabio/releases/tag/v1.6.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48865",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T12:24:13.107794Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T12:24:19.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabio",
"vendor": "fabiolb",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348: Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T06:14:45.819Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf"
},
{
"name": "https://github.com/fabiolb/fabio/commit/fdaf1e966162e9dd3b347ffdd0647b39dc71a1a3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fabiolb/fabio/commit/fdaf1e966162e9dd3b347ffdd0647b39dc71a1a3"
},
{
"name": "https://github.com/fabiolb/fabio/releases/tag/v1.6.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fabiolb/fabio/releases/tag/v1.6.6"
}
],
"source": {
"advisory": "GHSA-q7p4-7xjv-j3wf",
"discovery": "UNKNOWN"
},
"title": "Fabio allows HTTP clients to manipulate custom headers it adds"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48865",
"datePublished": "2025-05-30T06:14:45.819Z",
"dateReserved": "2025-05-27T20:14:34.294Z",
"dateUpdated": "2025-05-30T12:24:19.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53522 (GCVE-0-2025-53522)
Vulnerability from cvelistv5 – Published: 2025-08-20 04:22 – Updated: 2025-08-20 16:00
VLAI
Summary
Movable Type contains an issue with use of less trusted source. If exploited, tampered email to reset a password may be sent by a remote unauthenticated attacker.
Severity
5.3 (Medium)
CWE
- CWE-348 - Use of less trusted source
Assigner
References
2 references
Impacted products
12 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53522",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T16:00:10.875489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T16:00:35.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Movable Type (Software Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.0.0 to 8.0.6"
},
{
"status": "affected",
"version": "8.4.0 to 8.4.2 (8 series)"
}
]
},
{
"product": "Movable Type (Software Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "7 r.5508 and earlier (7 series)"
}
]
},
{
"product": "Movable Type Advanced (Software Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.0.0 to 8.0.6"
},
{
"status": "affected",
"version": "8.4.0 to 8.4.2 (8 series)"
}
]
},
{
"product": "Movable Type Advanced (Software Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "7 r.5508 and earlier (7 series)"
}
]
},
{
"product": "Movable Type Premium (Software Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "2.09 and earlier (2 series)"
}
]
},
{
"product": "Movable Type Premium (Software Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "1.66 and earlier (1 series)"
}
]
},
{
"product": "Movable Type Premium (Advanced Edition) (Software Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "2.09 and earlier (2 series)"
}
]
},
{
"product": "Movable Type Premium (Advanced Edition) (Software Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "1.66 and earlier (1 series)"
}
]
},
{
"product": "Movable Type (Cloud Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.6.0 (8 series)"
}
]
},
{
"product": "Movable Type (Cloud Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "7 r.5508 (7 series)"
}
]
},
{
"product": "Movable Type Premium (Cloud Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "2.09 (2 series)"
}
]
},
{
"product": "Movable Type Premium (Cloud Edition)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "1.66 (1 series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Movable Type contains an issue with use of less trusted source. If exploited, tampered email to reset a password may be sent by a remote unauthenticated attacker."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "Use of less trusted source",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T04:22:51.144Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://movabletype.org/news/2025/08/mt-843-released.html"
},
{
"url": "https://jvn.jp/en/jp/JVN76729865/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-53522",
"datePublished": "2025-08-20T04:22:51.144Z",
"dateReserved": "2025-08-14T05:29:32.466Z",
"dateUpdated": "2025-08-20T16:00:35.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55292 (GCVE-0-2025-55292)
Vulnerability from cvelistv5 – Published: 2026-01-27 23:28 – Updated: 2026-01-28 15:10
VLAI
Title
In Meshtastic, an attacker can spoof licensed amateur flag for a node
Summary
Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.
Severity
8.2 (High)
CWE
- CWE-348 - Use of Less Trusted Source
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/meshtastic/firmware/security/a… | x_refsource_CONFIRM |
| https://github.com/meshtastic/firmware/commit/e5e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| meshtastic | firmware |
Affected:
<= 2.6.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55292",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:10:33.593847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:10:48.709Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "firmware",
"vendor": "meshtastic",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn\u0027t use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn\u0027t provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348: Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T23:28:28.962Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/meshtastic/firmware/security/advisories/GHSA-45vg-3f35-7ch2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-45vg-3f35-7ch2"
},
{
"name": "https://github.com/meshtastic/firmware/commit/e5e8683cdba133e726033101586c3235a8678893",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/meshtastic/firmware/commit/e5e8683cdba133e726033101586c3235a8678893"
}
],
"source": {
"advisory": "GHSA-45vg-3f35-7ch2",
"discovery": "UNKNOWN"
},
"title": "In Meshtastic, an attacker can spoof licensed amateur flag for a node"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55292",
"datePublished": "2026-01-27T23:28:28.962Z",
"dateReserved": "2025-08-12T16:15:30.237Z",
"dateUpdated": "2026-01-28T15:10:48.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58422 (GCVE-0-2025-58422)
Vulnerability from cvelistv5 – Published: 2025-09-08 04:43 – Updated: 2025-09-08 18:38
VLAI
Summary
RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. If an attacker can perform a man-in-the-middle attack, they may alter the values of HTTP requests, which could result in tampering with the operation history of the product’s management tool.
Severity
CWE
- CWE-348 - Use of less trusted source
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Ricoh Company, Ltd. | RICOH Streamline NX |
Affected:
versions 3.5.1 to 24R3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T18:38:37.632565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T18:38:49.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RICOH Streamline NX",
"vendor": "Ricoh Company, Ltd.",
"versions": [
{
"status": "affected",
"version": "versions 3.5.1 to 24R3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. If an attacker can perform a man-in-the-middle attack, they may alter the values of HTTP requests, which could result in tampering with the operation history of the product\u2019s management tool."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "Use of less trusted source",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T04:43:01.703Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000010"
},
{
"url": "https://jvn.jp/en/jp/JVN75307484/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-58422",
"datePublished": "2025-09-08T04:43:01.703Z",
"dateReserved": "2025-09-03T06:29:41.944Z",
"dateUpdated": "2025-09-08T18:38:49.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59951 (GCVE-0-2025-59951)
Vulnerability from cvelistv5 – Published: 2025-10-01 21:52 – Updated: 2025-10-06 18:33
VLAI
Title
Termix' official Docker image contains an authentication bypass vulnerability
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy's IP instead of the client's IP when using the req.ip method. This results in isLocalhost always returning True. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system's stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix docker image, build their own image using the official dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0.
Severity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LukeGus/Termix/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LukeGus/Termix/pull/221 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59951",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:33:33.661457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:33:37.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "LukeGus",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy\u0027s IP instead of the client\u0027s IP when using the req.ip method. This results in isLocalhost always returning True. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system\u0027s stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix docker image, build their own image using the official dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348: Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T21:52:01.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94"
},
{
"name": "https://github.com/LukeGus/Termix/pull/221",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LukeGus/Termix/pull/221"
}
],
"source": {
"advisory": "GHSA-92cw-877q-6r94",
"discovery": "UNKNOWN"
},
"title": "Termix\u0027 official Docker image contains an authentication bypass vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59951",
"datePublished": "2025-10-01T21:52:01.232Z",
"dateReserved": "2025-09-23T14:33:49.506Z",
"dateUpdated": "2025-10-06T18:33:37.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-69240 (GCVE-0-2025-69240)
Vulnerability from cvelistv5 – Published: 2026-03-16 11:53 – Updated: 2026-03-16 13:49 X_Open Source
VLAI
Title
Header Poisoning in Raytha CMS
Summary
Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim's email address) can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser sends request to the attacker’s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim's password and take over the victim's account.
This issue was fixed in version 1.4.6.
Severity
CWE
- CWE-348 - Use of Less Trusted Source
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2026/03/CVE-2025-69236 | third-party-advisory |
| https://raytha.com | product |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T13:38:23.906395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T13:49:56.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Raytha",
"repo": "https://github.com/raythahq/raytha",
"vendor": "Raytha",
"versions": [
{
"lessThan": "1.4.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Basta"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim\u0027s email address)\u0026nbsp;can force the server to send an email with\u0026nbsp;password reset link pointing to the domain from spoofed header. When victim clicks the link,\u0026nbsp;browser sends request to the attacker\u2019s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim\u0027s password and take\u0026nbsp;over the victim\u0027s account.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 1.4.6.\u003cbr\u003e"
}
],
"value": "Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim\u0027s email address)\u00a0can force the server to send an email with\u00a0password reset link pointing to the domain from spoofed header. When victim clicks the link,\u00a0browser sends request to the attacker\u2019s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim\u0027s password and take\u00a0over the victim\u0027s account.\n\nThis issue was fixed in version 1.4.6."
}
],
"impacts": [
{
"capecId": "CAPEC-50",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-50 Password Recovery Exploitation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348 Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T11:53:41.514Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2026/03/CVE-2025-69236"
},
{
"tags": [
"product"
],
"url": "https://raytha.com"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Header Poisoning in Raytha CMS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-69240",
"datePublished": "2026-03-16T11:53:41.514Z",
"dateReserved": "2025-12-30T08:44:21.410Z",
"dateUpdated": "2026-03-16T13:49:56.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22201 (GCVE-0-2026-22201)
Vulnerability from cvelistv5 – Published: 2026-03-13 01:18 – Updated: 2026-03-13 16:09
VLAI
Title
wpDiscuz before 7.6.47 - IP Address Spoofing in getIP()
Summary
wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls.
Severity
5.3 (Medium)
CWE
- CWE-348 - Use of Less Trusted Source
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/wpdiscuz/#developers | patch |
| https://wordpress.org/plugins/wpdiscuz/ | product |
| https://www.vulncheck.com/advisories/wpdiscuz-bef… | third-party-advisory |
Impacted products
Date Public
2026-03-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:09:13.732671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:09:19.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:wordpress-plugin/wpdiscuz",
"product": "wpDiscuz",
"vendor": "gVectors",
"versions": [
{
"lessThan": "7.6.47",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "7.6.47"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*",
"versionEndExcluding": "7.6.47",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Moore - VulnCheck"
}
],
"datePublic": "2026-03-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T01:18:07.476Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "wpDiscuz Changelog",
"tags": [
"patch"
],
"url": "https://wordpress.org/plugins/wpdiscuz/#developers"
},
{
"name": "wpDiscuz",
"tags": [
"product"
],
"url": "https://wordpress.org/plugins/wpdiscuz/"
},
{
"name": "VulnCheck Advisory: wpDiscuz before 7.6.47 - IP Address Spoofing in getIP()",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wpdiscuz-before-ip-address-spoofing-in-getip"
}
],
"title": "wpDiscuz before 7.6.47 - IP Address Spoofing in getIP()",
"x_generator": {
"engine": "scooter"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-22201",
"datePublished": "2026-03-13T01:18:07.476Z",
"dateReserved": "2026-01-06T16:47:17.184Z",
"dateUpdated": "2026-03-13T16:09:19.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24910 (GCVE-0-2026-24910)
Vulnerability from cvelistv5 – Published: 2026-01-27 22:26 – Updated: 2026-01-28 21:19
VLAI
Summary
In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).
Severity
5.9 (Medium)
CWE
- CWE-348 - Use of Less Trusted Source
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24910",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T21:19:41.436423Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T21:19:54.515Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bun",
"vendor": "Bun",
"versions": [
{
"lessThan": "1.3.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348 Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T22:35:33.029Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack"
},
{
"url": "https://bun.com/blog/bun-v1.3.5"
},
{
"url": "https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-24910",
"datePublished": "2026-01-27T22:26:26.801Z",
"dateReserved": "2026-01-27T22:26:26.541Z",
"dateUpdated": "2026-01-28T21:19:54.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26927 (GCVE-0-2026-26927)
Vulnerability from cvelistv5 – Published: 2026-04-02 14:01 – Updated: 2026-04-02 14:19
VLAI
Title
URL (HTTP Origin) call location spoofing in Szafir SDK Web
Summary
Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.
In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction.
This issue was fixed in version 0.0.17.4.
Severity
CWE
- CWE-348 - Use of Less Trusted Source
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/04/CVE-2026-26927 | third-party-advisory |
| https://www.elektronicznypodpis.pl/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Krajowa Izba Rozliczeniowa | Szafir SDK Web |
Affected:
0 , < 0.0.17.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26927",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T14:19:08.706495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:19:19.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Szafir SDK Web",
"vendor": "Krajowa Izba Rozliczeniowa",
"versions": [
{
"lessThan": "0.0.17.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Leszczy\u0144ski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSzafir SDK Web\u003c/span\u003e is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\u003cbr\u003eIn \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSzafir SDK Web\u003c/span\u003e it is possible to change the URL (HTTP Origin) of the application call location. \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSzafir SDK Web\u003c/span\u003e browser addon.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker\u0027s website URL and might download \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eadditional files and libraries from that website\u003c/span\u003e.\u003c/span\u003e When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebefore\u003c/span\u003e, the prompt won\u0027t be shown and the application will be called in the context of URL provided by the attacker\u0026nbsp;without any interaction.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 0.0.17.4.\u003cbr\u003e"
}
],
"value": "Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\nIn Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u00a0Szafir SDK Web browser addon.\u00a0No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u00a0in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker\u0027s website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option before, the prompt won\u0027t be shown and the application will be called in the context of URL provided by the attacker\u00a0without any interaction.\n\nThis issue was fixed in version 0.0.17.4."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348 Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:01:39.075Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/04/CVE-2026-26927"
},
{
"tags": [
"product"
],
"url": "https://www.elektronicznypodpis.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "URL (HTTP Origin) call location spoofing in Szafir SDK Web",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-26927",
"datePublished": "2026-04-02T14:01:39.075Z",
"dateReserved": "2026-02-16T09:01:03.142Z",
"dateUpdated": "2026-04-02T14:19:19.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.