CWE-345

Insufficient Verification of Data Authenticity

Parent: CWE-693 - Protection Mechanism Failure

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

552 vulnerabilities with CWE-345
CVE-2026-35051 HIGH
Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth
CVE-2026-6498 MEDIUM
Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter
CVSS 5.3
CVE-2026-6986 LOW
Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification
CVSS 3.7
CVE-2026-6967 MEDIUM
Missing Delegated Metadata Validation in awslabs/tough
CVSS 5.9
CVE-2026-33471 CRITICAL
nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation
CVSS 9.6
CVE-2026-40487 HIGH
Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS
CVSS 8.9
CVE-2026-40323 HIGH
SP1 V6 Recursion Circuit Row-Count Binding Gap
CVE-2026-3446 MEDIUM
Base64 decoding stops at first padded quad by default
CVE-2026-35659 MEDIUM
OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery
CVSS 4.6
CVE-2026-40109 LOW
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
CVSS 3.1
CVE-2026-39411 MEDIUM
LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
CVSS 5.0
CVE-2026-39366 MEDIUM
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
CVSS 6.5
CVE-2026-39324 CRITICAL
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
CVSS 9.8
CVE-2026-3177 MEDIUM
Charitable for WordPress <= 1.8.9.7 - Donation Status Forgery via Missing Stripe Webhook Verification
CVSS 5.3
CVE-2026-35042 HIGH
fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
CVSS 7.5
CVE-2026-35039 CRITICAL
fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
CVSS 9.1
CVE-2026-34778 MEDIUM
Electron: Service worker can spoof executeJavaScript IPC replies
CVSS 5.9
CVE-2026-34061 MEDIUM
nimiq/core-rs-albatross: Macro block proposal interlink bug
CVSS 4.9
CVE-2026-30603 MEDIUM
Qianniao QN-L23PA0904 v20250721.1640 - Privilege Escalation
CVSS 6.8
CVE-2026-33729 CRITICAL
OpenFGA has an Authorization Bypass through cached keys
CVSS 9.8
CVE-2026-4115 LOW
PuTTY Ed25519 Signature ecc-ssh.c eddsa_verify signature verification
CVSS 3.7
CVE-2026-4541 LOW
janmojzis tinyssh Ed25519 Signature crypto_sign_ed25519_tinyssh.c signature verification
CVSS 2.5
CVE-2026-33243 HIGH
barebox: FIT Signature Verification Bypass Vulnerability
CVSS 8.2
CVE-2026-33221 LOW
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload
CVE-2026-33143 HIGH
OneUptime: WhatsApp Webhook Missing Signature Verification
CVSS 7.5