CWE-345
Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
591 vulnerabilities with CWE-345
CVE-2026-44523
CRITICAL
Note Mark: JWT Secret Weakness allows Full Account Takeover via token forgery
CVSS 10.0
CVE-2026-44308
MEDIUM
Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
CVE-2026-45055
HIGH
CubeCart: Pre-Authenticated Password Reset Link Poisoning via HTTP Host Header
CVSS 8.1
CVE-2026-44999
MEDIUM
OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events
CVSS 5.3
CVE-2026-42575
HIGH
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
CVSS 7.5
CVE-2026-41432
HIGH
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
CVSS 7.1
CVE-2026-42206
MEDIUM
Roadiz OpenID Connect nonce generated but never validated — ID token replay attack
CVE-2026-31835
MEDIUM
Vaultwarden WebAuthn credential metadata tampered before signature verification
CVSS 5.4
CVE-2026-43534
CRITICAL
OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events
CVSS 9.1
CVE-2026-7689
LOW
Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification
CVSS 3.7
CVE-2026-7611
LOW
TRENDnet TEW-821DAP Firmware Update cameo_dev.sh platform_do_upgrade_cameo_dev data authenticity
CVSS 3.7
CVE-2026-7606
LOW
TRENDnet TEW-821DAP Firmware Update new_gui_update_firmware data authenticity
CVSS 3.7
CVE-2026-35051
CRITICAL
Traefik: ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass auth
CVSS 10.0
CVE-2026-6498
MEDIUM
Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter
CVSS 5.3
CVE-2026-6986
LOW
Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification
CVSS 3.7
CVE-2026-6967
MEDIUM
Missing Delegated Metadata Validation in awslabs/tough
CVSS 5.9
CVE-2026-33471
CRITICAL
nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation
CVSS 9.6
CVE-2026-40487
HIGH
Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS
CVSS 8.9
CVE-2026-40323
HIGH
SP1 V6 Recursion Circuit Row-Count Binding Gap
CVSS 7.5
CVE-2026-3446
MEDIUM
Base64 decoding stops at first padded quad by default
CVE-2026-35659
MEDIUM
OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery
CVSS 4.6
CVE-2026-40109
LOW
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
CVSS 3.1
CVE-2026-39411
MEDIUM
LobeHub <2.1.48 webapi Routes - Authentication Bypass
CVSS 5.0
CVE-2026-39366
MEDIUM
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
CVSS 6.5
CVE-2026-39324
CRITICAL
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
CVSS 9.8