The product does not properly verify that the source of data or communication is valid.
556 vulnerabilities with CWE-346
CVE-2026-11178
MEDIUM
Google Chrome < 149.0.7827.53 - Insufficient Policy Enforcement in WebView
CVSS 4.3
CVE-2026-11176
MEDIUM
Google Chrome < 149.0.7827.53 - Cross-Origin Data Leak via Media Component
CVSS 6.5
CVE-2026-11161
MEDIUM
Google Chrome < 149.0.7827.53 - Cross-Origin Data Leak via DataTransfer
CVSS 4.3
CVE-2026-11133
MEDIUM
Google Chrome < 149.0.7827.53 - Same Origin Policy Bypass via Paint Policy Enforcement
CVSS 6.5
CVE-2026-11132
MEDIUM
Google Chrome < 149.0.7827.53 - Same Origin Policy Bypass via Paint Policy Enforcement
CVSS 6.5
CVE-2026-11084
MEDIUM
Google Chrome < 149.0.7827.53 - Cross-Origin Data Leak via Password Manager
CVSS 6.5
CVE-2026-11083
MEDIUM
Google Chrome < 149.0.7827.53 - Cross-Origin Data Leak via Password Manager
CVSS 6.5
CVE-2026-11081
MEDIUM
Google Chrome < 149.0.7827.53 - Same Origin Policy Bypass via Canvas
CVSS 6.5
CVE-2026-11048
MEDIUM
Google Chrome < 149.0.7827.53 - Same Origin Policy Bypass via Malicious Extension
CVSS 6.5
CVE-2026-11036
MEDIUM
Google Chrome < 149.0.7827.53 - Same Origin Policy Bypass via DOM Implementation
CVSS 6.5
CVE-2026-11032
MEDIUM
Google Chrome < 149.0.7827.53 - Cross-Origin Data Leak via Password Manager
CVSS 6.5
CVE-2026-11020
MEDIUM
Google Chrome < 149.0.7827.53 - Cross-Origin Data Leak via Crafted XML File
CVSS 6.5
CVE-2026-10996
MEDIUM
Google Chrome < 149.0.7827.53 - Same Origin Policy Bypass via Workers
CVSS 6.5
CVE-2026-10937
MEDIUM
Google Chrome < 149.0.7827.53 - Same Origin Policy Bypass via Passwords Component
CVSS 6.5
CVE-2026-6657
MEDIUM
CORS Origin Validation Bypass in jupyter-server
CVSS 6.1
CVE-2026-47265
HIGH
AIOHTTP vulnerable to cross-origin redirect with per-request cookies
CVSS 7.5
CVE-2026-34460
MEDIUM
NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping
CVSS 5.4
CVE-2026-44649
CRITICAL
SillyTavern: Authentication Bypass via SSO Header Injection
CVSS 9.8
CVE-2026-44698
HIGH
Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection
CVSS 8.3
CVE-2026-9989
MEDIUM
Google Chrome < 148.0.7778.216 - Same Origin Policy Bypass via Crafted Video File
CVSS 6.3
CVE-2026-10010
MEDIUM
Google Chrome < 148.0.7778.216 - Site Isolation Bypass via Crafted HTML Page
CVSS 5.0
CVE-2026-46685
MEDIUM
RustFS: Reflective CORS with credentials on S3 listener; unauthenticated license metadata endpoint on console
CVE-2026-45021
MEDIUM
Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
CVE-2026-44985
CRITICAL
Dozzle: Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpoints bypasses authentication
CVSS 9.6
CVE-2026-42901
CRITICAL
Microsoft Entra ID Elevation of Privilege Vulnerability
CVSS 10.0