Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-441

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

Parent: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

80 vulnerabilities with CWE-441

CVE-2026-7381 ANALYSIS PENDING

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting

CVE-2026-41365 MEDIUM

OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History

CVE-2026-6993 MEDIUM

go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy

CVE-2026-42043 HIGH

Axios <1.15.1, <0.31.1 - Auth Bypass

CVE-2026-23751 CRITICAL

Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting

CVE-2026-39906 HIGH

Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting

CVE-2026-39961 MEDIUM

Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource

CVE-2026-27124 MEDIUM

FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

CVE-2026-33768 MEDIUM

Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

CVE-2026-0107 HIGH

gmc_ddr_handle_mba_mr_req - Privilege Escalation

CVE-2026-30225 MEDIUM

OliveTin <3000.11.1 - Privilege Escalation

CVE-2026-0021 HIGH

AppInfoBase.java - Privilege Escalation

CVE-2026-0013 HIGH

DocumentsUI - Privilege Escalation

CVE-2026-0008 HIGH

Android - Privilege Escalation

CVE-2026-27624 HIGH

Coturn - Auth Bypass

CVE-2026-24471 CRITICAL

continuity - SSRF

CVE-2026-24470 HIGH

Skipper <0.24.0 - Privilege Escalation

CVE-2025-62718 CRITICAL

Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF

CVE-2025-48646 HIGH

ActivityStarter.java - Privilege Escalation

CVE-2025-48579 HIGH

MediaProvider.java - Privilege Escalation

CVE-2025-64125 CRITICAL

Nuvation Energy nCloud VPN Service - Info Disclosure

CVE-2025-64123 CRITICAL

Nuvation Energy MSC <2.5.1 - SSRF

CVE-2025-68944 MEDIUM

Gitea <1.22.2 - Info Disclosure

CVE-2025-68667 CRITICAL

Conduit <0.10.10 - SSRF

CVE-2025-11393 HIGH

Runtimes-Inventory-Rhel8-Operator - Privilege Escalation

Page 1 of 4 Next

Details

Vulnerabilities 80

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy