Skip to main content

CWE-345

Insufficient Verification of Data Authenticity

448 CVEs Avg CVSS 6.9 MITRE
55
CRITICAL
182
HIGH
188
MEDIUM
23
LOW
81
POC
2
KEV

Monthly

CVE-2026-62215 MEDIUM PATCH This Month

Authentication bypass in OpenClaw before 2026.6.5 enables lower-trust network callers to forge A2UI actions that require higher authorization by submitting crafted HTTP Canvas responses through configured input paths. The flaw (CWE-345: Insufficient Verification of Data Authenticity) allows an attacker to subvert OpenClaw's trust hierarchy and execute privileged actions on downstream systems (SC:H/SI:H per CVSS 4.0), without any direct impact on the OpenClaw instance itself. No public exploit has been identified and the vulnerability is not in the CISA KEV catalog; the CVSS 4.0 score of 5.1 reflects significant real-world constraints from high attack complexity and required user interaction.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-44434 MEDIUM This Month

Stateless reset injection in Quicly, the IETF QUIC implementation embedded in the H2O HTTP server, allows an on-path network attacker to abruptly terminate any active QUIC connection by sending an all-zero packet. The root cause is that Quicly zero-initializes its four stateless reset token slots but never validates which slots hold legitimate peer-advertised tokens, causing the all-zero default to be accepted as a valid reset signal whenever the peer has advertised fewer than four tokens. No public exploit code or active exploitation has been identified at time of analysis; however, the attack is mechanically straightforward for any adversary already positioned on the network path.

Code Injection Quicly
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-53536 MEDIUM PATCH This Month

Cross-tenant step-file disclosure in Activepieces before 0.83.0 allows any authenticated user on a shared instance to retrieve a workflow step-file attachment belonging to a different tenant by exploiting two compounding defects in the `/v1/step-files/signed` download endpoint: a missing JWT audience check and an unguarded null fileId that causes PostgreSQL to return an arbitrary FLOW_STEP_FILE record. Access is strictly read-only and non-targeted - the attacker cannot choose which tenant's file is returned, as the result depends on PostgreSQL's internal scan order at query time. No public exploit has been identified and no active exploitation is listed in CISA KEV; the vulnerability is patched in version 0.83.0.

Information Disclosure PostgreSQL
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-48799 HIGH PATCH This Week

Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.8 lets a low-privileged authenticated user grant any organization a lifetime PRO subscription without paying. The Nowpayments IPN (Instant Payment Notification) callback handler never validated the provider's shared-secret signature and trusted the subscription/organization identifier straight from the request body, so an attacker could forge a payment-confirmation callback. No public exploit identified at time of analysis and the issue is not in CISA KEV; it was privately reported and fixed by removing the crypto-payment code path entirely.

Information Disclosure Postiz App
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-11901 MEDIUM This Month

Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbitrary hotel reservations as fully paid without submitting genuine payment. The PayPal IPN handler `web_hook_process_paypal_standard()` accepts an attacker-controlled `test_ipn=1` parameter that silently reroutes IPN validation to PayPal's sandbox environment, where a free sandbox account returns a legitimate 'VERIFIED' response; the handler then promotes any pending booking to completed while skipping critical post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness. No public exploit is identified at time of analysis, but the attack requires only a free PayPal sandbox account, making it nearly zero-cost for any motivated attacker.

WordPress Information Disclosure Wp Hotel Booking
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-54174 Go HIGH PATCH GHSA This Week

Integrity bypass in Chainguard's apko (and the shared logic in melange) allows a network attacker to swap the actual installed contents of an apk package while its signature check still passes, because apko validated only the control-section hash (.PKGINFO) against the signed APKINDEX and never verified the data-section hash. Anyone able to compromise a package mirror, poison a fetch cache, or MITM the download can therefore inject arbitrary files into images built with these tools. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 3.1
8.3
CVE-2026-49834 Go MEDIUM PATCH GHSA This Month

Threshold counting logic in sigstore-go's multi-log verification policy is bypassable by a single compromised transparency or CT log. When a verifier is configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1), the intended defense-in-depth - requiring N distinct log authorities to independently vouch for an artifact - fails because counts accumulate per-entry or per-validation-path rather than per-log-authority. An attacker controlling one compromised Rekor transparency log or CT log can forge multiple entries with distinct indices, or present multiple embedded SCTs across certificate chains, artificially satisfying an N-count threshold with a single compromised source. No public exploit has been identified at time of analysis, and EPSS data is not available in the provided intelligence.

Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-53961 MEDIUM PATCH This Month

Discourse's AWS SES bounce webhook endpoint (POST /webhooks/aws) validates Amazon SNS message signatures but omits TopicArn binding, allowing any AWS account holder to publish legitimately signed forged Bounce notifications that revoke a targeted Discourse user's email address. Versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 across all active release branches are affected when the SES integration is enabled. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the low attack complexity and absence of Discourse-side authentication requirements make targeted abuse realistic for any motivated actor with an AWS account.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59930 PyPI MEDIUM PATCH This Month

Predictable heading anchor ID generation in Mistune's toc plugin (all versions prior to 3.3.0) enables same-page navigation hijacking when untrusted Markdown content is rendered. The library assigns sequential numeric identifiers (toc_0, toc_1, etc.) to headings without incorporating heading text, so any party able to inject raw HTML containing a matching id attribute can pre-empt the generated anchor and redirect table-of-contents link targets, CSS selectors, or JavaScript DOM event handlers. No public exploit identified at time of analysis, though the deterministic ID scheme makes collision trivial to engineer once content injection is possible.

Python Information Disclosure Mistune
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-54496 Cargo CRITICAL PATCH GHSA Act Now

Proof-system soundness bypass in the Zcash Orchard shielded pool lets a malicious prover forge valid zero-knowledge proofs that satisfy the diversified-address-integrity check pk_d = [ivk] g_d for arbitrary key triples, breaking the binding between an Action and the note's real incoming viewing key, nullifier, and spend authorizing key. The flaw enables an undetectable double-spend within the Orchard pool (bounded only by Zcash's turnstile supply limit) and, given knowledge of a note plaintext, theft of another user's funds by forging spend authorization. No public exploit is identified and there is no evidence of exploitation before remediation, but the bug was live in consensus since NU5 (May 31, 2022) and was fixed via the NU6.2 hard fork on June 3, 2026.

Information Disclosure
NVD GitHub
CVSS 3.1
9.3
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Authentication bypass in OpenClaw before 2026.6.5 enables lower-trust network callers to forge A2UI actions that require higher authorization by submitting crafted HTTP Canvas responses through configured input paths. The flaw (CWE-345: Insufficient Verification of Data Authenticity) allows an attacker to subvert OpenClaw's trust hierarchy and execute privileged actions on downstream systems (SC:H/SI:H per CVSS 4.0), without any direct impact on the OpenClaw instance itself. No public exploit has been identified and the vulnerability is not in the CISA KEV catalog; the CVSS 4.0 score of 5.1 reflects significant real-world constraints from high attack complexity and required user interaction.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Stateless reset injection in Quicly, the IETF QUIC implementation embedded in the H2O HTTP server, allows an on-path network attacker to abruptly terminate any active QUIC connection by sending an all-zero packet. The root cause is that Quicly zero-initializes its four stateless reset token slots but never validates which slots hold legitimate peer-advertised tokens, causing the all-zero default to be accepted as a valid reset signal whenever the peer has advertised fewer than four tokens. No public exploit code or active exploitation has been identified at time of analysis; however, the attack is mechanically straightforward for any adversary already positioned on the network path.

Code Injection Quicly
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-tenant step-file disclosure in Activepieces before 0.83.0 allows any authenticated user on a shared instance to retrieve a workflow step-file attachment belonging to a different tenant by exploiting two compounding defects in the `/v1/step-files/signed` download endpoint: a missing JWT audience check and an unguarded null fileId that causes PostgreSQL to return an arbitrary FLOW_STEP_FILE record. Access is strictly read-only and non-targeted - the attacker cannot choose which tenant's file is returned, as the result depends on PostgreSQL's internal scan order at query time. No public exploit has been identified and no active exploitation is listed in CISA KEV; the vulnerability is patched in version 0.83.0.

Information Disclosure PostgreSQL
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.8 lets a low-privileged authenticated user grant any organization a lifetime PRO subscription without paying. The Nowpayments IPN (Instant Payment Notification) callback handler never validated the provider's shared-secret signature and trusted the subscription/organization identifier straight from the request body, so an attacker could forge a payment-confirmation callback. No public exploit identified at time of analysis and the issue is not in CISA KEV; it was privately reported and fixed by removing the crypto-payment code path entirely.

Information Disclosure Postiz App
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbitrary hotel reservations as fully paid without submitting genuine payment. The PayPal IPN handler `web_hook_process_paypal_standard()` accepts an attacker-controlled `test_ipn=1` parameter that silently reroutes IPN validation to PayPal's sandbox environment, where a free sandbox account returns a legitimate 'VERIFIED' response; the handler then promotes any pending booking to completed while skipping critical post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness. No public exploit is identified at time of analysis, but the attack requires only a free PayPal sandbox account, making it nearly zero-cost for any motivated attacker.

WordPress Information Disclosure Wp Hotel Booking
NVD VulDB
CVSS 8.3
HIGH PATCH This Week

Integrity bypass in Chainguard's apko (and the shared logic in melange) allows a network attacker to swap the actual installed contents of an apk package while its signature check still passes, because apko validated only the control-section hash (.PKGINFO) against the signed APKINDEX and never verified the data-section hash. Anyone able to compromise a package mirror, poison a fetch cache, or MITM the download can therefore inject arbitrary files into images built with these tools. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 5.9
MEDIUM PATCH This Month

Threshold counting logic in sigstore-go's multi-log verification policy is bypassable by a single compromised transparency or CT log. When a verifier is configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1), the intended defense-in-depth - requiring N distinct log authorities to independently vouch for an artifact - fails because counts accumulate per-entry or per-validation-path rather than per-log-authority. An attacker controlling one compromised Rekor transparency log or CT log can forge multiple entries with distinct indices, or present multiple embedded SCTs across certificate chains, artificially satisfying an N-count threshold with a single compromised source. No public exploit has been identified at time of analysis, and EPSS data is not available in the provided intelligence.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Discourse's AWS SES bounce webhook endpoint (POST /webhooks/aws) validates Amazon SNS message signatures but omits TopicArn binding, allowing any AWS account holder to publish legitimately signed forged Bounce notifications that revoke a targeted Discourse user's email address. Versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 across all active release branches are affected when the SES integration is enabled. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the low attack complexity and absence of Discourse-side authentication requirements make targeted abuse realistic for any motivated actor with an AWS account.

Information Disclosure Discourse
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Predictable heading anchor ID generation in Mistune's toc plugin (all versions prior to 3.3.0) enables same-page navigation hijacking when untrusted Markdown content is rendered. The library assigns sequential numeric identifiers (toc_0, toc_1, etc.) to headings without incorporating heading text, so any party able to inject raw HTML containing a matching id attribute can pre-empt the generated anchor and redirect table-of-contents link targets, CSS selectors, or JavaScript DOM event handlers. No public exploit identified at time of analysis, though the deterministic ID scheme makes collision trivial to engineer once content injection is possible.

Python Information Disclosure Mistune
NVD GitHub
CVSS 9.3
CRITICAL PATCH Act Now

Proof-system soundness bypass in the Zcash Orchard shielded pool lets a malicious prover forge valid zero-knowledge proofs that satisfy the diversified-address-integrity check pk_d = [ivk] g_d for arbitrary key triples, breaking the binding between an Action and the note's real incoming viewing key, nullifier, and spend authorizing key. The flaw enables an undetectable double-spend within the Orchard pool (bounded only by Zcash's turnstile supply limit) and, given knowledge of a note plaintext, theft of another user's funds by forging spend authorization. No public exploit is identified and there is no evidence of exploitation before remediation, but the bug was live in consensus since NU5 (May 31, 2022) and was fixed via the NU6.2 hard fork on June 3, 2026.

Information Disclosure
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy