Skip to main content

CWE-349

Acceptance of Extraneous Untrusted Data With Trusted Data

26 CVEs Avg CVSS 7.0 MITRE
3
CRITICAL
12
HIGH
10
MEDIUM
1
LOW
4
POC
0
KEV

Monthly

CVE-2026-41120 CRITICAL Act Now

Remote code execution affects Dell Wyse Management Suite in all versions prior to WMS 5.5 HF1, stemming from the application's acceptance of extraneous untrusted data alongside trusted data (CWE-349). Per the provided CVSS vector (PR:N), a remote unauthenticated attacker could potentially achieve full code execution against the management server, though the Dell description text characterizes the actor as 'low privileged' - a discrepancy worth verifying. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Dell RCE Wyse Management Suite
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-33612 HIGH PATCH This Week

Cache poisoning in PowerDNS Recursor allows a malicious or compromised authoritative DNS server to inject forged records by returning a crafted zone that the resolver ingests through its ZoneToCache feature. Because the poisoned data lands in the shared recursor cache, all downstream clients can be served attacker-controlled answers, enabling traffic redirection and spoofing. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 7.5 (high) rating reflects high integrity impact with a scope change but high attack complexity.

Information Disclosure Suse
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42960 MEDIUM PATCH This Month

DNS cache poisoning in NLnet Labs Unbound 1.25.0 and earlier allows an adjacent-network attacker to inject malicious resource records into the resolver's cache by exploiting insufficient validation of authority-section RRSets. By attaching forged non-NS RRSets (such as MX records) with accompanying address records in spoofed or fragmented DNS replies, an attacker can trick Unbound into caching poisoned entries when the authority RRSet carries sufficient trust as in-zone delegation data. Publicly available proof-of-concept exploit code exists (CVSS 4.0 E:P); this is a complement fix to CVE-2025-11411, meaning systems that patched the prior vulnerability but have not upgraded to 1.25.1 remain exposed.

Code Injection Suse Red Hat
NVD VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-44572 npm LOW PATCH GHSA Monitor

Cache poisoning in Next.js middleware redirect handling allows attackers to inject a malicious x-nextjs-data request header, causing middleware to replace the standard Location header with an internal x-nextjs-redirect header that browsers ignore. When deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request can poison the cached redirect, resulting in denial of service for that redirect path for all subsequent visitors until cache expiration. Affects Next.js versions 12.2.0-15.5.15 and 16.0.0-16.2.4; vendor-released patches available in 15.5.16 and 16.2.5.

Denial Of Service
NVD GitHub VulDB HeroDevs
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-32162 HIGH PATCH Exploit Likely This Week

Local privilege escalation in Windows COM across Windows 10 (1809, 21H2, 22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows unauthenticated attackers with local access to achieve full system compromise (high confidentiality, integrity, and availability impact) by exploiting acceptance of untrusted data alongside trusted data. CVSS 8.4 reflects the severe impact of complete privilege escalation despite requiring local access. Vendor-released patch available with specific build n

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-35641 npm HIGH PATCH GHSA This Week

Arbitrary code execution in OpenClaw versions prior to 2026.3.24 enables local attackers to execute malicious code during npm package installation by crafting a malicious .npmrc file that overrides the git executable. When npm install runs in the staged package directory with git dependencies, the attacker-controlled .npmrc configuration triggers execution of arbitrary programs specified by the attacker. Exploitation requires user interaction to install the malicious plugin or hook locally. No public exploit identified at time of analysis.

RCE Node.js
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-1642 MEDIUM PATCH This Month

NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers to inject unencrypted data into proxied responses, potentially compromising data integrity. This vulnerability affects NGINX OSS, NGINX Plus, and related products when specific upstream server conditions are present. No patch is currently available for this medium-severity issue.

Nginx Nginx Ingress Controller Nginx Open Source Nginx Instance Manager Nginx Gateway Fabric +3
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-48804 MEDIUM PATCH This Month

A security vulnerability in Acceptance of extraneous untrusted data with trusted data in Windows BitLocker (CVSS 6.8) that allows an unauthorized attacker. Remediation should follow standard vulnerability management procedures.

Microsoft Authentication Bypass Windows 10 1507 Windows 11 23h2 Windows 10 1607 +12
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-46339 MEDIUM POC PATCH This Month

A security vulnerability in FreshRSS (CVSS 4.3). Risk factors: public PoC available. Vendor patch is available.

Information Disclosure Debian Freshrss
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-20255 MEDIUM This Month

A vulnerability in client join services of Cisco Webex Meetings could allow an unauthenticated, remote attacker to manipulate cached HTTP responses within the meeting join service. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cisco Webex Meetings
NVD
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution affects Dell Wyse Management Suite in all versions prior to WMS 5.5 HF1, stemming from the application's acceptance of extraneous untrusted data alongside trusted data (CWE-349). Per the provided CVSS vector (PR:N), a remote unauthenticated attacker could potentially achieve full code execution against the management server, though the Dell description text characterizes the actor as 'low privileged' - a discrepancy worth verifying. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Dell RCE Wyse Management Suite
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cache poisoning in PowerDNS Recursor allows a malicious or compromised authoritative DNS server to inject forged records by returning a crafted zone that the resolver ingests through its ZoneToCache feature. Because the poisoned data lands in the shared recursor cache, all downstream clients can be served attacker-controlled answers, enabling traffic redirection and spoofing. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 7.5 (high) rating reflects high integrity impact with a scope change but high attack complexity.

Information Disclosure Suse
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

DNS cache poisoning in NLnet Labs Unbound 1.25.0 and earlier allows an adjacent-network attacker to inject malicious resource records into the resolver's cache by exploiting insufficient validation of authority-section RRSets. By attaching forged non-NS RRSets (such as MX records) with accompanying address records in spoofed or fragmented DNS replies, an attacker can trick Unbound into caching poisoned entries when the authority RRSet carries sufficient trust as in-zone delegation data. Publicly available proof-of-concept exploit code exists (CVSS 4.0 E:P); this is a complement fix to CVE-2025-11411, meaning systems that patched the prior vulnerability but have not upgraded to 1.25.1 remain exposed.

Code Injection Suse Red Hat
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Cache poisoning in Next.js middleware redirect handling allows attackers to inject a malicious x-nextjs-data request header, causing middleware to replace the standard Location header with an internal x-nextjs-redirect header that browsers ignore. When deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request can poison the cached redirect, resulting in denial of service for that redirect path for all subsequent visitors until cache expiration. Affects Next.js versions 12.2.0-15.5.15 and 16.0.0-16.2.4; vendor-released patches available in 15.5.16 and 16.2.5.

Denial Of Service
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 8.4
HIGH PATCH Exploit Likely This Week

Local privilege escalation in Windows COM across Windows 10 (1809, 21H2, 22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows unauthenticated attackers with local access to achieve full system compromise (high confidentiality, integrity, and availability impact) by exploiting acceptance of untrusted data alongside trusted data. CVSS 8.4 reflects the severe impact of complete privilege escalation despite requiring local access. Vendor-released patch available with specific build n

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary code execution in OpenClaw versions prior to 2026.3.24 enables local attackers to execute malicious code during npm package installation by crafting a malicious .npmrc file that overrides the git executable. When npm install runs in the staged package directory with git dependencies, the attacker-controlled .npmrc configuration triggers execution of arbitrary programs specified by the attacker. Exploitation requires user interaction to install the malicious plugin or hook locally. No public exploit identified at time of analysis.

RCE Node.js
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers to inject unencrypted data into proxied responses, potentially compromising data integrity. This vulnerability affects NGINX OSS, NGINX Plus, and related products when specific upstream server conditions are present. No patch is currently available for this medium-severity issue.

Nginx Nginx Ingress Controller Nginx Open Source +5
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

A security vulnerability in Acceptance of extraneous untrusted data with trusted data in Windows BitLocker (CVSS 6.8) that allows an unauthorized attacker. Remediation should follow standard vulnerability management procedures.

Microsoft Authentication Bypass Windows 10 1507 +14
NVD
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

A security vulnerability in FreshRSS (CVSS 4.3). Risk factors: public PoC available. Vendor patch is available.

Information Disclosure Debian Freshrss
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

A vulnerability in client join services of Cisco Webex Meetings could allow an unauthenticated, remote attacker to manipulate cached HTTP responses within the meeting join service. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cisco Webex Meetings
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy