The product does not properly verify that the source of data or communication is valid.
View on MITREAn attacker can access any functionality that is inadvertently accessible to the source.
No mitigation information available for this CWE.
No detection method information available for this CWE.
This Android application will remove a user account when it receives an intent to do so:
This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:
A call into native code can then be initiated by passing parameters within the URL:
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:
A call into native code can then be initiated by passing parameters within the URL:
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:
A call into native code can then be initiated by passing parameters within the URL:
DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
View DetailsBrowser does not set Mark-of-the-Web (MotW) for a downloaded .EXE file if the name is close to the maximum path length, preventing recording of a zone identifier in the filename
View DetailsZip file extraction program does not propagate Mark-of-the-Web (MotW) metadata to files that are extracted from an Internet-downloaded Zip file
View DetailsZip file extraction program does not propagate Mark-of-the-Web (MotW) metadata to files that are extracted from an Internet-downloaded Zip file
View DetailsDNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
View DetailsLDAP service does not verify if a particular attribute was set by the LDAP server
View Detailsproduct does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements.
View Detailsproduct records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.
View DetailsCWE-346: Origin Validation Error is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly verify that the source of data or communication is valid.
If exploited, CWE-346 (Origin Validation Error) it can compromise Access Control and Other, leading to outcomes such as Gain Privileges or Assume Identity and Varies by Context.
CWE-346 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-346, including CVE-2000-1218, CVE-2018-6074, CVE-2025-0411, CVE-2025-46652 and CVE-2005-0877. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-346 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.