CWE-345: Insufficient Verification of Data Authenticity — known CVE vulnerabilities
CVEs classified under CWE-345 (Insufficient Verification of Data Authenticity), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-35051 — CVSS 10.0 (critical): Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass…
CVE-2014-8165 — CVSS 10.0 (critical): scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to…
CVE-2026-50195 — CVSS 9.9 (critical): containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint…
CVE-2022-36130 — CVSS 9.9 (critical): HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct…
CVE-2026-50214 — CVSS 9.8 (critical): The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of…
CVE-2025-15385 — CVSS 9.8 (critical): Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows Authentication Bypass.This issue…
CVE-2025-8038 — CVSS 9.8 (critical): Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR…
CVE-2025-1945 — CVSS 9.8 (critical): picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified…
CVE-2024-45410 — CVSS 9.8 (critical): Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as…
CVE-2024-23601 — CVSS 9.8 (critical): A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted…
CVE-2024-1554 — CVSS 9.8 (critical): The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may…
CVE-2023-36139 — CVSS 9.8 (critical): In PHPJabbers Cleaning Business Software 1.0, lack of verification when changing an email address and/or password (on the Profile Page)…
CVE-2023-36134 — CVSS 9.8 (critical): In PHP Jabbers Class Scheduling System 1.0, lack of verification when changing an email address and/or password (on the Profile Page)…
CVE-2023-25178 — CVSS 9.8 (critical): Controller may be loaded with malicious firmware which could enable remote code execution. See Honeywell Security Notification for…
CVE-2023-2987 — CVSS 9.8 (critical): The Wordapp plugin for WordPress is vulnerable to authorization bypass due to an use of insufficiently unique cryptographic signature on…
CVE-2023-27748 — CVSS 9.8 (critical): BlackVue DR750-2CH LTE v.1.012_2022.10.26 does not employ authenticity check for uploaded firmware. This can allow attackers to upload…
CVE-2021-4226 — CVSS 9.8 (critical): RSFirewall tries to identify the original IP address by looking at different HTTP headers. A bypass is possible due to the way it is…
CVE-2022-30264 — CVSS 9.8 (critical): The Emerson ROC and FloBoss RTU product lines through 2022-05-02 perform insecure filesystem operations. They utilize the ROC protocol…
CVE-2022-30315 — CVSS 9.8 (critical): Honeywell Experion PKS Safety Manager (SM and FSC) through 2022-05-06 has Insufficient Verification of Data Authenticity. According to…
CVE-2022-29958 — CVSS 9.8 (critical): JTEKT TOYOPUC PLCs through 2022-04-29 do not ensure data integrity. They utilize the unauthenticated CMPLink/TCP protocol for engineering…
CVE-2022-31801 — CVSS 9.8 (critical): An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full…
CVE-2022-31800 — CVSS 9.8 (critical): An unauthenticated, remote attacker could upload malicious logic to devices based on ProConOS/ProConOS eCLR in order to gain full control…
CVE-2022-31813 — CVSS 9.8 (critical): Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header…
CVE-2020-14115 — CVSS 9.8 (critical): A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection for incoming data…
CVE-2021-29655 — CVSS 9.8 (critical): Pexip Infinity Connect before 1.8.0 omits certain provisioning authenticity checks. Thus, untrusted code may execute.
CVE-2020-7878 — CVSS 9.8 (critical): An arbitrary file download and execution vulnerability was found in the VideoOffice X2.9 and earlier versions (CVE-2020-7878). This issue…
CVE-2021-37421 — CVSS 9.8 (critical): Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.
CVE-2020-28900 — CVSS 9.8 (critical): Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of…
CVE-2020-26547 — CVSS 9.8 (critical): Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. This allows a remote attacker…
CVE-2020-7487 — CVSS 9.8 (critical): A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists which could allow the attacker to execute malicious code on…
CVE-2019-20530 — CVSS 9.8 (critical): An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), P(9.0), and Q(10.0) software. Arbitrary code execution is possible…
CVE-2016-1000004 — CVSS 9.8 (critical): Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue…
CVE-2019-5613 — CVSS 9.8 (critical): In FreeBSD 12.0-RELEASE before 12.0-RELEASE-p13, a missing check in the ipsec packet processor allows reinjection of an old packet to be…
CVE-2019-2289 — CVSS 9.8 (critical): Lack of integrity check allows MODEM to accept any NAS messages which can result into authentication bypass of NAS in Snapdragon Auto…
CVE-2019-18835 — CVSS 9.8 (critical): Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite…
CVE-2019-6695 — CVSS 9.8 (critical): Lack of root file system integrity checking in Fortinet FortiManager VM application images of 6.2.0, 6.0.6 and below may allow an attacker…
CVE-2019-11235 — CVSS 9.8 (critical): FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group…
CVE-2015-3956 — CVSS 9.8 (critical): Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System…
CVE-2026-27510 — CVSS 9.6 (critical): Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable…
CVE-2026-56073 — CVSS 9.4 (critical): Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email…
CVE-2026-25921 — CVSS 9.3 (critical): Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to…
CVE-2025-66016: CGGMP24 is a state-of-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key…
CVE-2015-4674 — CVSS 9.3 (critical): The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows relies on unsigned installer files that are retrieved without use of…
CVE-2014-4936 — CVSS 9.3 (critical): The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer…
CVE-2026-44087 — CVSS 9.1 (critical): Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an…
CVE-2026-43534 — CVSS 9.1 (critical): OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system…