CWE-942Permissive Cross-domain Security Policy with Untrusted Domains

Abstraction: Variant · CVEs in our corpus: 85

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (0)AI

Control	Title	Family	Why it addresses this CWE
No NIST controls proposed yet.

Top CVEs of this weakness type, ranked by Risk Priority

CVE	Risk	CVSS	EPSS	Published
`CVE-2022-31736`	2.0	9.8	0.0023	2022-12-22
`CVE-2022-26969`	2.0	9.8	0.0091	2022-12-26
`CVE-2026-22812`	2.0	8.8	0.0355	2026-01-12
`CVE-2024-25124`	1.9	9.4	0.0050	2024-02-21
`CVE-2026-28792`	1.9	9.6	0.0042	2026-03-12
`CVE-2026-30924`	1.9	9.6	0.0005	2026-03-19
`CVE-2026-34449`	1.9	9.6	0.0015	2026-03-31
`CVE-2021-34435`	1.8	8.8	0.0012	2021-09-01
`CVE-2023-38125`	1.8	8.8	0.0066	2024-05-03
`CVE-2024-37131`	1.8	7.5	0.0441	2024-06-13
`CVE-2024-11071`	1.8	8.8	0.0008	2025-04-07
`CVE-2026-1181`	1.8	9.0	0.0002	2026-01-19
`CVE-2026-34227`	1.8	8.8	0.0002	2026-03-31
`CVE-2024-41657`	1.7	8.1	0.0129	2024-08-20
`CVE-2023-23464`	1.6	8.1	0.0023	2023-02-15
`CVE-2023-46098`	1.6	8.0	0.0019	2023-11-14
`CVE-2024-41659`	1.6	8.1	0.0019	2024-08-20
`CVE-2025-43480`	1.6	8.1	0.0004	2025-11-04
`CVE-2025-13017`	1.6	8.1	0.0003	2025-11-11
`CVE-2025-13019`	1.6	8.1	0.0003	2025-11-11
`CVE-2026-32610`	1.6	8.1	0.0005	2026-03-18
`CVE-2026-33043`	1.6	8.1	0.0002	2026-03-20
`CVE-2026-33010`	1.6	8.1	0.0002	2026-03-20
`CVE-2026-41056`	1.6	8.1	0.0006	2026-04-21
`CVE-2022-47717`	1.5	7.5	0.0027	2023-02-01