Common Weakness Enumeration

CWE-138

Discouraged

Improper Neutralization of Special Elements

Abstraction: Class · Status: Draft

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

24 vulnerabilities reference this CWE, most recent first.

GHSA-MQ4M-G352-XM82

Vulnerability from github – Published: 2023-09-01 12:30 – Updated: 2024-04-04 07:21
VLAI
Details

An issue has been discovered in GitLab affecting all versions starting from 4.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 where it was possible to create a URL that would redirect to a different project.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-138",
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-01T11:15:40Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab affecting all versions starting from 4.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 where it was possible to create a URL that would redirect to a different project.",
  "id": "GHSA-mq4m-g352-xm82",
  "modified": "2024-04-04T07:21:09Z",
  "published": "2023-09-01T12:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1279"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1889230"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/395437"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q43X-79JR-CQ98

Vulnerability from github – Published: 2025-07-03 16:59 – Updated: 2025-07-03 18:50
VLAI
Summary
tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript
Details

A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element such as:

<img name="currentScript" src="https://malicious.example.com">

it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the tag, leading to unexpected behavior or failure to load the script path correctly.

This issue arises because in some browser environments, named DOM elements (e.g., name="currentScript") become properties on the global document object.

Impact

An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron.

Fix https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3

The issue was resolved by verifying that document.currentScript is an instance of HTMLScriptElement. If not, the script now falls back safely to the last tag on the page.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "tarteaucitronjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-138"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-03T16:59:09Z",
    "nvd_published_at": "2025-07-03T17:15:39Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual `\u003cscript\u003e` element. If an attacker injected an HTML element such as:\n\n```\n\u003cimg name=\"currentScript\" src=\"https://malicious.example.com\"\u003e\n```\n\nit could clobber the document.currentScript property. This causes the script to resolve incorrectly to an \u003cimg\u003e element instead of the \u003cscript\u003e tag, leading to unexpected behavior or failure to load the script path correctly.\n\nThis issue arises because in some browser environments, named DOM elements (e.g., name=\"currentScript\") become properties on the global document object.\n\n## Impact\nAn attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron.\n\n## Fix https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3\nThe issue was resolved by verifying that document.currentScript is an instance of HTMLScriptElement. If not, the script now falls back safely to the last \u003cscript\u003e tag on the page.",
  "id": "GHSA-q43x-79jr-cq98",
  "modified": "2025-07-03T18:50:09Z",
  "published": "2025-07-03T16:59:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q43x-79jr-cq98"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48939"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AmauriC/tarteaucitron.js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript"
}

GHSA-QF54-2QX8-3VCV

Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2025-11-04 00:30
VLAI
Details

Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17554.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-138"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:50Z",
    "severity": "HIGH"
  },
  "details": "Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17554.",
  "id": "GHSA-qf54-2qx8-3vcv",
  "modified": "2025-11-04T00:30:48Z",
  "published": "2024-05-03T03:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42117"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00029.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1471"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMWF-M9C5-3JVC

Vulnerability from github – Published: 2026-04-14 23:27 – Updated: 2026-04-14 23:27
VLAI
Summary
Microsoft Security Advisory CVE-2026-32178 – .NET Spoofing Vulnerability
Details

Executive Summary:

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in System.Net.Mail where specially crafted data allows an unauthorized attacker to perform a spoofing attack over the network.

Announcement

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/12345

CVSS Details

  • Version: 3.1
  • Severity: High
  • Score: 7.5
  • Vector: 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
  • Weakness: CWE-138: Improper Neutralization of Special Elements

Affected Platforms

  • Platforms: All
  • Architectures: All

Affected Packages

The vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below

.NET 8

Package name Affected version Patched version
Microsoft.NetCore.App.Runtime.linux-arm >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.linux-arm64 >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.linux-musl-arm >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.linux-musl-arm64 >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.linux-musl-x64 >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.linux-x64 >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.osx-arm64 >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.osx-x64 >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.win-arm >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.win-arm64 >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.win-x64 >= 8.0.0, <= 8.0.25 8.0.26
Microsoft.NetCore.App.Runtime.win-x86 >= 8.0.0, <= 8.0.25 8.0.26

.NET 9

Package name Affected version Patched version
Microsoft.NetCore.App.Runtime.linux-arm >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.linux-arm64 >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.linux-musl-arm >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.linux-musl-arm64 >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.linux-musl-x64 >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.linux-x64 >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.osx-arm64 >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.osx-x64 >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.win-arm >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.win-arm64 >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.win-x64 >= 9.0.0, <= 9.0.14 9.0.15
Microsoft.NetCore.App.Runtime.win-x86 >= 9.0.0, <= 9.0.14 9.0.15

.NET 10

Package name Affected version Patched version
Microsoft.NetCore.App.Runtime.linux-arm >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.linux-arm64 >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.linux-musl-arm >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.linux-musl-arm64 >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.linux-musl-x64 >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.linux-x64 >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.osx-arm64 >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.osx-x64 >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.win-arm >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.win-arm64 >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.win-x64 >= 10.0.0, <= 10.0.5 10.0.6
Microsoft.NetCore.App.Runtime.win-x86 >= 10.0.0, <= 10.0.5 10.0.6

Advisory FAQ

How do I know if I am affected?

If using a package listed in affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  1. To fix the issue please install the latest version of .NET 8.0, NET 9.0, or .NET 10.0, as appropriate. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  2. If your application references the vulnerable package, update the package reference to the patched version. You can list the versions you have installed by running the dotnet --info command.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the MSRC Researcher Portal. Further information can be found in the MSRC Report an Issue FAQ.

Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

CVE-2026-32178

Acknowledgements

Ludvig Pedersen

Revisions

V1.0 (April 14, 2026): Advisory published.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-musl-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-musl-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-musl-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.osx-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.osx-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.5"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-musl-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-musl-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-musl-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.osx-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.osx-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.14"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-musl-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-musl-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-musl-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.osx-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.osx-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.25"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32178"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-138"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:27:52Z",
    "nvd_published_at": "2026-04-14T18:17:20Z",
    "severity": "LOW"
  },
  "details": "## Executive Summary: \n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nA vulnerability exists in System.Net.Mail where specially crafted data allows an unauthorized attacker to perform a spoofing attack over the network.\n\n## Announcement\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/12345\n\n## CVSS Details\n\n- **Version:** 3.1\n- **Severity:** High\n- **Score:** 7.5\n- **Vector:** 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C\n- **Weakness:** CWE-138: Improper Neutralization of Special Elements\n\n## Affected Platforms\n\n- **Platforms:** All\n- **Architectures:** All\n\n## \u003ca name=\"affected-packages\"\u003e\u003c/a\u003eAffected Packages\nThe vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below\n\n\n### \u003ca name=\".NET 8\"\u003e\u003c/a\u003e.NET 8\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm)               | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm64)           | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm)     | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm64) | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-x64)     | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-x64)               | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-arm64)               | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-x64)                   | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)                   | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)               | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)                   | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)                   | \u003e= 8.0.0, \u003c= 8.0.25 | 8.0.26\n\n\n### \u003ca name=\".NET 9\"\u003e\u003c/a\u003e.NET 9\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm)               | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm64)           | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm)     | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm64) | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-x64)     | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-x64)               | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-arm64)               | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-x64)                   | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)                   | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)               | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)                   | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)                   | \u003e= 9.0.0, \u003c= 9.0.14 | 9.0.15\n\n### \u003ca name=\".NET 10\"\u003e\u003c/a\u003e.NET 10\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm)               | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm64)           | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm)     | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm64) | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-x64)     | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-x64)               | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-arm64)               | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-x64)                   | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)                   | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)               | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)                   | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)                   | \u003e= 10.0.0, \u003c= 10.0.5 | 10.0.6\n\n## Advisory FAQ\n\n### \u003ca name=\"how-affected\"\u003e\u003c/a\u003eHow do I know if I am affected?\n\nIf using a package listed in [affected packages](#affected-packages), you\u0027re exposed to the vulnerability.\n\n### \u003ca name=\"how-fix\"\u003e\u003c/a\u003eHow do I fix the issue?\n\n1. To fix the issue please install the latest version of .NET 8.0, NET 9.0, or .NET 10.0, as appropriate. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET  SDKs.\n2. If your application references the vulnerable package, update the package reference to the patched version. You can list the versions you have installed by running the `dotnet --info` command.\n\nOnce you have installed the updated runtime or SDK, restart your apps for the update to take effect.\n\nAdditionally, if you\u0027ve deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue).\n\nSecurity reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.\n\n### Support\n\nYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2026-32178]( https://www.cve.org/CVERecord?id=CVE-2026-32178)\n\n### Acknowledgements\n\nLudvig Pedersen\n\n### Revisions\n\nV1.0 (April 14, 2026): Advisory published.",
  "id": "GHSA-vmwf-m9c5-3jvc",
  "modified": "2026-04-14T23:27:52Z",
  "published": "2026-04-14T23:27:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/runtime/security/advisories/GHSA-vmwf-m9c5-3jvc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32178"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/announcements/issues/12345"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dotnet/runtime"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32178"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Microsoft Security Advisory CVE-2026-32178 \u2013 .NET Spoofing Vulnerability "
}

Mitigation
Implementation

Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their product. One defense is to create an allowlist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the allowlist. Properly encode your output, and quote any elements that have special meaning to the component with which you are communicating.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Implementation

Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another.

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Mitigation MIT-28
Implementation

Strategy: Output Encoding

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

CAPEC-105: HTTP Request Splitting

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-34: HTTP Response Splitting

An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.

See CanPrecede relationships for possible consequences.