CVE-2026-10056

🗓️ 29 May 2026 08:04:59Reported by NXType

cve🔗 web.nvd.nist.gov👁 13 Views🌐 WEB

CORS misconfiguration in Nx Witness VMS enables session token theft in Standard mode; upgrade to 6.1.2 or set credentials false.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-10056	29 May 202608:04	–	attackerkb
Circl	CVE-2026-10056	31 May 202602:00	–	circl
CNNVD	Network Optix Nx Witness VMS 安全漏洞	29 May 202600:00	–	cnnvd
Cvelist	CVE-2026-10056 CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request	29 May 202608:04	–	cvelist
EUVD	EUVD-2026-33262	29 May 202608:04	–	euvd
NVD	CVE-2026-10056	29 May 202609:16	–	nvd
Positive Technologies	PT-2026-44762	29 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-10056	5 Jun 202619:19	–	redhatcve
Vulnrichment	CVE-2026-10056 CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request	29 May 202608:04	–	vulnrichment

[
  {
    "vendor": "Network Optix",
    "product": "Nx Witness VMS",
    "platforms": [
      "Linux",
      "Windows",
      "MacOS"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "6.1.2",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
support	www.support.networkoptix.com/hc/en-us/articles/39254208939159-How-to-Enable-CORS-Validation

Parameter	Position	Path	Description	CWE
supportedOrigins	request body	/rest/v2/system/settings	CORS misconfiguration allows an unauthenticated remote attacker to steal the session token and perform Administrator Account Takeover via a malicious cross-origin page; mitigation is to set Access-Control-Allow-Credentials to false with body {"supportedOrigins": "null"} or upgrade/security level.	CWE-942

17 Jun 2026 10:11Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.17.5

EPSS0.00264

SSVC

CWE-942