78 matches found
CVE-2026-6657
A flaw was found in jupyter-server. A remote attacker can bypass Cross-Origin Resource Sharing CORS origin validation when the alloworiginpat configuration is used. This vulnerability allows malicious domains to pass validation against patterns intended for trusted domains. This could lead to...
SUSE CVE-2026-6657
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...
CVE-2026-6657
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...
CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...
CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...
CVE-2026-6657
CVE-2026-6657 affects jupyter-server 1.12.0–2.17.0. Root cause: using re.match() to validate the Origin header in allow_origin_pat, causing attacker-controlled domains like trusted.example.com.evil.com to bypass CORS origin checks. Impact stated across CORS headers, WebSocket connections, referer...
Linux Distros Unpatched Vulnerability : CVE-2026-6657
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is...
CVE-2026-40110
A flaw was found in Jupyter Server. The Origin header validation, which uses Python's re.match function, does not correctly validate incoming origins against allowed patterns. This allows a remote attacker to bypass Cross-Origin Resource Sharing CORS restrictions by crafting a malicious domain th...
CVE-2026-40110 jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...
CVE-2026-40110 jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...
CVE-2026-40110
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...
CVE-2026-40110
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...
EUVD-2026-27510
Jupyter Server has a CORS Origin Validation Bypass via re.match in alloworiginpat from huntr...
Regular Expression without Anchors
Overview Affected versions of this package are vulnerable to Regular Expression without Anchors through the alloworiginpat checks in websocket.py, login.py. An attacker can bypass CORS, WebSocket origin checks, and login redirect validation by supplying an Origin or Referer value that matches the...
Jupyter Server has a CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat` (from huntr)
Jupyter Server uses re.match to validate the Origin header against the alloworiginpat configuration. Since re.match only anchors at the start of the string, an attacker who controls a domain like http://trusted.example.com.evil.com/ passes validation against a pattern intended to match only...
CVE-2026-41057
CVE-2026-41057 affects WWBN AVideo (versions 29.0 and below). The issue arises from two incomplete CORS mitigations: (1) in plugin/API/router.php (lines 4–8) the server unconditionally reflects arbitrary Origin before application code runs, and (2) get.json.php and set.json.php call allowOrigin(t...
CVE-2026-41057 AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8...
PT-2026-34202
Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This...
WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
Summary The CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8 unconditionally reflect any origin before application code runs, and 2...
CVE-2026-34373 Parse Server: GraphQL API endpoint ignores CORS origin restriction
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This...