Lucene search
K

80 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:34 a.m.13 views

CVE-2026-6657

A flaw was found in jupyter-server. A remote attacker can bypass Cross-Origin Resource Sharing CORS origin validation when the alloworiginpat configuration is used. This vulnerability allows malicious domains to pass validation against patterns intended for trusted domains. This could lead to...

8.8CVSS5.7AI score0.00197EPSS
Exploits1References4
SUSE CVE
SUSE CVE
added 2026/06/05 3:16 a.m.13 views

SUSE CVE-2026-6657

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

8.8CVSS6AI score0.00197EPSS
Exploits1References3
NVD
NVD
added 2026/06/03 4:16 p.m.11 views

CVE-2026-6657

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

8.8CVSS0.00197EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/03 3:6 p.m.46 views

CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

6.1CVSS0.00197EPSS
Exploits1References1
OSV
OSV
added 2026/06/03 3:6 p.m.2 views

CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

6.1CVSS6.1AI score0.00197EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/06/03 3:6 p.m.12 views

CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

6.1CVSS6AI score0.00197EPSS
Exploits1References1
CVE
CVE
added 2026/06/03 3:6 p.m.30 views

CVE-2026-6657

CVE-2026-6657 affects jupyter-server versions 1.12.0–2.17.0. Root cause: use of re.match() for Origin validation in allow_origin_pat, allowing attacker-controlled domains to bypass CORS checks (e.g., trusted.example.com.evil.com) across CORS headers, WebSocket, referer validation, and login redir...

8.8CVSS6.6AI score0.00197EPSS
Exploits1References1Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/03 12:0 a.m.10 views

Linux Distros Unpatched Vulnerability : CVE-2026-6657

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is...

8.8CVSS6.6AI score0.00197EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/05/18 2:19 p.m.9 views

CVE-2026-40110

A flaw was found in Jupyter Server. The Origin header validation, which uses Python's re.match function, does not correctly validate incoming origins against allowed patterns. This allows a remote attacker to bypass Cross-Origin Resource Sharing CORS restrictions by crafting a malicious domain th...

7.6CVSS5.8AI score0.00333EPSS
Exploits0References7
OSV
OSV
added 2026/05/05 9:29 p.m.1 views

CVE-2026-40110 jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS5.9AI score0.00333EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/05/05 9:29 p.m.44 views

CVE-2026-40110 jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS0.00333EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/05 9:29 p.m.7 views

CVE-2026-40110 jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS5.8AI score0.00333EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2026/05/05 9:29 p.m.12 views

CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS5.8AI score0.00333EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/05 9:29 p.m.12 views

CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS5.8AI score0.00333EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/05/05 4:54 p.m.9 views

Jupyter Server has a CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat` (from huntr)

Jupyter Server uses re.match to validate the Origin header against the alloworiginpat configuration. Since re.match only anchors at the start of the string, an attacker who controls a domain like http://trusted.example.com.evil.com/ passes validation against a pattern intended to match only...

7.6CVSS5.8AI score0.00333EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/05/05 4:54 p.m.10 views

EUVD-2026-27510

Jupyter Server has a CORS Origin Validation Bypass via re.match in alloworiginpat from huntr...

7.6CVSS5.8AI score0.00333EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/05 4:54 p.m.9 views

Regular Expression without Anchors

Overview Affected versions of this package are vulnerable to Regular Expression without Anchors through the alloworiginpat checks in websocket.py, login.py. An attacker can bypass CORS, WebSocket origin checks, and login redirect validation by supplying an Origin or Referer value that matches the...

8.2CVSS5.7AI score0.00333EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/21 10:37 p.m.4 views

CVE-2026-41057 AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8...

7.1CVSS5.9AI score0.00132EPSS
Exploits1References2
CVE
CVE
added 2026/04/21 10:37 p.m.25 views

CVE-2026-41057

CVE-2026-41057 affects WWBN AVideo (versions 29.0 and below). The issue arises from two incomplete CORS mitigations: (1) in plugin/API/router.php (lines 4–8) the server unconditionally reflects arbitrary Origin before application code runs, and (2) get.json.php and set.json.php call allowOrigin(t...

7.1CVSS5.9AI score0.00132EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.9 views

PT-2026-34202

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This...

8.1CVSS5.9AI score0.00335EPSS
Exploits1References5
Rows per page
Query Builder