2746 matches found

NVD
added yesterday, 4 views

CVE-2025-71381

Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...

CVSS 6.9
Exploits: 0, References: 2

CVE
added yesterday, 5 views

CVE-2026-56277

Flowise (pre-3.1.2) exposes a security flaw in its text-to-speech (TTS) endpoint. The endpoint at packages/server/src/controllers/text-to-speech/index.ts sets Access-Control-Allow-Origin to a hardcoded wildcard (*), bypassing the server’s configured CORS policy and enabling cross-origin requests ...

CVSS 6.9 | AI score 5.8
Exploits: 0, References: 2

Cvelist
added yesterday, 16 views

CVE-2026-56277 Flowise - Hardcoded CORS Wildcard in TTS Endpoint

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech TTS generation endpoint packages/server/src/controllers/text-to-speech/index.ts, independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...

CVSS 6.9
Exploits: 0, References: 2

Cvelist
added yesterday, 15 views

CVE-2025-71381 Hono - Vary Header Injection in CORS Middleware

Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...

CVSS 6.9
Exploits: 0, References: 2

Cvelist
added 2 days ago, 34 views

CVE-2026-57957 Papermark 0.22.0 - CORS Misconfiguration in Viewer Upload Endpoint

Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint, which reflects arbitrary request Origins with...

CVSS 4.7 | EPSS 0.0025
Exploits: 0, References: 3

CVE
added 5 days ago, 14 views

CVE-2026-54833

CVE-2026-54833 concerns the WordPress Enable CORS plugin

CVSS 7.4 | AI score 5.8 | EPSS 0.00236
Exploits: 0, References: 1

Cvelist
added 5 days ago, 32 views

CVE-2026-54833 WordPress Enable CORS plugin <= 2.0.3 - Backdoor vulnerability

Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions...

CVSS 7.4 | EPSS 0.00236
Exploits: 0, References: 1

EUVD
added 5 days ago, 4 views

EUVD-2026-39677

Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions...

CVSS 7.4 | AI score 5.8 | EPSS 0.00236
Exploits: 0, References: 1

NVD
added 6 days ago, 9 views

CVE-2026-46608

Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin:...

CVSS 7.4 | EPSS 0.00401
Exploits: 0, References: 2

Cvelist
added 6 days ago, 35 views

CVE-2026-46608 Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)

Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin:...

CVSS 7.4 | EPSS 0.00401
Exploits: 0, References: 2

RedHat Linux
added 6 days ago, 7 views

Important: Red Hat Security Advisory: Red Hat build of Keycloak 26.4.13 Images Security Update

New images are available for Red Hat build of Keycloak 26.4.13 and Red Hat build of Keycloak 26.4.13 Operator, running on OpenShift Container Platform. Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Ha...

CVSS 8.8 | AI score 5.9 | EPSS 0.00495
Exploits: 1, References: 1

RedHat Linux
added 6 days ago, 4 views

keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token (JWT) is used to set the...

CVSS 5.3 | AI score 5.8 | EPSS 0.00253
Exploits: 0, References: 4

EUVD
added 2026/06/23 12:12 p.m., 6 views

EUVD-2026-38429

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...

CVSS 6.9 | AI score 5.9 | EPSS 0.00247
Exploits: 0, References: 2

Github Security Blog
added 2026/06/22 9:27 p.m., 4 views

Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)

Summary: The Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever corsorigins contains more than one entry. An operator who configur...

CVSS 7.4 | AI score 5.9 | EPSS 0.00409
Exploits: 1, References: 3, Affected Software: 1

ATTACKERKB
added 2026/06/22 5:15 p.m., 4 views

CVE-2026-54290

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make...

CVSS 7.1 | AI score 5.9 | EPSS 0.00248
Exploits: 0, References: 2, Affected Software: 1

AstraLinux
added 2026/06/19 11:10 a.m., 5 views

Astra Linux – Vulnerability in Firefox

Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS using DNS rebinding. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1...

CVSS 8.1 | AI score 7.7 | EPSS 0.0042
Exploits: 0, References: 2

AstraLinux
added 2026/06/19 11:10 a.m., 4 views

Astra Linux – Vulnerability in Ceph

A flaw was discovered in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability relates to the injection of HTTP headers via the CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file causes a header injectio...

CVSS 6.5 | AI score 6.5 | EPSS 0.01612
Exploits: 0, References: 1

EUVD
added 2026/06/19 12:31 a.m., 8 views

EUVD-2026-37960

PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's...

CVSS 8.6 | AI score 5.8 | EPSS 0.00504
Exploits: 0, References: 3

CVE
added 2026/06/18 10:12 p.m., 17 views

CVE-2026-56076

CVE-2026-56076 affects PraisonAI before 1.5.128. The vulnerability is cross-origin agent execution via the AGUI endpoint (/agui): the endpoint lacks authentication and returns a wildcard CORS header (Access-Control-Allow-Origin: *). Combined with Starlette's Content-Type-agnostic JSON...

CVSS 8.6 | AI score 5.8 | EPSS 0.00504
Exploits: 0, References: 2

Patchstack
added 2026/06/18 9:25 a.m., 4 views

WordPress Enable CORS plugin <= 2.0.3 - Backdoor vulnerability

Backdoor vulnerability discovered by Ananda Dhakal (Patchstack) in WordPress Plugin Enable CORS versions <= 2.0.3...

CVSS 7.4 | AI score 5.8 | EPSS 0.00236
Exploits: 0, Affected Software: 1