Lucene search
K

2753 matches found

NVD
NVD
added yesterday3 views

CVE-2026-55438

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS0.00216EPSS
Exploits0References7
EUVD
EUVD
added yesterday4 views

EUVD-2026-42151

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS6AI score0.00216EPSS
Exploits0References7
CVE
CVE
added yesterday11 views

CVE-2026-55438

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, subdomain-based proxy would bypass the same-owner CORS check when a workspace-name segment parsed as a UUID. The workspace could be resolved by ID with...

6.8CVSS6AI score0.00216EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56082

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The subdomain-based workspace app proxy allows a bypass of the same-owner Cross-Origin Resource Sharing CO...

5.8CVSS6AI score0.00216EPSS
Exploits0References10
NVD
NVD
added 2026/06/30 11:16 p.m.5 views

CVE-2025-71381

Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...

6.9CVSS0.0028EPSS
Exploits0References2
CVE
CVE
added 2026/06/30 10:8 p.m.9 views

CVE-2026-56277

Flowise (pre-3.1.2) exposes a security flaw in its text-to-speech (TTS) endpoint. The endpoint at packages/server/src/controllers/text-to-speech/index.ts sets Access-Control-Allow-Origin to a hardcoded wildcard (*), bypassing the server’s configured CORS policy and enabling cross-origin requests ...

6.9CVSS5.8AI score0.00136EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/30 10:8 p.m.23 views

CVE-2026-56277 Flowise - Hardcoded CORS Wildcard in TTS Endpoint

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech TTS generation endpoint packages/server/src/controllers/text-to-speech/index.ts, independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...

6.9CVSS0.00136EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/30 10:8 p.m.21 views

CVE-2025-71381 Hono - Vary Header Injection in CORS Middleware

Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...

6.9CVSS0.0028EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/30 7:39 p.m.5 views

CVE-2026-12084

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...

5.4CVSS5.8AI score0.00162EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53967

Name of the Vulnerable Software and Affected Versions IBM DevOps Deploy versions 8.1 through 8.1.2.6 IBM DevOps Deploy versions 8.2 through 8.2.1.0 Description Cross-Origin Resource Sharing CORS, a mechanism that allows restricted resources on a web page to be requested from another domain, is...

7.5CVSS5.9AI score0.00162EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/29 5:23 p.m.36 views

CVE-2026-57957 Papermark 0.22.0 - CORS Misconfiguration in Viewer Upload Endpoint

Papermark through 0.22.0 contains a cross-origin resource sharing CORS misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with...

4.7CVSS0.0025EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/26 2:52 p.m.4 views

EUVD-2026-39677

Unauthenticated Backdoor in Enable CORS = 2.0.3 versions...

7.4CVSS5.8AI score0.00236EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 2:52 p.m.32 views

CVE-2026-54833 WordPress Enable CORS plugin <= 2.0.3 - Backdoor vulnerability

Unauthenticated Backdoor in Enable CORS = 2.0.3 versions...

7.4CVSS0.00236EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 2:52 p.m.17 views

CVE-2026-54833

CVE-2026-54833 concerns the WordPress Enable CORS plugin

7.4CVSS5.8AI score0.00236EPSS
Exploits0References1
NVD
NVD
added 2026/06/25 7:16 p.m.9 views

CVE-2026-46608

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server glances -s introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin:...

7.4CVSS0.00401EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/06/25 6:5 p.m.4 views

CVE-2026-46608 Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server glances -s introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin:...

7.4CVSS5.8AI score0.00409EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/25 6:5 p.m.39 views

CVE-2026-46608 Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server glances -s introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin:...

7.4CVSS0.00401EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2026/06/25 5:40 p.m.7 views

Important: Red Hat Security Advisory: Red Hat build of Keycloak 26.4.13 Images Security Update

New images are available for Red Hat build of Keycloak 26.4.13 and Red Hat build of Keycloak 26.4.13 Operator, running on OpenShift Container Platform Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Ha...

8.8CVSS5.9AI score0.00519EPSS
Exploits1References1
RedHat Linux
RedHat Linux
added 2026/06/25 5:36 p.m.4 views

keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing CORS header injection vulnerability in Keycloak's User-Managed Access UMA token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token JWT is used to set the...

5.3CVSS5.8AI score0.00253EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/23 12:12 p.m.6 views

EUVD-2026-38429

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...

6.9CVSS5.9AI score0.00247EPSS
Exploits0References2
Rows per page
Query Builder