Lucene search
K

255 matches found

Cvelist
Cvelist
added yesterday5 views

CVE-2026-52843 Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests regardless of credentials mode

Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials: omit, credentials: same-origin, credentials: include, and XMLHttpRequest.withCredentials,...

9.3CVSS0.00033EPSS
Exploits0References4
CVE
CVE
added yesterday5 views

CVE-2026-52843

What is affected: Lightpanda’s headless browser. Issue: Prior to 0.2.9, fetch() and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials mode (omit, same-origin, include) and XMLHttpRequest.withCredentials. Impact: An attacker-controlled origin in a ...

9.3CVSS6.1AI score0.00033EPSS
Exploits0References4
NVD
NVD
added 2026/07/08 2:17 p.m.8 views

CVE-2026-58656

Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: , allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token...

8.7CVSS0.00271EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/07/08 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-59153

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its...

2.1CVSS6.1AI score0.00181EPSS
Exploits0References2
OSV
OSV
added 2026/07/07 10:16 p.m.6 views

DEBIAN-CVE-2026-59153

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting...

2.1CVSS6AI score0.00181EPSS
Exploits0References1
NVD
NVD
added 2026/07/07 10:16 p.m.12 views

CVE-2026-59153

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting...

2.1CVSS0.00181EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2026/07/07 9:11 p.m.6 views

CVE-2026-59153

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting...

2.1CVSS6AI score0.00181EPSS
Exploits0
CVE
CVE
added 2026/07/07 9:11 p.m.8 views

CVE-2026-59153

Anki’s local HTTP server vulnerability (CVE-2026-59153) affects Anki prior to version 25.09.3. The embedded local server serving media/files did not sufficiently block cross-origin requests from other origins, enabling potential side-effecting requests from malicious sites. The CVSS-based data in...

2.1CVSS6AI score0.00181EPSS
Exploits0References4
OSV
OSV
added 2026/07/07 9:11 p.m.6 views

CVE-2026-59153 Anki's local HTTP server does not sufficiently validate requests

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting...

2.1CVSS6AI score0.00181EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/30 7:39 p.m.46 views

CVE-2026-12084 IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...

5.4CVSS0.00162EPSS
Exploits0References1
NVD
NVD
added 2026/06/30 5:16 p.m.19 views

CVE-2026-58169

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to...

7.7CVSS0.00286EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/06/30 3:52 p.m.7 views

CVE-2026-58169

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to...

7.7CVSS6.4AI score0.00286EPSS
Exploits0References8
NVD
NVD
added 2026/06/29 6:16 p.m.12 views

CVE-2026-57957

Papermark through 0.22.0 contains a cross-origin resource sharing CORS misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with...

4.7CVSS0.0025EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/29 5:23 p.m.8 views

EUVD-2026-40142

Papermark through 0.22.0 contains a cross-origin resource sharing CORS misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with...

4.7CVSS6AI score0.0025EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 5:23 p.m.4 views

CVE-2026-57957 Papermark 0.22.0 - CORS Misconfiguration in Viewer Upload Endpoint

Papermark through 0.22.0 contains a cross-origin resource sharing CORS misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with...

2.3CVSS6.1AI score0.0025EPSS
Exploits0References6
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-418 MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...

9.6CVSS7.7AI score0.00371EPSS
Exploits1References6
CVE
CVE
added 2026/06/25 6:5 p.m.34 views

CVE-2026-46608

CVE-2026-46608 concerns Glances XML-RPC server (glances -s) where a multi-origin CORS configuration intended to restrict browser access silently falls back to a wildcard when cors_origins has two or more entries. The issue arises from server-side logic that sets Access-Control-Allow-Origin to the...

7.4CVSS5.9AI score0.00409EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/06/22 5:15 p.m.4 views

CVE-2026-54290

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin the default wildcard, the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make...

7.1CVSS5.9AI score0.00248EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.7 views

PT-2026-56267

Name of the Vulnerable Software and Affected Versions Anki versions prior to 25.09.3 Description Anki launches a local HTTP server to serve media files and web pages for its interface. The server does not sufficiently block requests from other origins, allowing a malicious website to trigger...

8.7CVSS6.1AI score0.00181EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.21 views

PT-2026-49737

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.25 Description The CORS Middleware reflects the request Origin and sends Access-Control-Allow-Credentials: true when credentials: true is enabled and no explicit origin is defined defaulting to the wildcard. This...

7.1CVSS5.9AI score0.00248EPSS
Exploits0References4
Rows per page
Query Builder