27 matches found

Positive Technologies
added 2026/05/29 12:00 a.m. · 9 views

PT-2026-44762

CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account...

CVSS 7.5 · AI score 5.8 · EPSS 0.00242
Exploits 0 · References 2
OSV
added 2026/05/11 2:20 p.m. · 7 views

GHSA-6XCP-7MPR-M7WM Open WebUI has a CORS misconfiguration and session validation issue

GitHub Security Lab GHSL Vulnerability Report, open-webui: GHSL-2024-174, GHSL-2024-175 The GitHub Security Lab team has identified potential security vulnerabilities in open-webui. We are committed to working with you to help resolve these issues. In this report you will find everything you need...

CVSS 8.3 · AI score 6.6
Exploits 0 · References 2
Cvelist
added 2026/03/31 11:53 a.m. · 23 views

CVE-2026-0397 Information disclosure via CORS misconfiguration

When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged in to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration o...

CVSS 3.1 · EPSS 0.00161
Exploits 0 · References 1
CNNVD
added 2026/03/20 12:00 a.m. · 6 views

mcp-memory-service security vulnerability

mcp-memory-service is a backend service developed by an individual developer (Henry), designed to provide persistent shared memory for AI agents. Versions of mcp-memory-service prior to 10.25.1 contained security vulnerabilities. These vulnerabilities stemmed from improper CORS configuration and...

CVSS 8.8 · AI score 5.8 · EPSS 0.00387
Exploits 1 · References 1
OSV
added 2026/03/19 4:28 p.m. · 5 views

GHSA-H8VW-PH9R-XPCH qui CORS Misconfiguration: Arbitrary Origins Trusted

Summary The application implements an HTML5 cross-origin resource sharing (CORS) policy that allows access from any domain. While the application is typically deployed within a trusted local network, successful exploitation of this weakness does not require any direct access to the instance by the...

CVSS 9.6 · AI score 5.9 · EPSS 0.00257
Exploits 0 · References 4
Snyk
added 2026/03/12 6:44 p.m. · 0 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via a combination with permissive CORS configuration. An attacker can access, write, and delete arbitrary files on a developer's machine by enticing the victim to visit a malicious website while the development serve...

CVSS 9.6 · AI score 6.3 · EPSS 0.00535
Exploits 1 · References 2
ATTACKERKB
added 2026/03/12 4:48 p.m. · 3 views

CVE-2026-28792

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration Access-Control-Allow-Origin: with the path traversal vulnerability previously reported to enable a browser-based drive-by attack. A remote attacker can enumerate the...

CVSS 9.6 · AI score 5.9 · EPSS 0.00535
Exploits 1 · References 2 · Affected Software 1
Github Security Blog
added 2026/02/25 11:00 p.m. · 8 views

Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

Summary A Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an attacker can steal administrator credentials from localStorage, leading to full account...

CVSS 9 · AI score 6 · EPSS 0.06029
Exploits 1 · References 4 · Affected Software 1
RedhatCVE
added 2026/02/23 1:30 p.m. · 6 views

CVE-2026-27579

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue...

CVSS 7.4 · AI score 5.6 · EPSS 0.00226
Exploits 1 · References 1
Cvelist
added 2026/02/21 10:22 a.m. · 24 views

CVE-2026-27579 CollabPlatform : CORS Misconfiguration Allows Arbitrary Origin With Credentials Leading to Authenticated Account Data Exposure

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue...

CVSS 7.4 · EPSS 0.00226
Exploits 1 · References 1
GithubExploit
added 2026/02/06 6:59 p.m. · 173 views

Bugbounty-Scanner-Suite

Bugbounty Scanner Suite: all-in-one tool to automat...

AI score 5.5
Exploits 0
CVE
added 2026/01/13 12:00 a.m. · 14 views

CVE-2025-55462

Eramba Community/Enterprise Editions v3.26.0 are affected by a CORS misconfiguration that reflects an attacker-controlled Origin header in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true. This enables authenticated cross-origin requests from malicious sites to endpoints su...

CVSS 6.5 · AI score 6.2 · EPSS 0.0037
Exploits 1 · References 2 · Affected Software 1
NVD
added 2025/10/27 9:15 p.m. · 8 views

CVE-2025-62523

PILOS Platform for Interactive Live-Online Seminars is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper...

CVSS 6.3 · EPSS 0.00186
Exploits 0 · References 2
OSV
added 2025/10/27 8:10 p.m. · 4 views

CVE-2025-62523 PILOS Misconfigured the Access-Control-Allow-Origin Header

PILOS Platform for Interactive Live-Online Seminars is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper...

CVSS 6.3 · AI score 6.9 · EPSS 0.00186
Exploits 0 · References 4
Github Security Blog
added 2025/10/16 7:49 p.m. · 8 views

Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

Summary A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses. Technical Details By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header...

CVSS 6.5 · AI score 6.8 · EPSS 0.00263
Exploits 0 · References 5 · Affected Software 1
OSV
added 2025/10/16 7:49 p.m. · 4 views

GHSA-9329-MXXW-QWF8 Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

Summary A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses. Technical Details By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header...

CVSS 7.5 · AI score 6.8 · EPSS 0.00263
Exploits 0 · References 5
Positive Technologies
added 2025/08/19 12:00 a.m. · 9 views

PT-2025-33735 · Unknown · Nginx Proxy Manager

Name of the Vulnerable Software and Affected Versions: Nginx Proxy Manager version 2.12.3 Description: A Cross-Origin Resource Sharing (CORS) misconfiguration allows unauthorized domains to access sensitive data, specifically JSON Web Tokens (JWT), due to improper validation of the Origin header. Thi...

CVSS 5.3 · AI score 7.2 · EPSS 0.00356
Exploits 0 · References 7
Cvelist
added 2025/08/18 2:00 p.m. · 7 views

CVE-2025-27909 IBM Concert Software cross-origin resource sharing

IBM Concert Software 1.0.0 through 1.1.0 uses cross-origin resource sharing (CORS), which could allow an attacker to carry out privileged actions as the domain name is not being limited to only trusted domains...

CVSS 5.4 · EPSS 0.00198
Exploits 0 · References 1
Snyk
added 2025/03/20 12:32 p.m. · 3 views

Origin Validation Error

Overview Prefect is a new workflow management system, designed for modern infrastructure and powered by the open-source Prefect Core workflow engine. Users organize Tasks into Flows, and Prefect takes care of the rest. Affected versions of this package are vulnerable to Origin...

CVSS 7.6 · AI score 6.8 · EPSS 0.00168
Exploits 0 · References 2
OSV
added 2025/03/20 10:15 a.m. · 4 views

CVE-2024-8024

A CORS misconfiguration vulnerability exists in netease-youdao/qanything version 1.4.1. This vulnerability allows an attacker to bypass the Same-Origin Policy, potentially leading to sensitive information exposure. Properly implementing a restrictive CORS policy is crucial to prevent such securit...

CVSS 7.5 · AI score 6.5
Exploits 0 · References 1