9126 matches found
Langflow AI <= 1.6.9 - CORS Misconfiguration
Langflow AI versions 1.6.9 and earlier are vulnerable to a CORS misconfiguration that allows any origin to make credentialed requests. Combined with SameSite=None cookies, this enables cross-origin token theft and subsequent remote code execution via the /api/v1/validate/code endpoint. id:...
EUVD-2026-43176
PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication...
CVE-2026-59180
Apprise before v1.11.0 vulnerable: HTTP-based notification plugins and HTTP loaders (apprise/attachment/http.py, apprise/config/http.py) follow redirects and resend configured auth headers and query parameters. This can leak secrets (Authorization headers, bearer tokens, service keys) to a compro...
CVE-2026-59180 Apprise forwards configured auth headers across cross-origin HTTP redirects
Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. Prior to 1.11.0, Apprise HTTP-based notification plugins and HTTP attachment and config loaders in apprise/attachment/http.py and apprise/config/http.py...
EUVD-2026-34014
Tesla: Authorization header leaks on cross-origin redirect via case-sensitive filtering...
CVE-2026-59148
The CVE covers Mockoon prior to version 9.7.0, where the admin API was mounted on the same Express listener as user mock routes with default-enabled, unauthenticated access and permissive CORS (Access-Control-Allow-Origin: ). This allowed any unauthenticated client on the mock server port to: rea...
CVE-2026-56458
HCL DevOps Deploy uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...
CVE-2026-56458
HCL DevOps Deploy uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...
EUVD-2026-42552
HCL DevOps Deploy uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...
CVE-2026-56458
Technical details about CVE-2026-56458 are not publicly available in the provided documents. No affected versions, root cause specifics, exploits, or mitigations are disclosed here. Monitor for updates from vendors or CVE pages.
CVE-2026-56458 HCL DevOps Deploy is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains
HCL DevOps Deploy uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...
CVE-2026-57111
Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...
EUVD-2026-42529
Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...
CVE-2026-57111
Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...
CVE-2026-57111
CVE-2026-57111 describes a permissive CORS configuration in Apache Helix REST (helix-rest; org.apache.helix.rest.server.filters.CORSFilter) up to version 2.0.0. The filter returns Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true, and reflects arbitrary preflight values, a...
CVE-2026-57111 Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin
Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...
CVE-2026-59723
The CVE-2026-59723 vulnerability affects the Cline Hub dashboard (the /browser WebSocket endpoint). Before version 3.0.30, the dashboard server did not validate the Origin header for WebSocket connections, and when ROOM_SECRET is unset on local 127.0.0.1, isAuthorizedBrowserRequest() could be abu...
CVE-2026-59723 Cline: Cross-Origin WebSocket Hijacking in Cline Hub Dashboard (`/browser` endpoint)
Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub dashboard server launched by the cline dashboard command accepts WebSocket connections on the /browser endpoint without validating the Origin header, and when ROOMSECRET is unset for loc...
CVE-2026-59804
Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, whi...
CVE-2026-59804 Midscene Bridge Server - Session Hijack via Unauthenticated WebSocket
Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, whi...