Lucene search
K

6 matches found

NVD
NVD
added 4 hours ago3 views

CVE-2026-52842

Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page origin, so a URL such as http://attacker.com/@victim.com/ was fetched from attacker.com but treated...

9.3CVSS0.00033EPSS
Exploits0References4
NVD
NVD
added 4 hours ago3 views

CVE-2026-52843

Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials: omit, credentials: same-origin, credentials: include, and XMLHttpRequest.withCredentials,...

9.3CVSS0.00033EPSS
Exploits0References4
Cvelist
Cvelist
added 5 hours ago6 views

CVE-2026-52842 Lightpanda:URL parser misidentifies page origin for URLs containing @ in the path - Same-Origin Policy bypass

Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page origin, so a URL such as http://attacker.com/@victim.com/ was fetched from attacker.com but treated...

9.3CVSS0.00033EPSS
Exploits0References4
CVE
CVE
added 5 hours ago9 views

CVE-2026-52842

Lightpanda (headless browser) prior to version 0.3.1 incorrectly searched for the character @ across the entire URL when computing origin, rather than only the authority component. This caused a URL like http://attacker.com/@victim.com/ to be fetched from attacker.com but treated as http://victim...

9.3CVSS6.1AI score0.00033EPSS
Exploits0References4
Cvelist
Cvelist
added 5 hours ago4 views

CVE-2026-52843 Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests regardless of credentials mode

Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials: omit, credentials: same-origin, credentials: include, and XMLHttpRequest.withCredentials,...

9.3CVSS0.00033EPSS
Exploits0References4
CVE
CVE
added 5 hours ago5 views

CVE-2026-52843

What is affected: Lightpanda’s headless browser. Issue: Prior to 0.2.9, fetch() and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials mode (omit, same-origin, include) and XMLHttpRequest.withCredentials. Impact: An attacker-controlled origin in a ...

9.3CVSS6.1AI score0.00033EPSS
Exploits0References4
Rows per page
Query Builder