6 matches found
CVE-2026-52842
Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page origin, so a URL such as http://attacker.com/@victim.com/ was fetched from attacker.com but treated...
CVE-2026-52843
Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials: omit, credentials: same-origin, credentials: include, and XMLHttpRequest.withCredentials,...
CVE-2026-52842 Lightpanda:URL parser misidentifies page origin for URLs containing @ in the path - Same-Origin Policy bypass
Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page origin, so a URL such as http://attacker.com/@victim.com/ was fetched from attacker.com but treated...
CVE-2026-52842
Lightpanda (headless browser) prior to version 0.3.1 incorrectly searched for the character @ across the entire URL when computing origin, rather than only the authority component. This caused a URL like http://attacker.com/@victim.com/ to be fetched from attacker.com but treated as http://victim...
CVE-2026-52843 Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests regardless of credentials mode
Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials: omit, credentials: same-origin, credentials: include, and XMLHttpRequest.withCredentials,...
CVE-2026-52843
What is affected: Lightpanda’s headless browser. Issue: Prior to 0.2.9, fetch() and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials mode (omit, same-origin, include) and XMLHttpRequest.withCredentials. Impact: An attacker-controlled origin in a ...