343 matches found

CVE
added 2026/04/07 7:10 p.m.

CVE-2026-39363

CVE-2026-39363 affects the Vite dev server. The WebSocket-based fetchModule RPC can be invoked without an Origin header, bypassing the HTTP path access checks and enabling arbitrary file reads via file:// URLs combined with ?raw or ?inline. This occurs in Vite versions 6.0.0 up to before 6.4.2, 7.3.2, an...

CVSS 8.2 | AI score 6.2 | EPSS 0.0229
Exploits 3 | References 1 | Affected software 2

Cvelist
added 2026/04/07 7:10 p.m.

CVE-2026-39363 Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server's WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?r...

CVSS 8.2 | EPSS 0.0229
Exploits 3 | References 1

ATTACKERKB
added 2026/04/07 7:10 p.m.

CVE-2026-39363

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server's WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?r...

CVSS 8.2 | AI score 6.2 | EPSS 0.0229
Exploits 3 | References 2 | Affected software 2

Github Security Blog
added 2026/04/06 6:03 p.m.

Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

Summary: The server.fs check was not enforced for the fetchModule method that is exposed in the Vite dev server's WebSocket. Impact: Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or the server.host config option - WebSocket is no...

CVSS 8.2 | AI score 6.2 | EPSS 0.0229
Exploits 3 | References 8 | Affected software 1

OSV
added 2026/04/06 6:03 p.m.

GHSA-P9FF-H696-F583 Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

Summary: The server.fs check was not enforced for the fetchModule method that is exposed in the Vite dev server's WebSocket. Impact: Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or the server.host config option - WebSocket is no...

CVSS 8.2 | AI score 6.2 | EPSS 0.0229
Exploits 3 | References 8

OSV
added 2026/04/06 9:31 a.m.

GHSA-5V8V-XVJV-57X7 Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token (JWT) is used to set the...

CVSS 3.7 | AI score 5.8 | EPSS 0.00229
Exploits 0 | References 4

Positive Technologies
added 2026/04/06 12:00 a.m.

PT-2026-30768

Name of the Vulnerable Software and Affected Versions: Vite versions 6.0.0 through 6.4.1, 7.x before 7.3.2, and 8.x before 8.0.5. Description: Vite, a frontend tooling framework for JavaScript, had a flaw where the server.fs check was not enforced for the fetchModule method exposed in the Vite dev server's WebSocket. If ...

CVSS 8.2 | AI score 6.2 | EPSS 0.0229
Exploits 3 | References 14

Github Security Blog
added 2026/03/30 5:26 p.m.

MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)

Summary: Hardcoded wildcard CORS (Access-Control-Allow-Origin: *) - https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289 -...

CVSS 6.1 | AI score 7.5 | EPSS 0.00222
Exploits 0 | References 6 | Affected software 1

SUSE CVE
added 2026/03/28 12:25 a.m.

SUSE CVE-2026-33252

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...

CVSS 7.1 | AI score 5.9 | EPSS 0.00178
Exploits 0 | References 3

OSV
added 2026/03/25 5:27 p.m.

GHSA-W3HV-X4FP-6H6J @grackle-ai/server has Missing WebSocket Origin Header Validation

Impact: The WebSocket upgrade handler in the server validates authentication (API key token or session cookie) but does not check the Origin header. A malicious webpage on a different origin could initiate a WebSocket connection to ws://localhost:3000/ws if it can leverage the user's session cookie...

CVSS 7.1 | AI score 5.7
Exploits 0 | References 2

EUVD
added 2026/03/23 11:44 p.m.

EUVD-2026-14643

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...

CVSS 7.1 | AI score 5.8 | EPSS 0.00178
Exploits 0 | References 2

CNNVD
added 2026/03/23 12:00 a.m.

MCP Go SDK Cross-Site Request Forgery Vulnerability

MCP Go SDK is an open-source development toolkit for the Model Context Protocol. Versions of MCP Go SDK prior to 1.4.1 contained a cross-site request forgery vulnerability. This vulnerability stemmed from the Streamable HTTP transport, which did not validate the Origin header and did not specify t...

CVSS 7.1 | AI score 6.3 | EPSS 0.00178
Exploits 0 | References 3

ATTACKERKB
added 2026/03/20 5:52 a.m.

CVE-2026-33043

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials...

CVSS 8.1 | AI score 5.8 | EPSS 0.00345
Exploits 1 | References 3 | Affected software 1

OSV
added 2026/03/20 5:52 a.m.

CVE-2026-33043 AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials...

CVSS 8.1 | AI score 5.7 | EPSS 0.00345
Exploits 1 | References 4

Cvelist
added 2026/03/18 4:31 p.m.

CVE-2026-32610 Glances's Default CORS Configuration Allows Cross-Origin Credential Theft

Glances is an open-source cross-platform system monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets allow_origins=["*"] combined with allow_credentials=True. When both of these options are enabled together, Starlette's CORSMiddlewa...

CVSS 8.1 | EPSS 0.00332
Exploits 1 | References 3

Tenable Nessus
added 2026/03/18 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2026-32610

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Glances is an open-source cross-platform system monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration...

CVSS 8.1 | AI score 5.8 | EPSS 0.00332
Exploits 1 | References 3

Snyk
added 2026/03/17 3:29 p.m.

Missing Origin Validation in WebSockets

Overview: next is a React framework. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets in the internal dev endpoint when the Origin header is set to null. An attacker can interact with internal development WebSocket traffic by connecting from...

CVSS 5.4 | AI score 5.8 | EPSS 0.00171
Exploits 1 | References 2

OSV
added 2026/03/16 6:46 p.m.

GHSA-XP2M-98X8-RPJ6 SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure

Summary: SiYuan's WebSocket endpoint /ws allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep...

CVSS 5.3 | AI score 5.8 | EPSS 0.00361
Exploits 1 | References 5

Positive Technologies
added 2026/03/16 12:00 a.m.

PT-2026-26170

Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.0 and earlier; SiYuan versions 3.5.9 and earlier. Description: SiYuan, a personal knowledge management system, has a flaw in its WebSocket endpoint '/ws' that permits unauthenticated connections when specific URL parameters ar...

CVSS 7.5 | AI score 5.8 | EPSS 0.00361
Exploits 1 | References 9

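The Vite, Next.js, @grackle-ai/server and SiYuan entries above are failures of one request-side check on a local dev or tool server: whether a WebSocket handshake carries an Origin the server should trust, with "no Origin at all" and "Origin: null" as the two edge cases that were mishandled. The MCP Go SDK entries are the same check applied to a cross-site JSON-RPC POST, plus a Content-Type requirement. The following is an added example written for this listing; it is not code from any of those projects or advisories. It implements that check in Node.js with an exact-match allowlist, treats a missing Origin as a policy decision rather than as proof of a trusted caller, rejects `null` outright, and for POSTs requires `application/json`. The allowlist, the header objects and the scenario names are constructed for the demonstration.

```javascript
'use strict';

// Constructed allowlist for a dev/tool server listening on localhost.
const ALLOWED_ORIGINS = new Set(['http://localhost:5173', 'http://127.0.0.1:5173']);

// Classify an Origin header value against an allowlist. Returns { ok, reason }.
// A browser never omits Origin on a cross-site POST or a WebSocket handshake, so a
// missing header means a non-browser client; whether that is acceptable is a policy
// decision (`requireOrigin`). An unauthenticated service must not assume it is:
// the Vite fetchModule report above is exactly the "no Origin, no check" path.
function checkOrigin(origin, { allowed = ALLOWED_ORIGINS, requireOrigin = true } = {}) {
  if (origin === undefined || origin === null || origin === '') {
    return requireOrigin
      ? { ok: false, reason: 'missing Origin header' }
      : { ok: true, reason: 'no Origin header (non-browser client)' };
  }
  // "null" is what browsers send for sandboxed iframes, data:/file: documents and
  // some redirects; accepting it as a local peer is the Next.js bug above.
  if (origin === 'null') return { ok: false, reason: 'Origin: null' };
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return { ok: false, reason: 'unparseable Origin' };
  }
  // URL#origin lower-cases the host, drops default ports and yields "null" for
  // opaque origins (file:, blob:). Exact-match afterwards, so that a lookalike
  // such as http://localhost.attacker.example is rejected.
  const normalized = parsed.origin;
  if (normalized === 'null' || !allowed.has(normalized)) {
    return { ok: false, reason: `origin ${origin} is not allowlisted` };
  }
  return { ok: true, reason: 'allowlisted origin' };
}

// Gate for an HTTP Upgrade request. `headers` uses Node's req.headers shape
// (lower-case names). Returns { accept, status, reason }.
function gateWebSocketUpgrade(headers, opts) {
  if (String(headers.upgrade || '').toLowerCase() !== 'websocket') {
    return { accept: false, status: 400, reason: 'not a WebSocket upgrade' };
  }
  const r = checkOrigin(headers.origin, opts);
  return r.ok
    ? { accept: true, status: 101, reason: r.reason }
    : { accept: false, status: 403, reason: r.reason };
}

// Gate for a JSON-RPC style POST. Two checks: the Origin must pass, and the body
// must be declared application/json. An HTML form can only submit urlencoded,
// multipart or text/plain bodies, so requiring application/json forces a browser
// into a CORS preflight that the server will not answer for an unknown origin.
function gateJsonRpcPost(headers, opts) {
  const r = checkOrigin(headers.origin, opts);
  if (!r.ok) return { accept: false, status: 403, reason: r.reason };
  const mediaType = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') {
    return { accept: false, status: 415, reason: `Content-Type ${mediaType || '(none)'} is not application/json` };
  }
  return { accept: true, status: 200, reason: r.reason };
}

// Constructed requests walked through both gates; returns { scenario: status }.
function runScenarios() {
  const cases = {
    'ws: no Origin (Vite fetchModule path)': () => gateWebSocketUpgrade({ upgrade: 'websocket' }),
    'ws: Origin null (Next.js dev endpoint)': () => gateWebSocketUpgrade({ upgrade: 'websocket', origin: 'null' }),
    'ws: attacker origin': () => gateWebSocketUpgrade({ upgrade: 'websocket', origin: 'http://attacker.example' }),
    'ws: lookalike host': () => gateWebSocketUpgrade({ upgrade: 'websocket', origin: 'http://localhost.attacker.example' }),
    'ws: allowlisted origin': () => gateWebSocketUpgrade({ upgrade: 'websocket', origin: 'http://LOCALHOST:5173' }),
    'post: cross-site form (text/plain)': () => gateJsonRpcPost({ origin: 'https://attacker.example', 'content-type': 'text/plain' }),
    'post: non-browser, wrong media type': () => gateJsonRpcPost({ 'content-type': 'text/plain' }, { requireOrigin: false }),
    'post: allowlisted JSON': () => gateJsonRpcPost({ origin: 'http://localhost:5173', 'content-type': 'application/json; charset=utf-8' }),
  };
  const out = {};
  for (const [name, fn] of Object.entries(cases)) out[name] = fn().status;
  return out;
}

console.table(runScenarios());
```

In a real server the two gates sit in the `'upgrade'` event handler and in the POST route respectively, before any authentication logic runs; the Origin check is not a substitute for authenticating the WebSocket session (the @grackle-ai/server entry has authentication and still needed it), and an Origin check alone does nothing for the file-system scoping that Vite's `server.fs` option is for.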
Github Security Blog
added 2026/03/12 8:32 p.m.

TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS

Summary: The TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability previously reported to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary...

CVSS 9.6 | AI score 5.9 | EPSS 0.00535
Exploits 1 | References 6 | Affected software 1

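The AVideo, Glances, TinaCMS and MCP Java SDK entries above are variations of one response-side mistake: a CORS policy that lets any origin read a response, in the worst case with credentials. The following is an added example written for this listing, not code from any of those projects. It puts the reflecting pattern (echo the request's Origin and allow credentials, which is what AVideo's allowOrigin does and what a wildcard allowlist plus credentials amounts to) beside an allowlisted one, and models the browser's decision for a credentialed cross-origin fetch so the difference between `*`, a reflected origin and an allowlisted origin shows up in output. The trusted origin and the probe set are constructed.

```javascript
'use strict';

// Constructed allowlist of first-party origins allowed to make credentialed calls.
const TRUSTED_ORIGINS = new Set(['https://app.example.test']);

// Vulnerable pattern: reflect whatever Origin arrived and also allow credentials.
// Browsers refuse "*" together with credentials, so reflection is how "any origin,
// with cookies" gets expressed in practice; any page the victim visits can then read
// an authenticated response with fetch(url, { credentials: 'include' }).
function reflectAnyOrigin(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened pattern: exact-match allowlist, credentials only for trusted origins,
// and Vary: Origin so a shared cache never replays one origin's headers to another.
// "null" is never trusted (sandboxed iframes and file: pages send it).
function allowlistedCors(origin, trusted = TRUSTED_ORIGINS) {
  const base = { Vary: 'Origin' };
  if (!origin || origin === 'null' || !trusted.has(origin)) return base;
  return {
    ...base,
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Model of the browser's check for a credentialed cross-origin fetch: the body is
// exposed to script only if Access-Control-Allow-Origin equals the requesting
// origin exactly (a literal "*" is rejected once credentials are sent) and
// Access-Control-Allow-Credentials is "true".
function browserCanReadCredentialed(requestOrigin, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  return acao !== undefined && acao !== '*' && acao === requestOrigin && acac === 'true';
}

// Audit helper: for each probing origin, can its script read a credentialed
// response under each policy? Returns { origin: { reflect, allowlist } }.
function auditOrigins(origins) {
  const report = {};
  for (const o of origins) {
    report[o] = {
      reflect: browserCanReadCredentialed(o, reflectAnyOrigin(o)),
      allowlist: browserCanReadCredentialed(o, allowlistedCors(o)),
    };
  }
  return report;
}

// Constructed probe set: a first-party origin, an attacker origin, and "null".
const PROBES = ['https://app.example.test', 'https://attacker.example', 'null'];

console.table(auditOrigins(PROBES));
```

To check a live endpoint for the reflecting pattern, send a request with a foreign Origin header (for example `curl -i -H 'Origin: https://attacker.example' URL`) and look for that value echoed in Access-Control-Allow-Origin next to Access-Control-Allow-Credentials: true; repeat with `Origin: null`, since a reflected `null` is readable from a sandboxed frame. A response carrying a literal `*` together with credentials is not readable by browsers, which is why middleware given both settings (the Glances entry describes this for Starlette's CORSMiddleware) substitutes the request's origin instead.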