CVE-2026-36604

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...

CVE-2026-10056 CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request

CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account...

CVE-2026-9739

Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...

CVE-2026-34331

Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally...

Chromium: CVE-2026-7968 Insufficient validation of untrusted input in CORS

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

open-notebook 安全漏洞

Open-Notebook is a privacy-oriented multi-model AI note-taking tool developed by Luis Novo. Version 1.8.1 of Open-Notebook contains a security vulnerability. This vulnerability stems from improper input validation and overly permissive default CORS configurations. It could allow remote attackers ...

CVE-2026-41057

CVE-2026-41057 affects WWBN AVideo (versions 29.0 and below). The issue arises from two incomplete CORS mitigations: (1) in plugin/API/router.php (lines 4–8) the server unconditionally reflects arbitrary Origin before application code runs, and (2) get.json.php and set.json.php call allowOrigin(t...

PraisonAI 信息泄露漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.128 contained an information leakage vulnerability. This vulnerability stemmed from the AgentOS deployment platform not implementing authentication, and the default CORS...

CVE-2026-37977

CVE-2026-37977 affects Keycloak’s User-Managed Access (UMA) token endpoint. A flaw in CORS handling arises when the azp claim from a client-supplied JWT is used to set the Access-Control-Allow-Origin header before JWT validation, allowing an attacker-controlled origin to be reflected in responses...

CVE-2026-33533

A flaw was found in Glances, an open-source system monitoring tool. The Glances XML-RPC server, when activated, sends a wildcard Access-Control-Allow-Origin header and does not validate the Content-Type header. This allows a remote attacker to craft a malicious webpage that can issue a Cross-Orig...

CVE-2026-34227

Sliver is affected by an insecure CORS and unauthenticated MCP interface prior to version 1.7.4. The vulnerability allows an attacker to gain unintended control over C2 sessions/beacons through a malicious link, with potential data exfiltration (e.g., SSH keys, ntds.dit) or infrastructure impact....

PT-2026-29264

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to...

PT-2026-29377

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.2 Description A malicious website can achieve Remote Code Execution RCE on any desktop running SiYuan by exploiting a permissive CORS policy Access-Control-Allow-Origin: + Access-Control-Allow-Private-Network: true...

EUVD-2025-209072

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they...

CVE-2026-32617

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the...

CVE-2026-27897

Vociferous (offline speech-to-text) contains an unauthenticated path traversal vulnerability in the export_file API (src/api/system.py) prior to version 4.4.2. An attacker can submit a JSON payload with a crafted filename and content, exploit directory traversal (../) to write arbitrary data to l...

PT-2026-7329

Certain HP OfficeJet Pro printers may expose information if Cross‑Origin Resource Sharing CORS is misconfigured, potentially allowing unauthorized web origins to access device resource. CORS is disabled by default on Pro‑class devices and can only be enabled by an administrator through the Embedd...

A Defender-Attacker-Defender Model for Optimizing the Resilience of Hospital Networks to Cyberattacks

Considering the increasing frequency of cyberattacks affecting multiple hospitals simultaneously, improving resilience at a network level is essential. Various countermeasures exist to improve resilience against cyberattacks, such as deploying controls that strengthen IT infrastructures to limit...

CVE-2021-33330

Liferay Portal 7.2.0 through 7.3.2, and Liferay DXP 7.2 before fix pack 9, allows access to Cross-origin resource sharing CORS protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the...

CVE-2019-18381

Norton Password Manager, prior to 6.6.2.5, may be susceptible to a cross origin resource sharing CORS vulnerability, which is a type of issue that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served...