CVE-2026-27978 Next.js: null origin can bypass Server Actions CSRF checks
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts such as sandboxed iframes could bypass...
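The following Python snippet is an added illustration of the class of bug described above; it is not Next.js code and does not reproduce its Server Actions implementation. It models an Origin-header CSRF check in which a truly absent Origin is tolerated (the advisory implies that path was permissive), and contrasts the flawed variant, which lumps the literal value "null" in with "missing", against a corrected variant that compares "null" like any other value. The header dictionaries and host name are constructed for the example.

```python
# Added example, not Next.js code: modelling an Origin-based CSRF check
# and the "null origin treated as missing" flaw.
from typing import Mapping


def expected_origin(host: str, scheme: str = "https") -> str:
    """Origin the server expects for same-origin requests to `host`."""
    return f"{scheme}://{host}"


def csrf_check_vulnerable(headers: Mapping[str, str], host: str) -> bool:
    """Flawed check. Assumption (from the advisory wording): a request with
    no Origin header at all is let through. The bug is that the sentinel
    string "null", which browsers send for opaque origins such as
    sandboxed iframes, is folded into that same "missing" branch."""
    origin = headers.get("origin")
    if origin is None or origin == "null":  # "null" wrongly treated as absent
        return True
    return origin == expected_origin(host)


def csrf_check_fixed(headers: Mapping[str, str], host: str) -> bool:
    """Corrected check. Only a genuinely absent header takes the permissive
    branch; "null" is an explicit, untrusted origin and is compared like any
    other value, so it can never equal https://<host> and is rejected."""
    origin = headers.get("origin")
    if origin is None:
        return True
    return origin == expected_origin(host)


if __name__ == "__main__":
    host = "app.example"  # constructed
    # Constructed request headers as a sandboxed iframe would send them.
    from_sandbox = {"origin": "null", "host": host}
    print("vulnerable accepts null origin:", csrf_check_vulnerable(from_sandbox, host))
    print("fixed accepts null origin:     ", csrf_check_fixed(from_sandbox, host))
```

Header names are assumed already lower-cased, as most server frameworks normalise them. The design point is that "null" carries information (the browser knows the origin and refuses to disclose it), so the only safe treatment is to compare it as a concrete value that will never match the site's own origin.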
Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins
Summary: CORS origin validation can be bypassed because the allowed-origins allowlist is compiled into a regex without escaping metacharacters, notably the dot (.). An allowed origin like https://good.example can match https://goodXexample, resulting in Access-Control-Allow-Origin being set for an untrusted...
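The snippet below is an added example, not Litestar's code, showing why an allowlist turned into a regex must escape each entry. The vulnerable builder joins the origins verbatim, so the dot in https://good.example matches any single character; the fixed builder passes every entry through re.escape, and a third variant avoids regexes entirely with exact set membership. The allowlist and request origins are constructed for the example.

```python
# Added example, not Litestar code: allowlist-to-regex compilation with and
# without escaping, plus an exact-match alternative.
import re
from typing import Iterable, Optional


def compile_allowlist_vulnerable(origins: Iterable[str]) -> re.Pattern:
    """Bug: entries are interpolated into the pattern unescaped, so "."
    matches any character and "https://good.example" also matches
    "https://goodXexample"."""
    return re.compile("|".join(origins))


def compile_allowlist_fixed(origins: Iterable[str]) -> re.Pattern:
    """Each entry is escaped so metacharacters in an origin match literally."""
    return re.compile("|".join(re.escape(o) for o in origins))


def allow_origin_header(pattern: re.Pattern, request_origin: str) -> Optional[str]:
    """Value for Access-Control-Allow-Origin, or None if the origin is not allowed.
    fullmatch is used so a partial hit inside a longer origin is not enough."""
    return request_origin if pattern.fullmatch(request_origin) else None


def allow_origin_exact(allowlist: Iterable[str], request_origin: str) -> Optional[str]:
    """Regex-free alternative: plain string equality against the allowlist."""
    return request_origin if request_origin in set(allowlist) else None


if __name__ == "__main__":
    allowlist = ["https://good.example", "https://app.good.example"]  # constructed
    attacker = "https://goodXexample"  # constructed attacker-controlled origin
    bad = compile_allowlist_vulnerable(allowlist)
    good = compile_allowlist_fixed(allowlist)
    print("vulnerable:", allow_origin_header(bad, attacker))
    print("fixed:     ", allow_origin_header(good, attacker))
    print("exact:     ", allow_origin_exact(allowlist, attacker))
```

When the allowlist is expressed as regexes on purpose (wildcard subdomains), the safe pattern is to anchor each entry and escape everything except the intended wildcard; for a plain list of origins, exact comparison is simpler and has no escaping to get wrong.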
PrivateGPT security vulnerability
PrivateGPT is an AI project open-sourced by Zylon. A security vulnerability exists in PrivateGPT version 0.6.2 and earlier, stemming from an improper cross-domain policy caused by misuse of the alloworigins parameter in the file settings.yaml...