Lucene search
+L

2787 matches found

Cvelist
Cvelist
added 2 days ago32 views

CVE-2026-9103 Unauthenticated Superuser Token Issuance via Auto-Login Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/autologin endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTOLOGIN configuration is enabl...

9.8CVSS0.00411EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago9 views

EUVD-2026-45258

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/autologin endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTOLOGIN configuration is enabl...

9.8CVSS5.5AI score0.00411EPSS
Exploits0References1
CVE
CVE
added 2 days ago18 views

CVE-2026-9103

CVE-2026-9103 affects Langflow OSS 1.0.0–1.10.0. The root cause is improper authentication in the /api/v1/login/auto_login endpoint, which issues long‑lived superuser tokens when AUTO_LOGIN is enabled (default). Combined with permissive CORS, this can expose tokens to unintended origins and enabl...

9.8CVSS5.5AI score0.00411EPSS
Exploits0References1
CVE
CVE
added 2 days ago28 views

CVE-2026-49215

The CVE-2026-49215 issue affects symfony/ux-live-component in Symfony UX. The vulnerability stems from isLiveComponentRequest() gating #[LiveAction] based on Accept: application/vnd.live-component+html, a CORS-safelisted header that can be set cross-origin without preflight, allowing forged cross...

2.1CVSS5.3AI score0.00179EPSS
Exploits0References4
NVD
NVD
added 2 days ago7 views

CVE-2026-62387

The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: as its default CORS configuration on all responses, including authenticated endpoints and preflight OPTIONS responses. Because the plugin accepts credentials via the Authorization and X-API-Token...

7.1CVSS0.00259EPSS
Exploits0References2
CVE
CVE
added 2 days ago17 views

CVE-2026-62387

CVE-2026-62387 affects Grav’s API plugin (getgrav/grav-plugin-api) prior to 1.0.0-rc.16. The vulnerability arises from a default CORS setting of Access-Control-Allow-Origin: * on all responses, including authenticated endpoints and preflight (OPTIONS). The plugin accepts credentials via Authoriza...

7.1CVSS6.1AI score0.00259EPSS
Exploits0References2
OSV
OSV
added 2 days ago4 views

CVE-2026-62387 Grav < 1.0.0-rc.16 CORS Misconfiguration via API Plugin

The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: as its default CORS configuration on all responses, including authenticated endpoints and preflight OPTIONS responses. Because the plugin accepts credentials via the Authorization and X-API-Token...

7.1CVSS5.4AI score0.00259EPSS
Exploits0References5
NVD
NVD
added 4 days ago7 views

CVE-2026-61736

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORSORIGINS= combined with allowcredentials=True in lightrag/api/lightragserver.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin request...

9.3CVSS0.00305EPSS
Exploits0References6
CVE
CVE
added 4 days ago10 views

CVE-2026-61736

LightRAG vulnerability CVE-2026-61736 stems from a CORS misconfiguration prior to version 1.5.4: CORS_ORIGINS is set to '*' and allow_credentials=True in lightrag/api/lightrag_server.py, causing Starlette CORSMiddleware to effectively whitelist all origins for credentialed cross-origin requests. ...

9.3CVSS6.1AI score0.00305EPSS
Exploits0References6
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-56400 open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation

open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with alloworigins= and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests...

9CVSS0.00281EPSS
Exploits1References2
CVE
CVE
added 2026/07/11 1:1 p.m.21 views

CVE-2026-61426

PrasionAI prior to 1.7.3 uses insecure defaults: it binds to all interfaces with no API key and permissive CORS, allowing unauthenticated access. Attacks can read agent instructions/system prompts via GET /api/agents or invoke /api/chat via POST without auth. No explicit remediation details are p...

8.8CVSS6.1AI score0.00322EPSS
Exploits0References2
OSV
OSV
added 2026/07/09 6:27 p.m.3 views

CVE-2026-59148 Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret theft

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: with write methods...

8.8CVSS6.2AI score0.00173EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/07/09 9:22 a.m.6 views

CVE-2026-54753

A flaw was found in Nx, a monorepo solution for managing multiple projects. The local HTTP server, started by the nx graph command, incorrectly sent an Access-Control-Allow-Origin: header in its responses. This misconfiguration allows a remote attacker to read sensitive project information, such ...

5.9CVSS6.1AI score0.00812EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/09 7:9 a.m.35 views

CVE-2026-57111 Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin

Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...

0.00269EPSS
Exploits0References1
NVD
NVD
added 2026/07/08 8:16 p.m.7 views

CVE-2026-59804

Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, whi...

7.6CVSS0.00213EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/08 2:5 p.m.37 views

CVE-2026-10708 Insufficiently Protected Credentials

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the...

0.00158EPSS
Exploits0References1
NVD
NVD
added 2026/07/08 1:16 a.m.7 views

CVE-2026-55438

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS0.00222EPSS
Exploits0References7
EUVD
EUVD
added 2026/07/08 12:31 a.m.6 views

EUVD-2026-42151

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS6AI score0.00222EPSS
Exploits0References7
CVE
CVE
added 2026/07/08 12:31 a.m.14 views

CVE-2026-55438

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, subdomain-based proxy would bypass the same-owner CORS check when a workspace-name segment parsed as a UUID. The workspace could be resolved by ID with...

6.8CVSS6AI score0.00222EPSS
Exploits0References7Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/08 12:31 a.m.6 views

CVE-2026-55438

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

5.8CVSS6AI score0.00222EPSS
Exploits0References8Affected Software1
Rows per page
Query Builder