158 matches found
CVE-2026-49202
Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing CORS rules that allow cross-site theft...
CVE-2026-7581
A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function onprepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out...
CVE-2026-7581 alexta69 MeTube CORS Policy main.py on_prepare cross-domain policy
A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function onprepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out...
CVE-2026-7581 alexta69 MeTube CORS Policy main.py on_prepare cross-domain policy
A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function onprepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out...
PT-2026-36322
A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out...
CVE-2026-6662 ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy
A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack...
CVE-2026-6313
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...
CVE-2026-6313
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...
CVE-2026-6313
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...
CVE-2026-6313
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to Flask-Cors
Summary Flask-Cors is used by IBM Cloud Pak for Data System to handle Cross-Origin Resource Sharing CORS for web applications. Multiple vulnerabilities affect Flask-Cors path matching functionality. CVE-2024-6866 involves case-insensitive path matching that can allow unauthorized origins to acces...
SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Summary A malicious website can achieve Remote Code Execution RCE on any desktop running SiYuan by exploiting the permissive CORS policy Access-Control-Allow-Origin: + Access-Control-Allow-Private-Network: true to inject a JavaScript snippet via the API. The injected snippet executes in Electron'...
CVE-2026-34449
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution RCE on any desktop running SiYuan by exploiting the permissive CORS policy Access-Control-Allow-Origin: + Access-Control-Allow-Private-Network: true to inject a JavaScri...
CVE-2026-34449 SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution RCE on any desktop running SiYuan by exploiting the permissive CORS policy Access-Control-Allow-Origin: + Access-Control-Allow-Private-Network: true to inject a JavaScri...
CVE-2026-34449
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution RCE on any desktop running SiYuan by exploiting the permissive CORS policy Access-Control-Allow-Origin: + Access-Control-Allow-Private-Network: true to inject a JavaScri...
EUVD-2026-17676
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution RCE on any desktop running SiYuan by exploiting the permissive CORS policy Access-Control-Allow-Origin: + Access-Control-Allow-Private-Network: true to inject a JavaScri...
CVE-2026-0397
When the internal webserver is enabled default is disabled, an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration o...
CVE-2026-32617 AnythingLLM Permissable CORS policy
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the...
TinaCMS 安全漏洞
TinaCMS is an open-source headless CMS for Markdown, MDX, and JSON developed by Tina. Versions of TinaCMS prior to 2.1.8 contained security vulnerabilities. These vulnerabilities stemmed from the TinaCMS CLI development server having a lax CORS policy configured. Combined with path traversal...
CVE-2026-24435
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 implement an insecure Cross-Origin Resource Sharing CORS policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: in combination with Access-Control-Allow-Credentials: true, allowing...