2777 matches found
CVE-2026-61736
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORSORIGINS= combined with allowcredentials=True in lightrag/api/lightragserver.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin request...
CVE-2026-61736
LightRAG vulnerability CVE-2026-61736 stems from a CORS misconfiguration prior to version 1.5.4: CORS_ORIGINS is set to '*' and allow_credentials=True in lightrag/api/lightrag_server.py, causing Starlette CORSMiddleware to effectively whitelist all origins for credentialed cross-origin requests. ...
CVE-2026-56400 open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation
open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with alloworigins= and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests...
CVE-2026-61426
PrasionAI prior to 1.7.3 uses insecure defaults: it binds to all interfaces with no API key and permissive CORS, allowing unauthenticated access. Attacks can read agent instructions/system prompts via GET /api/agents or invoke /api/chat via POST without auth. No explicit remediation details are p...
CVE-2026-59148 Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret theft
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: with write methods...
CVE-2026-54753
A flaw was found in Nx, a monorepo solution for managing multiple projects. The local HTTP server, started by the nx graph command, incorrectly sent an Access-Control-Allow-Origin: header in its responses. This misconfiguration allows a remote attacker to read sensitive project information, such ...
CVE-2026-57111 Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin
Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...
CVE-2026-59804
Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, whi...
CVE-2026-10708 Insufficiently Protected Credentials
This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the...
CVE-2026-55438
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...
EUVD-2026-42151
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...
CVE-2026-55438
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, subdomain-based proxy would bypass the same-owner CORS check when a workspace-name segment parsed as a UUID. The workspace could be resolved by ID with...
CVE-2026-55438
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...
PT-2026-56455
Name of the Vulnerable Software and Affected Versions Adalo affected versions not specified Description This issue allows large-scale data harvesting without the need for app-specific secrets. A single request to a minimal leaderboard component can return user records that include emails, UUIDs,...
PT-2026-56082
Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The subdomain-based workspace app proxy allows a bypass of the same-owner Cross-Origin Resource Sharing CO...
CVE-2025-71381
Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...
CVE-2026-56277 Flowise - Hardcoded CORS Wildcard in TTS Endpoint
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech TTS generation endpoint packages/server/src/controllers/text-to-speech/index.ts, independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...
CVE-2026-56277
Flowise (pre-3.1.2) exposes a security flaw in its text-to-speech (TTS) endpoint. The endpoint at packages/server/src/controllers/text-to-speech/index.ts sets Access-Control-Allow-Origin to a hardcoded wildcard (*), bypassing the server’s configured CORS policy and enabling cross-origin requests ...
CVE-2025-71381 Hono - Vary Header Injection in CORS Middleware
Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...
CVE-2026-12084
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...