Lucene search
+L

2777 matches found

nvd
nvd
added 2 days ago6 views

CVE-2026-61736

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORSORIGINS= combined with allowcredentials=True in lightrag/api/lightragserver.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin request...

9.3CVSS0.00305EPSS
Exploits0References6
cve
cve
added 2 days ago9 views

CVE-2026-61736

LightRAG vulnerability CVE-2026-61736 stems from a CORS misconfiguration prior to version 1.5.4: CORS_ORIGINS is set to '*' and allow_credentials=True in lightrag/api/lightrag_server.py, causing Starlette CORSMiddleware to effectively whitelist all origins for credentialed cross-origin requests. ...

9.3CVSS6.1AI score0.00305EPSS
Exploits0References6
cvelist
cvelist
added 2 days ago32 views

CVE-2026-56400 open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation

open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with alloworigins= and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests...

9CVSS0.00264EPSS
Exploits1References2
cve
cve
added 6 days ago20 views

CVE-2026-61426

PrasionAI prior to 1.7.3 uses insecure defaults: it binds to all interfaces with no API key and permissive CORS, allowing unauthenticated access. Attacks can read agent instructions/system prompts via GET /api/agents or invoke /api/chat via POST without auth. No explicit remediation details are p...

8.8CVSS6.1AI score0.00322EPSS
Exploits0References2
osv
osv
added 2026/07/09 6:27 p.m.2 views

CVE-2026-59148 Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret theft

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: with write methods...

8.8CVSS6.2AI score0.00173EPSS
Exploits0References7
redhatcve
redhatcve
added 2026/07/09 9:22 a.m.6 views

CVE-2026-54753

A flaw was found in Nx, a monorepo solution for managing multiple projects. The local HTTP server, started by the nx graph command, incorrectly sent an Access-Control-Allow-Origin: header in its responses. This misconfiguration allows a remote attacker to read sensitive project information, such ...

5.9CVSS6.1AI score0.00812EPSS
Exploits0References5
cvelist
cvelist
added 2026/07/09 7:9 a.m.34 views

CVE-2026-57111 Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin

Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...

0.00269EPSS
Exploits0References1
nvd
nvd
added 2026/07/08 8:16 p.m.7 views

CVE-2026-59804

Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, whi...

7.6CVSS0.00213EPSS
Exploits0References4
cvelist
cvelist
added 2026/07/08 2:5 p.m.35 views

CVE-2026-10708 Insufficiently Protected Credentials

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the...

0.00158EPSS
Exploits0References1
nvd
nvd
added 2026/07/08 1:16 a.m.7 views

CVE-2026-55438

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS0.00222EPSS
Exploits0References7
euvd
euvd
added 2026/07/08 12:31 a.m.6 views

EUVD-2026-42151

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS6AI score0.00222EPSS
Exploits0References7
cve
cve
added 2026/07/08 12:31 a.m.14 views

CVE-2026-55438

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, subdomain-based proxy would bypass the same-owner CORS check when a workspace-name segment parsed as a UUID. The workspace could be resolved by ID with...

6.8CVSS6AI score0.00222EPSS
Exploits0References7Affected Software1
attackerkb
attackerkb
added 2026/07/08 12:31 a.m.6 views

CVE-2026-55438

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

5.8CVSS6AI score0.00222EPSS
Exploits0References8Affected Software1
ptsecurity
ptsecurity
added 2026/07/08 12:0 a.m.5 views

PT-2026-56455

Name of the Vulnerable Software and Affected Versions Adalo affected versions not specified Description This issue allows large-scale data harvesting without the need for app-specific secrets. A single request to a minimal leaderboard component can return user records that include emails, UUIDs,...

7.5CVSS6.1AI score0.00158EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.9 views

PT-2026-56082

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The subdomain-based workspace app proxy allows a bypass of the same-owner Cross-Origin Resource Sharing CO...

5.8CVSS6AI score0.00222EPSS
Exploits0References10
nvd
nvd
added 2026/06/30 11:16 p.m.5 views

CVE-2025-71381

Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...

6.9CVSS0.0028EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/30 10:8 p.m.24 views

CVE-2026-56277 Flowise - Hardcoded CORS Wildcard in TTS Endpoint

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech TTS generation endpoint packages/server/src/controllers/text-to-speech/index.ts, independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...

6.9CVSS0.00136EPSS
Exploits0References2
cve
cve
added 2026/06/30 10:8 p.m.12 views

CVE-2026-56277

Flowise (pre-3.1.2) exposes a security flaw in its text-to-speech (TTS) endpoint. The endpoint at packages/server/src/controllers/text-to-speech/index.ts sets Access-Control-Allow-Origin to a hardcoded wildcard (*), bypassing the server’s configured CORS policy and enabling cross-origin requests ...

6.9CVSS5.8AI score0.00136EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/06/30 10:8 p.m.24 views

CVE-2025-71381 Hono - Vary Header Injection in CORS Middleware

Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...

6.9CVSS0.0028EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/30 7:39 p.m.6 views

CVE-2026-12084

IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...

5.4CVSS5.8AI score0.00162EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder