5 matches found
CVE-2026-41056
WWBN AVideo is an open source video platform. In versions 29.0 and below, the allowOrigin($allowAll=true) function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both...
CVE-2026-32610
Glances before 4.5.2 shipped a REST API with CORS allow_origins=["*"] and allow_credentials=True. When both are set, Starlette CORSMiddleware echoes the request Origin into Access-Control-Allow-Origin, allowing credentialed cross-origin requests to the Glances API. This can enable cross-site acce...
CVE-2026-25812
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism...
PT-2026-7158
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism...
CVE-2026-24435
The CVE concerns Shenzhen Tenda W30E V2 firmware versions up to and including 16.01.0.19(5037), which implement a permissive CORS policy on authenticated admin endpoints by setting Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true. This enables attacker-controlle...