CVE-2026-33010 mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled MCPHTTPENABLED=true, the application configures FastAPI's CORSMiddleware with alloworigins='', allowcredentials=True, allowmethods="", and allowheaders="". The...

Permissive Cross-domain Policy with Untrusted Domains

Overview Glances is an A cross-platform curses-based monitoring tool Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the default CORS configuration in the REST API web server, which sets alloworigins to and allowcredentials to True. An...

Permissive Cross-domain Policy with Untrusted Domains

Overview mcp-memory-service is an Open-source persistent memory for AI agent pipelines and Claude. REST API + semantic search + knowledge graph + autonomous consolidation. Self-host, zero cloud cost. Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted...

GHSA-G9RG-8VQ5-MPWM mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft

Summary When the HTTP server is enabled MCPHTTPENABLED=true, the application configures FastAPI's CORSMiddleware with alloworigins='', allowcredentials=True, allowmethods="", and allowheaders="". The wildcard Access-Control-Allow-Origin: header permits any website to read API responses...

CVE-2026-27579

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue...

CVE-2025-63386

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

CVE-2025-41010 Cross-origin resource sharing (CORS) in Hiberus Sintra

Incorrect Cross-Origin Resource Sharing CORS configuration in Hiberus Sintra. Cross-Origin Resource Sharing CORS allows browsers to make cross-domain requests in a controlled manner. This request has an “Origin” header that identifies the domain making the initial request and defines the protocol...

CVE-2025-51605

An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make...

CVE-2025-51605

An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make...

PT-2025-34373 · Shopizer · Shopizer

Name of the Vulnerable Software and Affected Versions: Shopizer version 3.2.7 Description: The server’s Cross-Origin Resource Sharing CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling...

CVE-2025-51605

CVE-2025-51605 affects Shopizer 3.2.7. The server’s CORS implementation reflects the Origin header verbatim into Access-Control-Allow-Origin and enables Access-Control-Allow-Credentials: true, allowing authenticated cross-origin requests and read of sensitive responses. Supported by multiple sour...

CVE-2025-51605

An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make...

tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their...