255 matches found
CVE-2026-52843
What is affected: Lightpanda’s headless browser. Issue: Prior to 0.2.9, fetch() and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials mode (omit, same-origin, include) and XMLHttpRequest.withCredentials. Impact: An attacker-controlled origin in a ...
CVE-2026-52843 Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests regardless of credentials mode
Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials: omit, credentials: same-origin, credentials: include, and XMLHttpRequest.withCredentials,...
CVE-2026-58656
Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: , allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token...
Linux Distros Unpatched Vulnerability : CVE-2026-59153
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its...
CVE-2026-59153
Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting...
DEBIAN-CVE-2026-59153
Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting...
CVE-2026-59153
Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting...
CVE-2026-59153
Anki’s local HTTP server vulnerability (CVE-2026-59153) affects Anki prior to version 25.09.3. The embedded local server serving media/files did not sufficiently block cross-origin requests from other origins, enabling potential side-effecting requests from malicious sites. The CVSS-based data in...
CVE-2026-59153 Anki's local HTTP server does not sufficiently validate requests
Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting...
CVE-2026-12084 IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...
CVE-2026-58169
Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to...
CVE-2026-58169
Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to...
CVE-2026-57957
Papermark through 0.22.0 contains a cross-origin resource sharing CORS misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with...
EUVD-2026-40142
Papermark through 0.22.0 contains a cross-origin resource sharing CORS misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with...
CVE-2026-57957 Papermark 0.22.0 - CORS Misconfiguration in Viewer Upload Endpoint
Papermark through 0.22.0 contains a cross-origin resource sharing CORS misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with...
PYSEC-2026-418 MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...
CVE-2026-46608
CVE-2026-46608 concerns Glances XML-RPC server (glances -s) where a multi-origin CORS configuration intended to restrict browser access silently falls back to a wildcard when cors_origins has two or more entries. The issue arises from server-side logic that sets Access-Control-Allow-Origin to the...
CVE-2026-54290
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin the default wildcard, the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make...
PT-2026-56267
Name of the Vulnerable Software and Affected Versions Anki versions prior to 25.09.3 Description Anki launches a local HTTP server to serve media files and web pages for its interface. The server does not sufficiently block requests from other origins, allowing a malicious website to trigger...
PT-2026-49737
Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.25 Description The CORS Middleware reflects the request Origin and sends Access-Control-Allow-Credentials: true when credentials: true is enabled and no explicit origin is defined defaulting to the wildcard. This...