136 matches found

EUVD
added 2 days ago, 5 views

EUVD-2026-40432

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...

CVSS 6.9 | AI score 5.8 | EPSS 0.00182
Exploits 0 | References 3
CVE
added last week, 12 views

CVE-2026-54753

Summary (CVE-2026-54753): Nx's `nx graph` local HTTP server (in versions 17.0.4 through 22.7.2 and 23.0.0-beta.2) exposed an overly permissive CORS policy by returning Access-Control-Allow-Origin: * on every response. This enabled cross-origin access to sensitive server data, including the full proj...

CVSS 5.9 | AI score 5.9 | EPSS 0.00812
Exploits 0 | References 2
AstraLinux
added 2026/06/19 11:10 a.m., 4 views

Astra Linux – Vulnerability in Chromium

Insufficient policy enforcement in CORS in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page...

CVSS 6.5 | AI score 6.8 | EPSS 0.00831
Exploits 0 | References 2
AstraLinux
added 2026/06/19 11:10 a.m., 4 views

Astra Linux – Vulnerability in Chromium

Insufficient policy enforcement in COOP in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data through a crafted HTML page...

CVSS 6.5 | AI score 6.6 | EPSS 0.00763
Exploits 1 | References 2
Tenable Nessus
added 2026/06/05 12:00 a.m., 11 views

RockyLinux 10 : thunderbird (RLSA-2026:22325)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:22325 advisory. firefox: Incorrect boundary conditions in the JavaScript Engine: JIT component (CVE-2026-8388); firefox: Other issue in the JavaScript Engine component...

CVSS 9.8 | AI score 5.7 | EPSS 0.00605
Exploits 0 | References 39
ATTACKERKB
added 2026/05/28 6:41 p.m., 6 views

CVE-2026-46685

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and...

CVSS 6 | AI score 5.8 | EPSS 0.00108
Exploits 0 | References 2 | Affected Software 1
GithubExploit
added 2026/05/22 8:44 p.m., 89 views

Exploit for Origin Validation Error in Langflow

CVE-2025-34291 – Langflow Origin Validation / CORS...

CVSS 9.4 | AI score 7.5 | EPSS 0.7889
Exploits 3
Github Security Blog
added 2026/05/20 3:38 p.m., 10 views

Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage

Summary: The TTS generation endpoint sets Access-Control-Allow-Origin: * as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials. Root Cause ...

AI score 5.8
Exploits 0 | References 2 | Affected Software 1
OSV
added 2026/05/20 3:38 p.m., 8 views

GHSA-M837-XVXR-VQWG Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage

Summary: The TTS generation endpoint sets Access-Control-Allow-Origin: * as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials. Root Cause ...

CVSS 6.9 | AI score 5.8
Exploits 0 | References 2
Github Security Blog
added 2026/05/18 1:31 p.m., 32 views

webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

Impact: When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via <script> tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on Sec-Fetch-Mode and Sec-Fetch-Site request headers to block these...

CVSS 6.5 | AI score 6.5 | EPSS 0.00427
Exploits 2 | References 6 | Affected Software 1
Snyk
added 2026/05/09 12:10 a.m., 10 views

Permissive Cross-domain Policy with Untrusted Domains

Overview: @yoda.digital/gitlab-mcp-server is a GitLab MCP Server - A Model Context Protocol server for GitLab integration. Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the SSE HTTP transport when USE_SSE=true is set, which lacks...

CVSS 9.2 | AI score 5.8 | EPSS 0.00392
Exploits 0 | References 3
Microsoft CVE
added 2026/05/07 2:00 p.m., 9 views

Chromium: CVE-2026-7945 Insufficient validation of untrusted input in COOP

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

CVSS 3.1 | AI score 5.8 | EPSS 0.002
Exploits 0
CVE
added 2026/05/07 10:12 a.m., 23 views

CVE-2026-28201

Open Notebook v1.8.1 is affected by CVE-2026-28201 due to improper input validation and a permissive default CORS policy. A remote attacker can trick a legitimate user into altering or deleting arbitrary database entries via a specially crafted URL, with data exfiltration possible depending on de...

CVSS 8.7 | AI score 6 | EPSS 0.00144
Exploits 0 | References 1 | Affected Software 1
RedHat Linux
added 2026/05/07 6:01 a.m., 10 views

webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy

A flaw was found in WebKitGTK. Processing malicious web content can cause a cross-origin issue in the Navigation API due to improper input validation and result in a bypass of the same origin policy...

CVSS 5.4 | AI score 6 | EPSS 0.00354
Exploits 2 | References 5
NVD
added 2026/05/06 7:16 p.m., 6 views

CVE-2026-7968

Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

CVSS 3.1 | EPSS 0.00216
Exploits 0 | References 2
NVD
added 2026/05/06 7:16 p.m., 4 views

CVE-2026-7945

Insufficient validation of untrusted input in COOP in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...

CVSS 3.1 | EPSS 0.002
Exploits 0 | References 2
AlpineLinux
added 2026/05/06 6:12 p.m., 7 views

CVE-2026-7968

Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

CVSS 3.1 | AI score 5.8 | EPSS 0.00216
Exploits 0
Debian CVE
added 2026/05/06 6:12 p.m., 4 views

CVE-2026-7945

Insufficient validation of untrusted input in COOP in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...

CVSS 3.1 | AI score 5.8 | EPSS 0.002
Exploits 0
OSV
added 2026/05/05 10:20 p.m., 4 views

GHSA-7WW3-XVF5-CXWM ciguard: Web UI is missing HTTP defence-in-depth headers

Summary: ciguard's FastAPI Web UI (src/ciguard/web/app.py) does not set HTTP defence-in-depth headers. An OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy (Medium), X-Frame-Options (Medium), Sub-Resource-Integrity on /api/docs (Medium), COOP / COEP / CORP (Low), Permissions-Policy (Low)...

CVSS 4.3 | AI score 5.8
Exploits 0 | References 4
Github Security Blog
added 2026/05/05 10:20 p.m., 7 views

ciguard: Web UI is missing HTTP defence-in-depth headers

Summary: ciguard's FastAPI Web UI (src/ciguard/web/app.py) does not set HTTP defence-in-depth headers. An OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy (Medium), X-Frame-Options (Medium), Sub-Resource-Integrity on /api/docs (Medium), COOP / COEP / CORP (Low), Permissions-Policy (Low)...

AI score 5.8
Exploits 0 | References 4 | Affected Software 1