CVE-2026-49202

Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing CORS rules that allow cross-site theft...

CVE-2026-49202

Technical details are not publicly available in the provided documents; monitor for updates.

Langflow AI <= 1.6.9 - CORS Misconfiguration

Langflow AI versions 1.6.9 and earlier are vulnerable to a CORS misconfiguration that allows any origin to make credentialed requests. Combined with SameSite=None cookies, this enables cross-origin token theft and subsequent remote code execution via the /api/v1/validate/code endpoint. id:...

PT-2026-46153

Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing CORS rules that allow cross-site theft...

CVE-2026-36604

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...

Network Optix Nx Witness VMS 安全漏洞

Network Optix Nx Witness VMS is a video management system developed by the American company Network Optix. Versions of Network Optix Nx Witness VMS prior to version 6.1.2 contained security vulnerabilities. These vulnerabilities were caused by incorrect CORS configurations in the REST API, which...

Nocturne Memory 访问控制错误漏洞

Nocturne Memory is an AI long-term memory server developed by Niwato. Versions prior to Nocturne Memory 2.4.1 contained an access control vulnerability. This vulnerability occurred when the APITOKEN was not set or was empty, allowing the BearerTokenAuthMiddleware to bypass identity verification f...

Chromium: CVE-2026-8576 Inappropriate implementation in CORS

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

CVE-2026-8576

An inappropriate implementation flaw was found in the CORS component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=496231853...

EUVD-2026-30396

Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...

PT-2026-41105

Name of the Vulnerable Software and Affected Versions Google Chrome on Linux versions prior to 148.0.7778.168 Google Chrome on ChromeOS versions prior to 148.0.7778.168 Description An inappropriate implementation in Cross-Origin Resource Sharing CORS, a mechanism that allows restricted resources ...

Cleanuparr 访问控制错误漏洞

Cleanuparr is an automated tool developed by Cleanuparr OpenSource, designed to clean up invalid files in the download queue. Versions of Cleanuparr prior to 2.9.10 contained a access control vulnerability. This vulnerability stemmed from the global CORS policy, which reflected the Origin of each...

CVE-2026-7968

An insufficient validation of untrusted input flaw was found in the CORS component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=497432281...

CVE-2026-28201

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration i...

CVE-2026-28201 SurrealDB Injection on Open Notebook

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration i...

EUVD-2026-28040

Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-7968

Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

PT-2026-37234

Name of the Vulnerable Software and Affected Versions Jupyter Server versions prior to 2.18.0 Description Origin header validation uses the re.match function to check incoming origins against the allow origin pat configuration value. Because re.match only anchors at the start of the string and do...

PT-2026-38161

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description Insufficient validation of untrusted input in Cross-Origin Resource Sharing CORS—a mechanism that allows restricted resources on a web page to be requested from another domain—enables a...

CVE-2026-42091 goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...