CVE-2026-37737

sanic-cors version 2.2.0 and prior contains an improper regular expression in the trymatch function in saniccors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain...

CVE-2026-41056

WWBN AVideo is an open source video platform. In versions 29.0 and below, the allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both...

PT-2026-46962

sanic-cors version 2.2.0 and prior contains an improper regular expression in the try match function in sanic cors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain...

CVE-2026-37737

sanic-cors version 2.2.0 and prior contains an improper regular expression in the trymatch function in saniccors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain...

Missing Origin Validation in WebSockets

Overview kanban is an A kanban foundation for coding agents Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets due to the lack of enforcement of origin and host policy. An attacker can gain unauthorized access to sensitive data and perform actions on behal...

CVE-2026-46431

CVE-2026-46431 affects Algernon’s SSE event server prior to version 1.17.7, where Access-Control-Allow-Origin was hardcoded to “*”. This allowed cross-origin EventSource connections to read the live filename stream, compromising confidentiality. The issue is fixed in 1.17.7; upgrading to that ver...

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the /ajax-api endpoints. An attacker can gain unauthorized access to the Assistant's configuration and execute arbitrary commands by sending crafted cross-origin requests from a malicious webpage. Remediation...

CVE-2026-2611

Vulnerability summary (CVE-2026-2611) : In MLflow 3.9.0, the MLflow Assistant’s /ajax-api endpoints had improper origin validation, allowing remote attackers to bypass the loopback-only restriction via cross-origin requests from malicious pages. This could let an attacker interact with the MLflow...

EUVD-2026-29726

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials. When DisableAuthForLocalAddresses ...

Insufficient Session Expiration

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Insufficient Session Expiration via misconfiguration of the CORSMiddleware module and improper session management. An attacker can gain unauthorized access and execute arbitrary code by enticing an...

CVE-2026-41056

WWBN AVideo is an open source video platform. In versions 29.0 and below, the allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both...

CVE-2026-34373

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This...

CVE-2026-33749

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such...

CVE-2026-28861

A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious website may be able to access script message handlers intended for other origins...

PT-2026-25012

Summary The TinaCMS CLI dev server combines a permissive CORS configuration Access-Control-Allow-Origin: with the path traversal vulnerability previously reported to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary...

PT-2026-21376

Name of the Vulnerable Software and Affected Versions CollabPlatform affected versions not specified Description The application’s Appwrite project is misconfigured, allowing arbitrary origins in Cross-Origin Resource Sharing CORS responses while also permitting credentialed requests. This allows...

CVE-2025-9292

CVE-2025-9292 affects TP-Link Omada Cloud Controller. A permissive web security configuration may bypass cross-origin restrictions in certain conditions, enabling potential unauthorized disclosure of sensitive data. Exploitation requires an existing client-side injection vulnerability and access ...

MiracleLinux 9 : firefox-128.3.0-1.el9_4.ML.1 (AXSA:2024-8889:32)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8889:32 advisory. firefox: 115.16/128.3 ESR firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and...

MiracleLinux 8 : thunderbird-128.3.0-1.el8_10.ML.1 (AXSA:2024-8894:23)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2024-8894:23 advisory. thunderbird: 115.16/128.3 firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service CVE-2024-9399 firefox:...

MiracleLinux 9 : thunderbird-128.3.0-1.el9_4.ML.1 (AXSA:2024-8890:22)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2024-8890:22 advisory. thunderbird: 115.16/128.3 firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service CVE-2024-9399 firefox:...