CVE-2026-46685

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFSCORSALLOWEDORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and...

CVE-2026-46685

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFSCORSALLOWEDORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and...

rustfs 安全漏洞

RustFS is a high-performance object storage system developed by RustFS. Versions of RustFS prior to 1.0.0-beta.2 contained a security vulnerability. This vulnerability arises when RUSTFSCORSALLOWEDORIGINS is not set; in such cases, ConditionalCorsLayer reflects the Origin value and sets a relaxed...

Exploit for Origin Validation Error in Langflow

CVE-2025-34291corssecurityscanner A lightweight Python-base...

CVE-2026-41057

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8...

CVE-2026-41057

CVE-2026-41057 affects WWBN AVideo (versions 29.0 and below). The issue arises from two incomplete CORS mitigations: (1) in plugin/API/router.php (lines 4–8) the server unconditionally reflects arbitrary Origin before application code runs, and (2) get.json.php and set.json.php call allowOrigin(t...

CVE-2026-41056

WWBN AVideo (versions 29.0 and below) is affected by a cross-origin vulnerability where allowOrigin($allowAll=true) reflects arbitrary Origin headers in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true. The reflection occurs in objects/functions.php and is invoked ...

CVE-2026-41056 AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover

WWBN AVideo is an open source video platform. In versions 29.0 and below, the allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both...

CVE-2026-41056 AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover

WWBN AVideo is an open source video platform. In versions 29.0 and below, the allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both...

GHSA-FF5Q-CC22-FGP4 WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses

Summary The CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8 unconditionally reflect any origin before application code runs, and 2...

WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover

Summary The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API...

GHSA-CCQ9-R5CW-5HWQ WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover

Summary The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API...

AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

Summary /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account...

GHSA-9JFM-9RC6-2HFQ Glances's Default CORS Configuration Allows Cross-Origin Credential Theft

Summary The Glances REST API web server ships with a default CORS configuration that sets alloworigins="" combined with allowcredentials=True. When both of these options are enabled together, Starlette's CORSMiddleware reflects the requesting Origin header value in the Access-Control-Allow-Origin...

PT-2026-2470

A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticat...

PT-2026-25848

Name of the Vulnerable Software and Affected Versions Glances versions prior to 4.5.2 Description Glances, a cross-platform system monitoring tool, has a configuration issue in its REST API web server. The default CORS Cross-Origin Resource Sharing configuration sets allow origins to '' and allow...

CVE-2025-63386

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

EUVD-2025-204302

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

EUVD-2025-204306

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any...

CVE-2025-63386

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...