5 matches found

Cvelist
added yesterday | 5 views

CVE-2026-54290 Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's Origin and sends `Access-Control-Allow-Credentials: true`. Any site can then make...

CVSS 7.1 | EPSS 0.0003
Exploits: 0 | References: 1
Patchstack
added last week | 2 views

NPM: hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

NPM: hono: CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...

CVSS 7.1 | AI score 5.8 | EPSS 0.0003
Exploits: 0 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/05/20 12:0 a.m. | 5 views

PT-2026-42208

Summary: The SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a...

CVSS 4.3 | AI score 5.9 | EPSS 0.00219
Exploits: 0 | References: 5
Github Security Blog
added 2026/04/10 7:24 p.m. | 5 views

PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS

Summary: The AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and default...

CVSS 5.3 | AI score 5.9 | EPSS 0.00594
Exploits: 1 | References: 3 | Affected Software: 1
Vulnrichment
added 2026/03/18 4:31 p.m. | 5 views

CVE-2026-32610 Glances's Default CORS Configuration Allows Cross-Origin Credential Theft

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets allow_origins="" combined with allow_credentials=True. When both of these options are enabled together, Starlette's CORSMiddlewa...

CVSS 8.1 | AI score 5.7 | EPSS 0.00332
Exploits: 1 | References: 3