
24 matches found

Positive Technologies
added 2026/06/04 12:00 a.m. | 20 views

PT-2026-46848

Summary: The hidden nhost configserver used by nhost dev exposes the Mimir GraphQL API with dummy authorization directives and permissive CORS. When a developer is running the local development environment, any process that can reach the developer's localhost service, including a web page loaded...

CVSS 5.4 | AI score 5.9
Exploits: 0 | References: 6
CNNVD
added 2026/05/04 12:00 a.m. | 9 views

goshs cross-site request forgery vulnerability

Goshs is a simple HTTP server written in Go by Patrick Hener. Versions of Goshs prior to 2.0.2 contained a cross-site request forgery vulnerability. This vulnerability stemmed from the lack of CSRF token verification in the PUT upload handler. Combined with the unconditional...

CVSS 6.5 | AI score 5.9 | EPSS 0.00165
Exploits: 1 | References: 2
Cvelist
added 2026/04/20 11:09 p.m. | 31 views

CVE-2026-34839 Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS

Glances is an open-source cross-platform system monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (/api/4/) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (Access-Control-Allow-Origin: *). This...

CVSS 8.7 | EPSS 0.00408
Exploits: 1 | References: 2
Cvelist
added 2026/03/31 9:45 p.m. | 21 views

CVE-2026-34449 SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScri...

CVSS 9.6 | EPSS 0.00499
Exploits: 1 | References: 3
OSV
added 2026/03/31 9:45 p.m. | 5 views

CVE-2026-34449 SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScri...

CVSS 9.6 | AI score 5.9 | EPSS 0.00499
Exploits: 1 | References: 5
RedhatCVE
added 2026/03/26 3:02 p.m. | 4 views

CVE-2026-32617

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, on default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the...

CVSS 7.5 | AI score 5.7 | EPSS 0.0041
Exploits: 1 | References: 1
OSV
added 2026/03/13 8:07 p.m. | 6 views

CVE-2026-32617 AnythingLLM Permissive CORS policy

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, on default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the...

CVSS 7.1 | AI score 5.7 | EPSS 0.0041
Exploits: 1 | References: 3
Github Security Blog
added 2026/03/12 8:32 p.m. | 10 views

TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction

Summary: The TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. Details: When running tinacms dev, the CLI...

CVSS 6.2 | AI score 5.9 | EPSS 0.01025
Exploits: 1 | References: 3 | Affected Software: 1
OSV
added 2026/03/12 8:32 p.m. | 3 views

GHSA-8PW3-9M7F-Q734 TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS

Summary: The TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability previously reported to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary...

CVSS 9.6 | AI score 5.9 | EPSS 0.00535
Exploits: 1 | References: 6
CVE
added 2026/01/26 5:49 p.m. | 18 views

CVE-2026-24435

The CVE concerns Shenzhen Tenda W30E V2 firmware versions up to and including 16.01.0.19(5037), which implement a permissive CORS policy on authenticated admin endpoints by setting Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true. This enables attacker-controlle...

CVSS 7.1 | AI score 5.9 | EPSS 0.00211
Exploits: 0 | References: 2 | Affected Software: 1
VulnCheck KEV
added 2026/01/23 12:00 a.m. | 12 views

VulnCheck KEV: CVE-2025-34291

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicio...

CVSS 9.4 | AI score 6.4 | EPSS 0.7889
In the wild | Exploits: 3 | References: 3
Positive Technologies
added 2026/01/12 12:00 a.m. | 8 views

PT-2026-2315

Name of the Vulnerable Software and Affected Versions: OpenCode versions prior to 1.0.216. Description: OpenCode, an open source AI coding agent, has an issue where it automatically starts an unauthenticated HTTP server. This allows any local process, or any website due to permissive CORS settings, ...

CVSS 10 | AI score 6.3 | EPSS 0.16955
Exploits: 7 | References: 22
OSV
added 2025/12/05 11:15 p.m. | 7 views

CVE-2025-34291

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicio...

CVSS 8.8 | AI score 8.3 | EPSS 0.7889
Exploits: 3 | References: 3
Snyk
added 2025/12/05 10:43 p.m. | 3 views

Origin Validation Error

Overview: Affected versions of this package are vulnerable to Origin Validation Error via an overly permissive CORS configuration in the refresh endpoint. An attacker can gain unauthorized access to authentication tokens and execute arbitrary code by enticing a victim to visit a malicious webpage...

CVSS 9.6 | AI score 7.7 | EPSS 0.7889
Exploits: 3 | References: 2
RedhatCVE
added 2025/03/22 11:24 a.m. | 7 views

CVE-2024-8489

A vulnerability in modelscope/agentscope, specifically in the AgentScope Studio backend server, allows for Cross-Site Request Forgery (CSRF) due to overly permissive CORS headers. This issue affects the latest commit on the main branch (21161fe). The vulnerability permits an attacker to access all...

CVSS 8.8 | AI score 7 | EPSS 0.00214
Exploits: 0 | References: 1
Snyk
added 2025/03/20 10:49 a.m. | 4 views

Cross-site Request Forgery (CSRF)

Overview: aim is a super-easy way to record, search and compare AI experiments. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to overly permissive CORS settings that allow cross-origin requests from all origins. An attacker can manipulate the state of the...

CVSS 9.6 | AI score 6.7 | EPSS 0.00474
Exploits: 1 | References: 2
Snyk
added 2025/03/20 10:48 a.m. | 3 views

Cross-site Request Forgery (CSRF)

Overview: agentscope is "AgentScope: A Flexible yet Robust Multi-Agent Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to overly permissive CORS headers in app.py. Remediation: There is no fixed version for agentscope. References: - Vulnerability...

CVSS 8.8 | AI score 7 | EPSS 0.00214
Exploits: 0 | References: 2
CVE
added 2025/03/20 10:09 a.m. | 44 views

CVE-2024-7760

CVE-2024-7760 affects aimhubio/aim (v3.22.0) where the tracking server is vulnerable to Cross-Site Request Forgery (CSRF) due to overly permissive CORS settings that allow cross-origin requests from all origins. This vulnerability enables CSRF on all endpoints of the tracking server and can be ch...

CVSS 9.6 | AI score 8.1 | EPSS 0.00474
Exploits: 1 | References: 1 | Affected Software: 1
Cvelist
added 2025/03/20 10:09 a.m. | 11 views

CVE-2024-7760 CSRF in aimhubio/aim

aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can b...

CVSS 7.4 | EPSS 0.00474
Exploits: 1 | References: 1
OSV
added 2023/11/14 11:15 a.m. | 5 views

CVE-2023-46098

A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This could allow an attacker to trick a legitimate user into triggering unwanted behavior...

CVSS 8.8 | AI score 5.7 | EPSS 0.00618
Exploits: 0 | References: 1