Lucene search
K

10 matches found

EUVD
EUVD
added 2026/05/07 12:31 p.m.15 views

EUVD-2026-28345

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration i...

8.7CVSS6AI score0.00144EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/07 10:12 a.m.8 views

CVE-2026-28201

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration i...

8.7CVSS6AI score0.00144EPSS
Exploits0References2
Veracode
Veracode
added 2026/04/25 5:40 a.m.18 views

Cross-origin Data Exfiltration

Glances is vulnerable to Cross-origin Data Exfiltration. The vulnerability is due to the REST API /api/4/ being exposed without authentication and configured with a permissive CORS policy Access-Control-Allow-Origin: , allowing malicious websites to access and exfiltrate sensitive system...

8.7CVSS5.8AI score0.00408EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/04/21 3:14 p.m.8 views

EUVD-2026-23986

Glances: Cross-Origin Information Disclosure via Unauthenticated REST API /api/4 due to Permissive CORS...

8.7CVSS5.7AI score0.00408EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/21 3:14 p.m.12 views

Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS

Summary The Glances web server exposes a REST API /api/4/ that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy Access-Control-Allow-Origin: . This allows a malicious website to read sensitive system information from a running...

8.7CVSS5.8AI score0.00408EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/03/20 5:52 a.m.26 views

CVE-2026-33043 AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials...

8.1CVSS0.00345EPSS
Exploits1References2
CVE
CVE
added 2026/03/13 8:7 p.m.14 views

CVE-2026-32617

AnythingLLM prior to 1.11.1 on default installations with no credentials exposes unauthenticated HTTP endpoints and WebSocket, with CORS accepting any origin. The server binds to 127.0.0.1 by default, and browser Private Network Access blocks public-to-private requests, so exploitation is feasibl...

7.5CVSS5.7AI score0.0041EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/13 8:7 p.m.9 views

CVE-2026-32617 AnythingLLM Permissable CORS policy

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the...

7.1CVSS5.7AI score0.0041EPSS
Exploits1References1
OSV
OSV
added 2026/03/12 8:32 p.m.4 views

GHSA-M48G-4WR2-J2H6 TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction

Summary The TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system Details When running tinacms dev, the CLI...

6.2CVSS5.9AI score0.01025EPSS
Exploits1References3
CNNVD
CNNVD
added 2021/08/16 12:0 a.m.4 views

MockServer 跨站脚本漏洞

MockServer is designed to emulate any server or service, such as a REST or RPC service, over HTTP or HTTPS. MockServer suffers from a cross-site scripting vulnerability that originates from a vulnerability that can trick a victim into visiting a malicious site while running MockServer locally,...

9.6CVSS8.4AI score0.02164EPSS
Exploits1References4
Rows per page
Query Builder