369 matches found
EUVD-2026-45231
HCL DevOps Loop is affected by a Cross-Origin Resource Sharing CORS misconfiguration. Improper CORS configuration may allow unauthorized cross-origin requests, potentially exposing application resources to untrusted domains...
CVE-2026-56458
HCL DevOps Deploy uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...
CVE-2026-57111
Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...
CVE-2026-59804 Midscene Bridge Server - Session Hijack via Unauthenticated WebSocket
Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, whi...
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Summary Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the...
CVE-2026-55110
A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing CORS misconfiguration found in UniFi OS to trigger actions in UniFi OS using that user's session...
CVE-2026-55110
Summary: CVE-2026-55110 describes a CORS misconfiguration in UniFi OS that could allow a malicious page to trigger actions in UniFi OS using an authenticated user’s session after the user visits a malicious page. Affected software/component: UniFi OS (CORS configuration issue). Root cause: CORS m...
CVE-2026-54833
Unauthenticated Backdoor in Enable CORS = 2.0.3 versions...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains (CVE-2026-12084)
Summary IBM DevOps Deploy / IBM UrbanCode Deploy UCD uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. CVE-2026-12084. Vulnerability Details...
CVE-2026-56234 Capgo - Password Spraying via Public-Key Accessible Credential Validation Endpoint
Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...
Cross-Origin Resource Sharing (CORS) Misconfiguration
hono is vulnerable to Cross-Origin Resource Sharing CORS Misconfiguration. The vulnerability is due to reflecting arbitrary Origin headers while allowing credentials when no explicit origin is configured, which allows an attacker-controlled website to make authenticated cross-origin requests and...
CVE-2026-50087
Technical details (affected product/version, root cause, remediation) are not publicly available in the provided documents. Monitor for updates.
CVE-2026-36604
Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...
Jupyter Server 安全漏洞
Jupyter Server is an application developed by the Jupyter organization that provides backend services for Jupyter web applications. There are security vulnerabilities in the version of Jupyter Server from 1.12.0 to 2.17.0. These vulnerabilities stem from the use of re.match in CORS source...
CVE-2026-10056 CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request
CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account...
CVE-2026-9739
Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...
CVE-2026-34331
Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally...
Chromium: CVE-2026-7968 Insufficient validation of untrusted input in CORS
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
CVE-2026-28201
An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration i...
open-notebook 安全漏洞
Open-Notebook is a privacy-oriented multi-model AI note-taking tool developed by Luis Novo. Version 1.8.1 of Open-Notebook contains a security vulnerability. This vulnerability stems from improper input validation and overly permissive default CORS configurations. It could allow remote attackers ...