Lucene search
+L

11 matches found

EUVD
EUVD
added 2026/07/11 1:1 p.m.8 views

EUVD-2026-43176

PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication...

8.8CVSS6.1AI score0.00322EPSS
Exploits0References2
CVE
CVE
added 2026/07/09 6:27 p.m.14 views

CVE-2026-59148

The CVE covers Mockoon prior to version 9.7.0, where the admin API was mounted on the same Express listener as user mock routes with default-enabled, unauthenticated access and permissive CORS (Access-Control-Allow-Origin: ). This allowed any unauthenticated client on the mock server port to: rea...

8.8CVSS6AI score0.00173EPSS
Exploits0References5
CVE
CVE
added 2026/07/08 2:5 p.m.11 views

CVE-2026-10708

CVE-2026-10708 — Summary (Adalo platform) Affected: Adalo’s database API across V1/V2 applications (notably via a minimal leaderboard component). Root cause: Wildcard Cross‑Origin Resource Sharing (CORS), long‑lived JWTs (~20 days) stored client‑side, and absence of token revocation/ownership che...

7.5CVSS6AI score0.00158EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/08 2:5 p.m.9 views

EUVD-2026-42276

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the...

6AI score0.00158EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/01 12:34 a.m.10 views

EUVD-2026-40432

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech TTS generation endpoint packages/server/src/controllers/text-to-speech/index.ts, independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...

6.9CVSS5.8AI score0.00136EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/26 9:8 p.m.11 views

CVE-2026-44895 GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools

GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: on every response. The structural defect is that the SSE server stands up a stateful,...

9.2CVSS5.8AI score0.00392EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/26 9:8 p.m.11 views

CVE-2026-44895

GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: on every response. The structural defect is that the SSE server stands up a stateful,...

9.2CVSS5.8AI score0.00392EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/26 9:8 p.m.4 views

CVE-2026-44895 GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools

GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: on every response. The structural defect is that the SSE server stands up a stateful,...

9.2CVSS6AI score0.00392EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/05/20 3:38 p.m.11 views

NPM: Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage

NPM: Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

5.8AI score
Exploits0References2Affected Software1
OSV
OSV
added 2026/04/23 2:28 p.m.17 views

GHSA-RHF7-WVW3-VJVM goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

Summary The PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS preflight handler httpserver/server.go, any website can wri...

6.5CVSS5.9AI score0.00165EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/03/30 12:0 a.m.14 views

PT-2026-29161

Name of the Vulnerable Software and Affected Versions MCP Java SDK versions prior to 1.0.1 MCP Java SDK versions prior to 1.1.1 Description The MCP Java SDK contains a hardcoded wildcard Cross-Origin Resource Sharing CORS configuration, specifically setting Access-Control-Allow-Origin to ''. This...

6.1CVSS7.5AI score0.00222EPSS
Exploits0References11
Rows per page
Query Builder