EUVD-2026-32003

GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: on every response. The structural defect is that the SSE server stands up a stateful,...

CVE-2026-46431

CVE-2026-46431 affects Algernon’s SSE event server prior to version 1.17.7, where Access-Control-Allow-Origin was hardcoded to “*”. This allowed cross-origin EventSource connections to read the live filename stream, compromising confidentiality. The issue is fixed in 1.17.7; upgrading to that ver...

CVE-2026-46431 Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

CVE-2026-46431 Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

GHSA-9V4J-7G44-QCQW Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication

Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...

Exploit for Origin Validation Error in Langflow

CVE-2025-34291corssecurityscanner A lightweight Python-base...

SUSE CVE-2026-42091

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

CVE-2026-42091

CVE-2026-42091 affects goshs (Go SimpleHTTPServer). Prior to v2.0.2, the PUT upload handler lacks CSRF validation (unlike POST), and the preflight OPTIONS handler uses Access-Control-Allow-Origin: *. Combined, this enables cross-origin writes of arbitrary files to a goshs instance via the victim’...

CVE-2026-42091 goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

CVE-2026-34237

CVE-2026-34237 affects MCP Java SDK. A hardcoded wildcard CORS configuration (Access-Control-Allow-Origin: *) existed in versions before 0.83.0, 1.0.1, and 1.1.1, allowing cross-origin requests to server endpoints (including SSE paths). The issue has been patched in those versions (0.83.0, 1.0.1,...

CVE-2026-34237 MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and 1.1.1...

CVE-2026-32610

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets alloworigins="" combined with allowcredentials=True. When both of these options are enabled together, Starlette's CORSMiddlewa...

GHSA-G9RG-8VQ5-MPWM mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft

Summary When the HTTP server is enabled MCPHTTPENABLED=true, the application configures FastAPI's CORSMiddleware with alloworigins='', allowcredentials=True, allowmethods="", and allowheaders="". The wildcard Access-Control-Allow-Origin: header permits any website to read API responses...

EUVD-2026-4675

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 implement an insecure Cross-Origin Resource Sharing CORS policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: in combination with Access-Control-Allow-Credentials: true, allowing...

DRUPAL-CONTRIB-2025-122

This module enables integration between Next.js and Drupal for headless CMS functionality. When installed, the module automatically enables cross-origin resource sharing CORS with insecure default settings Access-Control-Allow-Origin: , overriding any services.yml CORS configuration. This allows...

UBUNTU-CVE-2019-25211

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/ is allowed when the intention is that only https://example.com/ should be allowed, and http://localhost.example.com/ is allowed when the intention is...

Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard "" while also having the Access-Control-Allow-Credentials set to true...

PT-2024-20765 · Fiber · Fiber

Name of the Vulnerable Software and Affected Versions: Fiber versions prior to 2.52.1 Description: The issue is related to the CORS middleware in Fiber, which allows for insecure configurations. Specifically, it permits setting the Access-Control-Allow-Origin header to a wildcard while also havin...

CVE-2023-52252

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint...

Unified Remote Security Vulnerability

Unified Remote is a smartphone application that enables a cell phone to become a wireless universal remote control. A security vulnerability exists in Unified Remote version 3.13.0, which stems from a security issue in the wildcard Access-Control-Allow-Origin for remote upload endpoints, allowing...