Skip to main content

Cors Misconfiguration EUVDEUVD-2026-17363

| CVE-2026-0397 LOW
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-03-31 OX
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
SUSE
LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 12:15 euvd
EUVD-2026-17363
Analysis Generated
Mar 31, 2026 - 12:15 vuln.today
CVE Published
Mar 31, 2026 - 11:53 nvd
LOW 3.1

DescriptionCVE.org

When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.

AnalysisAI

Cross-Origin Resource Sharing (CORS) misconfiguration in PowerDNS dnsdist's internal webserver allows remote attackers to extract sensitive configuration information from the dashboard through a social engineering attack targeting authenticated administrators. An attacker can trick an admin into visiting a malicious website, which then leverages the misconfigured CORS policy to read dashboard API responses containing running configuration details. The vulnerability requires the internal webserver to be enabled (disabled by default) and user interaction, resulting in limited confidentiality impact with no integrity or availability risk.

Technical ContextAI

PowerDNS dnsdist is a DNS load balancer and traffic distribution tool that includes an optional internal webserver providing a REST API for dashboard and configuration access. The vulnerability stems from improper CORS policy configuration on this webserver, which controls whether cross-origin requests from arbitrary domains are permitted. CORS (Cross-Origin Resource Sharing) is a browser security mechanism that by default prevents JavaScript running on one domain from accessing resources on another domain. When misconfigured, an attacker-controlled website can make authenticated requests to the dnsdist dashboard API running on a victim administrator's localhost or internal network, bypassing the intended browser same-origin policy. The affected product is PowerDNS dnsdist across all versions, as identified in the CPE string cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*.

RemediationAI

Apply the vendor-released security patch provided by PowerDNS. Immediately review the security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html for the specific patched version number and upgrade instructions. If the internal webserver is not in use, the simplest mitigation is to confirm it remains disabled in the configuration (default setting). For deployments where the webserver is required, apply the patch as soon as feasible and consider implementing network-level access controls to restrict access to the webserver to trusted administrative networks only, reducing the likelihood of a successful social engineering attack reaching the vulnerable interface.

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2021-34435 HIGH POC
8.8 Sep 01

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th

CVE-2025-30354 HIGH POC
8.7 Apr 01

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut

CVE-2024-41659 HIGH POC
8.1 Aug 20

memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2024-37131 CRITICAL
9.8 Jun 13

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated

CVE-2022-26969 CRITICAL
9.8 Dec 26

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9

CVE-2022-31736 CRITICAL
9.8 Dec 22

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical

CVE-2026-34449 CRITICAL
9.6 Mar 31

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to

CVE-2026-6662 MEDIUM POC
5.5 Apr 20

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint

CVE-2026-9739 CRITICAL
9.4 May 27

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional

CVE-2026-61736 CRITICAL
9.3 Jul 15

Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c

CVE-2026-8948 CRITICAL
9.1 May 19

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Vendor StatusVendor

Debian

dnsdist
Release Status Fixed Version Urgency
bullseye fixed (unfixed) end-of-life
bookworm fixed (unfixed) end-of-life
trixie vulnerable 1.9.10-1+deb13u1 -
forky vulnerable 2.0.2-1 -
sid fixed 2.0.3-1 -
(unstable) fixed 2.0.3-1 -

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-17363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy