Skip to main content

Cors Misconfiguration EUVDEUVD-2026-21773

| CVE-2026-6143 LOW
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-04-13 VulDB GHSA-rrm6-2q2p-cpx5
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 13, 2026 - 02:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 13, 2026 - 02:04 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 02:00 euvd
EUVD-2026-21773
Analysis Generated
Apr 13, 2026 - 02:00 vuln.today
Patch released
Apr 13, 2026 - 02:00 nvd
Patch available
CVE Published
Apr 13, 2026 - 01:15 nvd
LOW 2.1

DescriptionCVE.org

A security flaw has been discovered in farion1231 cc-switch up to 3.12.3. Affected by this issue is some unknown functionality of the file src-tauri/src/proxy/server.rs of the component ProxyServer. The manipulation results in permissive cross-domain policy with untrusted domains. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Permissive cross-domain policy in farion1231 cc-switch up to version 3.12.3 allows authenticated remote attackers to access sensitive information and modify data across untrusted domains via misconfigured CORS headers in the ProxyServer component. Publicly available exploit code exists, and vendor patches are available; this represents a moderate but actively exploitable configuration flaw affecting networked deployments.

Technical ContextAI

The vulnerability stems from improper Cross-Origin Resource Sharing (CORS) policy implementation in the ProxyServer component (src-tauri/src/proxy/server.rs) of cc-switch, a Tauri-based application framework. The root cause is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains), indicating that the application fails to properly validate or restrict which domains are allowed to make cross-origin requests. This misconfiguration enables malicious or compromised domains to interact with the cc-switch proxy server, bypassing same-origin policy protections that normally isolate web applications. The Tauri framework integration means this affects both desktop and web-based deployments of cc-switch that rely on the proxy server for inter-domain communication.

RemediationAI

Upgrade farion1231 cc-switch to version 3.12.4 or later, which includes the fix committed via https://github.com/farion1231/cc-switch/pull/1915. This patch addresses the permissive CORS policy by implementing stricter domain validation and proper cross-origin request filtering. In the interim, if an immediate upgrade is not feasible, restrict network access to the ProxyServer component to trusted internal networks only, and review the CORS configuration in src-tauri/src/proxy/server.rs to manually enforce a whitelist of allowed domains. Monitor application logs for cross-origin requests from unexpected domains. For deployment guidance, consult the vendor advisory at https://vuldb.com/vuln/357007.

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2021-34435 HIGH POC
8.8 Sep 01

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th

CVE-2025-30354 HIGH POC
8.7 Apr 01

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut

CVE-2024-41659 HIGH POC
8.1 Aug 20

memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2024-37131 CRITICAL
9.8 Jun 13

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated

CVE-2022-26969 CRITICAL
9.8 Dec 26

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9

CVE-2022-31736 CRITICAL
9.8 Dec 22

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical

CVE-2026-34449 CRITICAL
9.6 Mar 31

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to

CVE-2026-6662 MEDIUM POC
5.5 Apr 20

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint

CVE-2026-9739 CRITICAL
9.4 May 27

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional

CVE-2026-61736 CRITICAL
9.3 Jul 15

Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c

CVE-2026-8948 CRITICAL
9.1 May 19

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Share

EUVD-2026-21773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy