Skip to main content

Cors Misconfiguration

61 CVEs product

Monthly

CVE-2026-61736 CRITICAL PATCH Act Now

Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, credentialed API calls on behalf of a logged-in victim because the server ships with CORS_ORIGINS=* paired with allow_credentials=True. When an authenticated LightRAG user browses to an attacker-controlled page, that page can silently read documents and knowledge-graph data or issue destructive requests such as deleting the entire document store. No public exploit has been identified at time of analysis and the flaw is not in CISA KEV, but the fix is confirmed released in version 1.5.4.

Cors Misconfiguration Information Disclosure Lightrag
NVD GitHub
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-8919 HIGH This Week

Credential theft in ASUS GameSDK allows a remote attacker to capture a local user's NTLM hash by luring them to a crafted web page that abuses a permissive cross-domain policy to send a UNC-path request to GameSDK's local service endpoint. The flaw affects systems running the ASUS GameSDK local service (bundled with ASUS gaming utilities) and requires the victim to visit an attacker-controlled page (UI required); no authentication is needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the leaked NTLM material can be relayed or cracked to reach other services.

Cors Misconfiguration Information Disclosure Gamesdk
NVD
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-56458 HIGH This Week

Sensitive-information disclosure in HCL DevOps Deploy (formerly UrbanCode Deploy) versions 8.1 through 8.1.2.6 and 8.2 through 8.2.1.0 stems from an overly permissive Cross-Origin Resource Sharing (CORS) policy that fails to restrict allowed origins to trusted domains. Because the application accepts or reflects arbitrary origins, an attacker-controlled web page can issue cross-origin credentialed requests against an authenticated user's session to read protected data and invoke privileged actions. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 13th percentile), and CISA SSVC rates exploitation as none.

Cors Misconfiguration Information Disclosure Hcl Devops Deploy
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55110 MEDIUM PATCH This Month

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious web page ride that user's active session to perform privileged actions on the device, stemming from a permissive CORS policy that trusts untrusted origins. The flaw affects UniFi OS Server and the console firmware running on Dream Machines, Dream Routers, Dream Wall, Cloud Gateways, Cloud Keys, Enterprise Fortress Gateway, Express 7, and Network/Enterprise Video Recorders. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; success hinges on social-engineering an already-logged-in admin (CVSS 7.5, UI:R, AC:H).

Ubiquiti Cors Misconfiguration Information Disclosure Unifi Os Server Dream Machines +10
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12084 HIGH This Week

Sensitive information disclosure and unauthorized privileged actions in IBM DevOps Deploy (formerly UrbanCode Deploy/UCD) versions 8.1.0 through 8.1.2.6 and 8.2.0 through 8.2.1.0 stem from an overly permissive Cross-Origin Resource Sharing (CORS) policy that fails to restrict requests to trusted domains. An attacker who lures an authenticated user to a malicious web page can leverage the victim's session across origins to read confidential data and invoke privileged operations. No public exploit identified at time of analysis, and EPSS is low (0.15%, 5th percentile), consistent with CISA SSVC scoring exploitation as 'none'.

IBM Cors Misconfiguration Information Disclosure Devops Deploy
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-57957 LOW Monitor

CORS misconfiguration in Papermark through version 0.22.0 enables unauthenticated remote attackers to silently perform credentialed cross-origin file uploads into authenticated victims' datarooms and read credentialed server responses. The TUS-based viewer upload endpoint reflects arbitrary caller Origins while returning Access-Control-Allow-Credentials: true, violating the fundamental CORS security contract and allowing any attacker-controlled webpage to abuse a victim's active session. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; exploitation is constrained by the requirement for victim user interaction.

Cors Misconfiguration Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-56076 HIGH PATCH This Week

Cross-origin agent execution in PraisonAI's AGUI endpoint allows any attacker-controlled website to silently invoke locally-running agents and exfiltrate their streaming responses, including tool execution results and sensitive environment data. The flaw stems from a triad of issues - no authentication on POST /agui, a hardcoded wildcard CORS header, and Starlette's Content-Type-agnostic JSON parsing - that together let a simple cross-origin request bypass the browser's preflight check. No public exploit identified at time of analysis, but the GHSA advisory publishes a complete attack flow making weaponization trivial.

Cors Misconfiguration RCE Praisonai
NVD GitHub
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-54290 npm HIGH PATCH GHSA This Week

Cross-origin credential exposure in Hono web framework versions prior to 4.12.25 allows arbitrary third-party sites to read responses from cookie-authenticated endpoints when applications enable the CORS middleware with credentials: true and leave origin unset. The middleware reflects the request Origin header alongside Access-Control-Allow-Credentials: true, bypassing the browser's standard wildcard-with-credentials safeguard. No public exploit identified at time of analysis, but the misconfiguration pattern is trivial to weaponize and exploitation only requires luring an authenticated user to visit a malicious page.

Cors Misconfiguration Information Disclosure
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-50088 MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments (developer-test.aqara.com, aiot-test.aqara.com) allows a malicious website to read authenticated responses from any victim developer who visits it, exposing portal data tied to IoT/smart-home developer accounts. The flaw is a permissive CORS policy (CWE-942) that trusts untrusted origins; runZero disclosed it and no public exploit identified at time of analysis, though the technique is well-known and trivially scriptable.

Cors Misconfiguration Information Disclosure Aqara Developer Portal Aqara Developer Test Portal
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-50087 MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web origins to read authenticated user data by exploiting a permissive CORS policy that trusts arbitrary domains. The flaw, scored CVSS 8.2 with scope change due to credential exposure crossing the browser/identity-provider trust boundary, affects all users of Aqara's centralized smart-home identity service and can be triggered when a logged-in victim visits an attacker-hosted page. A public GitHub repository (xn0tsa/theres-no-place-like-home) is linked from the advisory, so publicly available exploit code exists, though no CISA KEV listing or EPSS signal is provided.

Cors Misconfiguration Information Disclosure Aqara Iam Sso Gateway
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-10056 HIGH PATCH This Week

Administrator account takeover in Network Optix Nx Witness VMS before 6.1.2 allows remote unauthenticated attackers to hijack authenticated user sessions through a CORS misconfiguration in the REST API when the product runs in default Standard security mode on Linux or Windows. By luring a logged-in operator to a malicious cross-origin page, the attacker's site can read credentialed REST responses and steal the session token, achieving full administrative takeover; no public exploit identified at time of analysis, but the issue is trivially weaponizable given the well-understood CORS attack pattern.

Microsoft Information Disclosure Cors Misconfiguration
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-9739 Go CRITICAL PATCH GHSA Act Now

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditionally emitting an `Access-Control-Allow-Origin: *` header, which overrides the `allowed-origins`/`allowed-hosts` controls added during beta and opens the endpoint to DNS rebinding. Any deployment using the SSE transport under MCP specification v2024-11-05 is affected, letting a remote attacker who lures a victim to a malicious web page read the victim's Toolbox/database tool responses cross-origin. Rated CVSS 4.0 9.4 with an upstream fix merged in PR #3054; no public exploit has been identified and the issue is not on CISA KEV.

Information Disclosure Cors Misconfiguration
NVD GitHub
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-46431 Go MEDIUM PATCH GHSA This Month

Cross-origin read access to Algernon's SSE auto-refresh event server (versions ≤ 1.17.6) allows any web page visited by a developer to silently subscribe to the live file-change stream via a browser-native EventSource. The root cause is a hardcoded wildcard `Access-Control-Allow-Origin: *` response header in the dedicated SSE port activated by the `-a` flag, with no origin inspection or allow-list logic present in the vendored recwatch handler. No public exploit identified at time of analysis per KEV absence, though a complete working proof-of-concept - including exploit HTML and curl verification transcript - is published in GHSA-hw27-4v2q-5qff.

Information Disclosure Cors Misconfiguration Microsoft Apple Canonical
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8948 CRITICAL PATCH Act Now

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Cors Misconfiguration
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-8576 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on Linux and ChromeOS allows remote attackers to read sensitive data from other origins via malicious HTML pages exploiting flawed CORS implementation. Affects versions prior to 148.0.7778.168. Google released a patch in their May 2026 stable channel update. EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC assessment indicates no current exploitation, non-automatable attack requiring user interaction, with partial technical impact limited to confidentiality breach.

Google Cors Misconfiguration Information Disclosure Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8537 MEDIUM PATCH This Month

Google Chrome versions prior to 148.0.7778.168 leak cross-origin data through insufficient policy enforcement in the ViewTransitions API when users interact with specially crafted HTML pages. The vulnerability enables remote attackers to bypass same-origin policy protections and extract sensitive information from other origins without authentication, though exploitation requires user interaction (clicking a link or visiting a malicious page). With EPSS at 0.03% (10th percentile) and no confirmed active exploitation, this represents a moderate information disclosure risk primarily affecting organizations where targeted phishing could deliver malicious pages to Chrome users.

Google Cors Misconfiguration Information Disclosure Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41056 PHP HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` - the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.

PHP Cors Misconfiguration Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-6662 MEDIUM POC This Month

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint without authentication, enabling cross-domain requests from untrusted origins. The vulnerability exists in the cors function of src/server.ts and permits information disclosure with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS 6.9 score.

Cors Misconfiguration Information Disclosure
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6143 LOW POC PATCH Monitor

Permissive cross-domain policy in farion1231 cc-switch up to version 3.12.3 allows authenticated remote attackers to access sensitive information and modify data across untrusted domains via misconfigured CORS headers in the ProxyServer component. Publicly available exploit code exists, and vendor patches are available; this represents a moderate but actively exploitable configuration flaw affecting networked deployments.

Cors Misconfiguration Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5302 MEDIUM PATCH This Month

CORS misconfiguration in CoolerControl coolercontrold versions 2.0.0 through 3.x allows unauthenticated remote attackers to read sensitive data and send control commands to the service by exploiting browser-based cross-origin requests from malicious websites. The vulnerability requires user interaction (UI:R) but grants attackers capability to leak information and manipulate daemon operations with a CVSS score of 6.3 (medium).

Cors Misconfiguration Information Disclosure Suse
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-5321 LOW POC Monitor

Cross-Origin Resource Sharing (CORS) misconfiguration in vanna-ai vanna up to version 2.0.2 allows authenticated remote attackers to establish permissive cross-domain policies with untrusted domains, leading to information disclosure. The vulnerability affects the FastAPI/Flask Server component and has publicly available exploit code; however, the vendor has not responded to early disclosure attempts. With a CVSS score of 5.3 and confirmed public exploit availability, this represents a moderate-risk authentication-gated information exposure issue.

Cors Misconfiguration Information Disclosure Python
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-34449 Go CRITICAL PATCH GHSA Act Now

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to execute arbitrary code with full operating system privileges through CORS misconfiguration. A malicious website can inject JavaScript into the Electron-based application's Node.js context via the permissive API (Access-Control-Allow-Origin: * with Access-Control-Allow-Private-Network: true), which executes with OS-level access when the user next opens SiYuan's interface. No public exploit identified at time of analysis, though CVSS 9.6 (Critical) reflects network-accessible attack vector with low complexity requiring only user interaction (visiting malicious site while SiYuan runs). EPSS data not provided, but the combination of Electron framework exploitation, RCE impact, and trivial attack complexity suggests elevated real-world risk for desktop users.

RCE Cors Misconfiguration Node.js
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-0397 LOW PATCH Monitor

Cross-Origin Resource Sharing (CORS) misconfiguration in PowerDNS dnsdist's internal webserver allows remote attackers to extract sensitive configuration information from the dashboard through a social engineering attack targeting authenticated administrators. An attacker can trick an admin into visiting a malicious website, which then leverages the misconfigured CORS policy to read dashboard API responses containing running configuration details. The vulnerability requires the internal webserver to be enabled (disabled by default) and user interaction, resulting in limited confidentiality impact with no integrity or availability risk.

Cors Misconfiguration Information Disclosure
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-34237 Maven MEDIUM PATCH GHSA This Month

Hardcoded wildcard CORS headers (Access-Control-Allow-Origin: *) in the Model Context Protocol Java SDK transport layer enable cross-origin session hijacking, allowing attackers to extract session IDs from victim browsers and relay authenticated requests back to internal MCP servers. The vulnerability affects the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes in mcp-core; no public exploit code has been identified, though the attack requires user interaction (victim visiting attacker-controlled page). CVSS 6.1 reflects the combination of network-accessible vector, low attack complexity, and cross-origin impact, though practical exploitation depends on MCP server deployment architecture.

Java Cors Misconfiguration Information Disclosure Python
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33533 PyPI HIGH PATCH GHSA This Week

Cross-origin data exfiltration in Glances XML-RPC server (glances -s) allows any website to steal complete system monitoring data including hostname, OS details, process lists with command-line arguments, and network configuration through CORS misconfiguration. The server sends Access-Control-Allow-Origin: * on all responses and processes XML-RPC POST requests with Content-Type: text/plain without validation, bypassing browser CORS preflight checks. Default deployments run unauthenticated, making all network-accessible instances immediately exploitable. No public exploit identified at time of analysis, though detailed proof-of-concept code is included in the advisory.

Cors Misconfiguration Python Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-33010 PyPI HIGH PATCH This Week

A CORS misconfiguration vulnerability in mcp-memory-service allows any malicious website to perform cross-origin requests to the HTTP API. Versions prior to 10.25.1 of mcp-memory-service from doobidoo are affected, particularly when the HTTP server is enabled with anonymous access, allowing attackers to read, modify, and delete all stored memories without authentication. No KEV listing or public exploitation indicators are currently reported, though the vulnerability's simplicity and the availability of a GitHub security advisory suggest proof-of-concept development would be straightforward.

Cors Misconfiguration Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-30924 Go CRITICAL PATCH GHSA Act Now

Misconfigured CORS headers in this web application permit cross-origin requests from any domain, enabling attackers to craft malicious webpages that perform unauthorized actions or exfiltrate sensitive data from victims' browsers when they visit attacker-controlled sites. Although the application is typically deployed on trusted local networks, the vulnerability can be exploited remotely by leveraging victim browsers as intermediaries without requiring direct network access. An attacker can silently harvest credentials, session tokens, or other sensitive information through transparent cross-site requests made on page load.

Information Disclosure Cors Misconfiguration
NVD GitHub VulDB
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-33043 PHP HIGH PATCH This Week

AVideo (WWBN_AVideo) contains a critical CORS misconfiguration vulnerability that exposes PHP session IDs to any unauthenticated external website, enabling complete account takeover of any logged-in user including administrators. The vulnerability has a working proof-of-concept exploit and requires only that a victim visit an attacker-controlled webpage while logged into AVideo, making it highly exploitable with an 8.1 CVSS score.

Cors Misconfiguration PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32610 PyPI HIGH PATCH This Week

A critical CORS misconfiguration in the Glances system monitoring tool's REST API allows any website to steal sensitive system information from users who visit a malicious page while having access to a Glances instance. The vulnerability affects all versions prior to 4.5.2 and enables cross-origin theft of system stats, configuration secrets, database passwords, API keys, and command-line arguments. A proof-of-concept is publicly available, though no active exploitation has been reported yet.

Python Information Disclosure Docker Cors Misconfiguration Suse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-9292 LOW Monitor

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface.

Information Disclosure Cors Misconfiguration
NVD
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-55462 MEDIUM This Month

A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. [CVSS 6.5 MEDIUM]

Information Disclosure Eramba Cors Misconfiguration
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13019 HIGH PATCH This Week

Same-origin policy bypass in the DOM: Workers component. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Authentication Bypass Mozilla
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-13017 HIGH PATCH This Week

Same-origin policy bypass in the DOM: Notifications component. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Authentication Bypass Mozilla
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-43480 HIGH PATCH This Week

The issue was addressed with improved checks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Apple Information Disclosure Red Hat Suse
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-43392 MEDIUM PATCH This Month

The issue was addressed with improved handling of caches. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Apple Information Disclosure Red Hat Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-10529 MEDIUM PATCH This Month

Same-origin policy bypass in the Layout component. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cors Misconfiguration Mozilla
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-27909 MEDIUM This Month

IBM Concert Software 1.0.0 through 1.1.0 uses cross-origin resource sharing (CORS) which could allow an attacker to carry out privileged actions as the domain name is not being limited to only. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration IBM Information Disclosure Concert
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-25234 HIGH This Week

Omnissa UAG contains a Cross-Origin Resource Sharing (CORS) bypass vulnerability. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration Unified Access Gateway
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-30354 HIGH POC This Week

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Cors Misconfiguration Bruno
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-2865 LOW Monitor

SaTECH BCU, in its firmware version 2.1.3, could allow XSS attacks and other malicious resources to be stored on the web server. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.

XSS Cors Misconfiguration Satech Bcu Firmware
NVD
CVSS 4.0
2.4
EPSS
0.1%
CVE-2024-22348 MEDIUM This Month

IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity 4.0.0 through 4.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration IBM Devops Velocity Urbancode Velocity
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-53276 MEDIUM This Month

Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Cors Misconfiguration
NVD GitHub
CVSS 4.0
6.3
EPSS
0.5%
CVE-2024-49763 HIGH This Week

PlexRipper is a cross-platform media downloader for Plex. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2024-45642 MEDIUM This Month

IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XSS Cors Misconfiguration Security Qradar Edr
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-10315 MEDIUM This Month

In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2024-6449 MEDIUM This Month

HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration Geoportal Toolkit
NVD
CVSS 4.0
5.3
EPSS
0.4%
CVE-2024-41657 Go HIGH POC This Week

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Cors Misconfiguration Casdoor
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-41659 Go HIGH POC PATCH This Week

memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Cors Misconfiguration Memos
NVD GitHub
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-32862 HIGH This Week

Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration Exacqvision Web Service
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-37131 CRITICAL Act Now

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration Policy Manager For Secure Connect Gateway
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-21382 MEDIUM PATCH This Month

Microsoft Edge for Android Information Disclosure Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Google Cors Misconfiguration Microsoft Edge Chromium
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2023-46281 HIGH PATCH This Week

A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions <. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Cors Misconfiguration Information Disclosure Opcenter Quality Simatic Pcs Neo Sinumerik Integrate Runmyhmi Automotive +1
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-25603 CRITICAL Act Now

A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.3.0 - 6.3.4 and 6.4.0 - 6.4.1 allow an unauthorized attacker to carry out. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Fortinet Information Disclosure Fortiadc Fortiddos F
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2023-46098 HIGH PATCH This Week

A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Cors Misconfiguration Information Disclosure Simatic Pcs Neo
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2023-2360 HIGH This Week

Sensitive information disclosure due to CORS misconfiguration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Information Disclosure Cyber Infrastructure
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-23464 HIGH This Week

Media CP Media Control Panel latest version. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Information Disclosure Media Control Panel
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-23128 MEDIUM This Month

Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Information Disclosure Connectwise
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-26969 npm CRITICAL PATCH Act Now

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cors Misconfiguration Directus
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-31736 CRITICAL Act Now

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Cors Misconfiguration Firefox Firefox Esr +1
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2021-34435 npm HIGH POC PATCH This Week

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Cors Misconfiguration Theia
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2019-14860 MEDIUM This Month

It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cors Misconfiguration Fuse Syndesis
NVD
CVSS 3.1
6.5
EPSS
1.2%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, credentialed API calls on behalf of a logged-in victim because the server ships with CORS_ORIGINS=* paired with allow_credentials=True. When an authenticated LightRAG user browses to an attacker-controlled page, that page can silently read documents and knowledge-graph data or issue destructive requests such as deleting the entire document store. No public exploit has been identified at time of analysis and the flaw is not in CISA KEV, but the fix is confirmed released in version 1.5.4.

Cors Misconfiguration Information Disclosure Lightrag
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Credential theft in ASUS GameSDK allows a remote attacker to capture a local user's NTLM hash by luring them to a crafted web page that abuses a permissive cross-domain policy to send a UNC-path request to GameSDK's local service endpoint. The flaw affects systems running the ASUS GameSDK local service (bundled with ASUS gaming utilities) and requires the victim to visit an attacker-controlled page (UI required); no authentication is needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the leaked NTLM material can be relayed or cracked to reach other services.

Cors Misconfiguration Information Disclosure Gamesdk
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive-information disclosure in HCL DevOps Deploy (formerly UrbanCode Deploy) versions 8.1 through 8.1.2.6 and 8.2 through 8.2.1.0 stems from an overly permissive Cross-Origin Resource Sharing (CORS) policy that fails to restrict allowed origins to trusted domains. Because the application accepts or reflects arbitrary origins, an attacker-controlled web page can issue cross-origin credentialed requests against an authenticated user's session to read protected data and invoke privileged actions. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 13th percentile), and CISA SSVC rates exploitation as none.

Cors Misconfiguration Information Disclosure Hcl Devops Deploy
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious web page ride that user's active session to perform privileged actions on the device, stemming from a permissive CORS policy that trusts untrusted origins. The flaw affects UniFi OS Server and the console firmware running on Dream Machines, Dream Routers, Dream Wall, Cloud Gateways, Cloud Keys, Enterprise Fortress Gateway, Express 7, and Network/Enterprise Video Recorders. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; success hinges on social-engineering an already-logged-in admin (CVSS 7.5, UI:R, AC:H).

Ubiquiti Cors Misconfiguration Information Disclosure +12
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive information disclosure and unauthorized privileged actions in IBM DevOps Deploy (formerly UrbanCode Deploy/UCD) versions 8.1.0 through 8.1.2.6 and 8.2.0 through 8.2.1.0 stem from an overly permissive Cross-Origin Resource Sharing (CORS) policy that fails to restrict requests to trusted domains. An attacker who lures an authenticated user to a malicious web page can leverage the victim's session across origins to read confidential data and invoke privileged operations. No public exploit identified at time of analysis, and EPSS is low (0.15%, 5th percentile), consistent with CISA SSVC scoring exploitation as 'none'.

IBM Cors Misconfiguration Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 2.3
LOW Monitor

CORS misconfiguration in Papermark through version 0.22.0 enables unauthenticated remote attackers to silently perform credentialed cross-origin file uploads into authenticated victims' datarooms and read credentialed server responses. The TUS-based viewer upload endpoint reflects arbitrary caller Origins while returning Access-Control-Allow-Credentials: true, violating the fundamental CORS security contract and allowing any attacker-controlled webpage to abuse a victim's active session. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; exploitation is constrained by the requirement for victim user interaction.

Cors Misconfiguration Information Disclosure
NVD GitHub VulDB
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Cross-origin agent execution in PraisonAI's AGUI endpoint allows any attacker-controlled website to silently invoke locally-running agents and exfiltrate their streaming responses, including tool execution results and sensitive environment data. The flaw stems from a triad of issues - no authentication on POST /agui, a hardcoded wildcard CORS header, and Starlette's Content-Type-agnostic JSON parsing - that together let a simple cross-origin request bypass the browser's preflight check. No public exploit identified at time of analysis, but the GHSA advisory publishes a complete attack flow making weaponization trivial.

Cors Misconfiguration RCE Praisonai
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-origin credential exposure in Hono web framework versions prior to 4.12.25 allows arbitrary third-party sites to read responses from cookie-authenticated endpoints when applications enable the CORS middleware with credentials: true and leave origin unset. The middleware reflects the request Origin header alongside Access-Control-Allow-Credentials: true, bypassing the browser's standard wildcard-with-credentials safeguard. No public exploit identified at time of analysis, but the misconfiguration pattern is trivial to weaponize and exploitation only requires luring an authenticated user to visit a malicious page.

Cors Misconfiguration Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments (developer-test.aqara.com, aiot-test.aqara.com) allows a malicious website to read authenticated responses from any victim developer who visits it, exposing portal data tied to IoT/smart-home developer accounts. The flaw is a permissive CORS policy (CWE-942) that trusts untrusted origins; runZero disclosed it and no public exploit identified at time of analysis, though the technique is well-known and trivially scriptable.

Cors Misconfiguration Information Disclosure Aqara Developer Portal +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web origins to read authenticated user data by exploiting a permissive CORS policy that trusts arbitrary domains. The flaw, scored CVSS 8.2 with scope change due to credential exposure crossing the browser/identity-provider trust boundary, affects all users of Aqara's centralized smart-home identity service and can be triggered when a logged-in victim visits an attacker-hosted page. A public GitHub repository (xn0tsa/theres-no-place-like-home) is linked from the advisory, so publicly available exploit code exists, though no CISA KEV listing or EPSS signal is provided.

Cors Misconfiguration Information Disclosure Aqara Iam Sso Gateway
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Administrator account takeover in Network Optix Nx Witness VMS before 6.1.2 allows remote unauthenticated attackers to hijack authenticated user sessions through a CORS misconfiguration in the REST API when the product runs in default Standard security mode on Linux or Windows. By luring a logged-in operator to a malicious cross-origin page, the attacker's site can read credentialed REST responses and steal the session token, achieving full administrative takeover; no public exploit identified at time of analysis, but the issue is trivially weaponizable given the well-understood CORS attack pattern.

Microsoft Information Disclosure Cors Misconfiguration
NVD
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditionally emitting an `Access-Control-Allow-Origin: *` header, which overrides the `allowed-origins`/`allowed-hosts` controls added during beta and opens the endpoint to DNS rebinding. Any deployment using the SSE transport under MCP specification v2024-11-05 is affected, letting a remote attacker who lures a victim to a malicious web page read the victim's Toolbox/database tool responses cross-origin. Rated CVSS 4.0 9.4 with an upstream fix merged in PR #3054; no public exploit has been identified and the issue is not on CISA KEV.

Information Disclosure Cors Misconfiguration
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin read access to Algernon's SSE auto-refresh event server (versions ≤ 1.17.6) allows any web page visited by a developer to silently subscribe to the live file-change stream via a browser-native EventSource. The root cause is a hardcoded wildcard `Access-Control-Allow-Origin: *` response header in the dedicated SSE port activated by the `-a` flag, with no origin inspection or allow-list logic present in the vendored recwatch handler. No public exploit identified at time of analysis per KEV absence, though a complete working proof-of-concept - including exploit HTML and curl verification transcript - is published in GHSA-hw27-4v2q-5qff.

Information Disclosure Cors Misconfiguration Microsoft +2
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Cors Misconfiguration
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on Linux and ChromeOS allows remote attackers to read sensitive data from other origins via malicious HTML pages exploiting flawed CORS implementation. Affects versions prior to 148.0.7778.168. Google released a patch in their May 2026 stable channel update. EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC assessment indicates no current exploitation, non-automatable attack requiring user interaction, with partial technical impact limited to confidentiality breach.

Google Cors Misconfiguration Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Google Chrome versions prior to 148.0.7778.168 leak cross-origin data through insufficient policy enforcement in the ViewTransitions API when users interact with specially crafted HTML pages. The vulnerability enables remote attackers to bypass same-origin policy protections and extract sensitive information from other origins without authentication, though exploitation requires user interaction (clicking a link or visiting a malicious page). With EPSS at 0.03% (10th percentile) and no confirmed active exploitation, this represents a moderate information disclosure risk primarily affecting organizations where targeted phishing could deliver malicious pages to Chrome users.

Google Cors Misconfiguration Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` - the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.

PHP Cors Misconfiguration Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint without authentication, enabling cross-domain requests from untrusted origins. The vulnerability exists in the cors function of src/server.ts and permits information disclosure with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS 6.9 score.

Cors Misconfiguration Information Disclosure
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Permissive cross-domain policy in farion1231 cc-switch up to version 3.12.3 allows authenticated remote attackers to access sensitive information and modify data across untrusted domains via misconfigured CORS headers in the ProxyServer component. Publicly available exploit code exists, and vendor patches are available; this represents a moderate but actively exploitable configuration flaw affecting networked deployments.

Cors Misconfiguration Information Disclosure
NVD VulDB GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

CORS misconfiguration in CoolerControl coolercontrold versions 2.0.0 through 3.x allows unauthenticated remote attackers to read sensitive data and send control commands to the service by exploiting browser-based cross-origin requests from malicious websites. The vulnerability requires user interaction (UI:R) but grants attackers capability to leak information and manipulate daemon operations with a CVSS score of 6.3 (medium).

Cors Misconfiguration Information Disclosure Suse
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-Origin Resource Sharing (CORS) misconfiguration in vanna-ai vanna up to version 2.0.2 allows authenticated remote attackers to establish permissive cross-domain policies with untrusted domains, leading to information disclosure. The vulnerability affects the FastAPI/Flask Server component and has publicly available exploit code; however, the vendor has not responded to early disclosure attempts. With a CVSS score of 5.3 and confirmed public exploit availability, this represents a moderate-risk authentication-gated information exposure issue.

Cors Misconfiguration Information Disclosure Python
NVD VulDB GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to execute arbitrary code with full operating system privileges through CORS misconfiguration. A malicious website can inject JavaScript into the Electron-based application's Node.js context via the permissive API (Access-Control-Allow-Origin: * with Access-Control-Allow-Private-Network: true), which executes with OS-level access when the user next opens SiYuan's interface. No public exploit identified at time of analysis, though CVSS 9.6 (Critical) reflects network-accessible attack vector with low complexity requiring only user interaction (visiting malicious site while SiYuan runs). EPSS data not provided, but the combination of Electron framework exploitation, RCE impact, and trivial attack complexity suggests elevated real-world risk for desktop users.

RCE Cors Misconfiguration Node.js
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Cross-Origin Resource Sharing (CORS) misconfiguration in PowerDNS dnsdist's internal webserver allows remote attackers to extract sensitive configuration information from the dashboard through a social engineering attack targeting authenticated administrators. An attacker can trick an admin into visiting a malicious website, which then leverages the misconfigured CORS policy to read dashboard API responses containing running configuration details. The vulnerability requires the internal webserver to be enabled (disabled by default) and user interaction, resulting in limited confidentiality impact with no integrity or availability risk.

Cors Misconfiguration Information Disclosure
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Hardcoded wildcard CORS headers (Access-Control-Allow-Origin: *) in the Model Context Protocol Java SDK transport layer enable cross-origin session hijacking, allowing attackers to extract session IDs from victim browsers and relay authenticated requests back to internal MCP servers. The vulnerability affects the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes in mcp-core; no public exploit code has been identified, though the attack requires user interaction (victim visiting attacker-controlled page). CVSS 6.1 reflects the combination of network-accessible vector, low attack complexity, and cross-origin impact, though practical exploitation depends on MCP server deployment architecture.

Java Cors Misconfiguration Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-origin data exfiltration in Glances XML-RPC server (glances -s) allows any website to steal complete system monitoring data including hostname, OS details, process lists with command-line arguments, and network configuration through CORS misconfiguration. The server sends Access-Control-Allow-Origin: * on all responses and processes XML-RPC POST requests with Content-Type: text/plain without validation, bypassing browser CORS preflight checks. Default deployments run unauthenticated, making all network-accessible instances immediately exploitable. No public exploit identified at time of analysis, though detailed proof-of-concept code is included in the advisory.

Cors Misconfiguration Python Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A CORS misconfiguration vulnerability in mcp-memory-service allows any malicious website to perform cross-origin requests to the HTTP API. Versions prior to 10.25.1 of mcp-memory-service from doobidoo are affected, particularly when the HTTP server is enabled with anonymous access, allowing attackers to read, modify, and delete all stored memories without authentication. No KEV listing or public exploitation indicators are currently reported, though the vulnerability's simplicity and the availability of a GitHub security advisory suggest proof-of-concept development would be straightforward.

Cors Misconfiguration Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Misconfigured CORS headers in this web application permit cross-origin requests from any domain, enabling attackers to craft malicious webpages that perform unauthorized actions or exfiltrate sensitive data from victims' browsers when they visit attacker-controlled sites. Although the application is typically deployed on trusted local networks, the vulnerability can be exploited remotely by leveraging victim browsers as intermediaries without requiring direct network access. An attacker can silently harvest credentials, session tokens, or other sensitive information through transparent cross-site requests made on page load.

Information Disclosure Cors Misconfiguration
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

AVideo (WWBN_AVideo) contains a critical CORS misconfiguration vulnerability that exposes PHP session IDs to any unauthenticated external website, enabling complete account takeover of any logged-in user including administrators. The vulnerability has a working proof-of-concept exploit and requires only that a victim visit an attacker-controlled webpage while logged into AVideo, making it highly exploitable with an 8.1 CVSS score.

Cors Misconfiguration PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A critical CORS misconfiguration in the Glances system monitoring tool's REST API allows any website to steal sensitive system information from users who visit a malicious page while having access to a Glances instance. The vulnerability affects all versions prior to 4.5.2 and enables cross-origin theft of system stats, configuration secrets, database passwords, API keys, and command-line arguments. A proof-of-concept is publicly available, though no active exploitation has been reported yet.

Python Information Disclosure Docker +2
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface.

Information Disclosure Cors Misconfiguration
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. [CVSS 6.5 MEDIUM]

Information Disclosure Eramba Cors Misconfiguration
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Same-origin policy bypass in the DOM: Workers component. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Authentication Bypass Mozilla
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Same-origin policy bypass in the DOM: Notifications component. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Authentication Bypass Mozilla
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

The issue was addressed with improved checks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Apple Information Disclosure +2
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The issue was addressed with improved handling of caches. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Apple Information Disclosure +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in the Layout component. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cors Misconfiguration Mozilla
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

IBM Concert Software 1.0.0 through 1.1.0 uses cross-origin resource sharing (CORS) which could allow an attacker to carry out privileged actions as the domain name is not being limited to only. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration IBM Information Disclosure +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Omnissa UAG contains a Cross-Origin Resource Sharing (CORS) bypass vulnerability. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration Unified Access Gateway
NVD
EPSS 0% CVSS 8.7
HIGH POC This Week

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Cors Misconfiguration Bruno
NVD GitHub
EPSS 0% CVSS 2.4
LOW Monitor

SaTECH BCU, in its firmware version 2.1.3, could allow XSS attacks and other malicious resources to be stored on the web server. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.

XSS Cors Misconfiguration Satech Bcu Firmware
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity 4.0.0 through 4.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration IBM +2
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Cors Misconfiguration
NVD GitHub
EPSS 1% CVSS 8.7
HIGH This Week

PlexRipper is a cross-platform media downloader for Plex. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XSS Cors Misconfiguration +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration Geoportal Toolkit
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Cors Misconfiguration Casdoor
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Cors Misconfiguration Memos
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration Exacqvision Web Service
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cors Misconfiguration Policy Manager For Secure Connect Gateway
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Microsoft Edge for Android Information Disclosure Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Google Cors Misconfiguration +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions <. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Cors Misconfiguration Information Disclosure Opcenter Quality +3
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.3.0 - 6.3.4 and 6.4.0 - 6.4.1 allow an unauthorized attacker to carry out. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Fortinet Information Disclosure +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Cors Misconfiguration Information Disclosure Simatic Pcs Neo
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive information disclosure due to CORS misconfiguration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Information Disclosure Cyber Infrastructure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Media CP Media Control Panel latest version. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Information Disclosure Media Control Panel
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cors Misconfiguration Information Disclosure Connectwise
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cors Misconfiguration Directus
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Cors Misconfiguration +3
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Cors Misconfiguration Theia
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cors Misconfiguration Fuse +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy