Total
55 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-32610 | 2026-03-18 | N/A | 8.1 HIGH | ||
| Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue. | |||||
| CVE-2026-32617 | 1 Mintplexlabs | 1 Anythingllm | 2026-03-16 | N/A | 7.1 HIGH |
| AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests. | |||||
| CVE-2026-28792 | 1 Ssw | 1 Tinacms\/cli | 2026-03-13 | N/A | 9.6 CRITICAL |
| Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8. | |||||
| CVE-2026-27579 | 2026-02-23 | N/A | 7.4 HIGH | ||
| CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue authenticated cross-origin requests and read sensitive user account information, including email address, account identifiers, and MFA status. The issue did not have a fix at the time of publication. | |||||
| CVE-2026-25478 | 1 Litestar | 1 Litestar | 2026-02-17 | N/A | 7.4 HIGH |
| Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0. | |||||
| CVE-2025-9292 | 2026-02-13 | N/A | N/A | ||
| A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required. | |||||
| CVE-2025-13984 | 1 Kanopi | 1 Next.js | 2026-02-06 | N/A | 6.1 MEDIUM |
| Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. | |||||
| CVE-2025-55462 | 1 Eramba | 1 Eramba | 2026-02-05 | N/A | 6.5 MEDIUM |
| A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration. | |||||
| CVE-2026-24435 | 1 Tenda | 2 W30e, W30e Firmware | 2026-02-02 | N/A | 6.5 MEDIUM |
| Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allowing attacker-controlled origins to issue credentialed cross-origin requests. | |||||
| CVE-2026-1181 | 2026-01-26 | N/A | 9.0 CRITICAL | ||
| Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments. | |||||
| CVE-2026-22812 | 1 Anoma | 1 Opencode | 2026-01-21 | N/A | 8.8 HIGH |
| OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216. | |||||
| CVE-2025-43480 | 1 Apple | 6 Ipados, Iphone Os, Safari and 3 more | 2025-12-17 | N/A | 8.1 HIGH |
| The issue was addressed with improved checks. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. A malicious website may exfiltrate data cross-origin. | |||||
| CVE-2025-43392 | 1 Apple | 6 Ipados, Iphone Os, Safari and 3 more | 2025-12-17 | N/A | 4.3 MEDIUM |
| The issue was addressed with improved handling of caches. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, visionOS 26.1. A website may exfiltrate image data cross-origin. | |||||
| CVE-2025-53092 | 1 Strapi | 1 Strapi | 2025-11-25 | N/A | 6.5 MEDIUM |
| Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist. | |||||
| CVE-2025-25264 | 2025-11-21 | N/A | 6.5 MEDIUM | ||
| An unauthenticated remote attacker can trick an admin to visit a website containing malicious java script code. The current overly permissive CORS policy allows the attacker to obtain any files from the file system. | |||||
| CVE-2025-13019 | 1 Mozilla | 1 Firefox | 2025-11-19 | N/A | 8.1 HIGH |
| Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. | |||||
| CVE-2025-13017 | 1 Mozilla | 1 Firefox | 2025-11-19 | N/A | 8.1 HIGH |
| Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. | |||||
| CVE-2025-62523 | 1 Thm | 1 Pilos | 2025-11-04 | N/A | 6.3 MEDIUM |
| PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This behavior could allow a malicious website on a different origin to send requests (including credentials) to the PILOS API. This may enable exfiltration or actions using the victim’s credentials if the server accepts those cross-origin requests as authenticated. Laravel’s session handling applies additional origin checks such that cross-origin requests are not authenticated by default. Because of these session-origin protections, and in the absence of any other unknown vulnerabilities that would bypass Laravel’s origin/session checks, this reflected-Origin CORS misconfiguration is not believed to be exploitable in typical PILOS deployments. This vulnerability has been patched in PILOS in v4.8.0 | |||||
| CVE-2025-10529 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 6.5 MEDIUM |
| Same-origin policy bypass in the Layout component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. | |||||
| CVE-2023-37401 | 3 Ibm, Linux, Microsoft | 3 Aspera Faspex, Linux Kernel, Windows | 2025-10-14 | N/A | 5.3 MEDIUM |
| IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted. | |||||