CWE-942
Permissive Cross-domain Security Policy with Untrusted Domains
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
CVE-2026-34200 (GCVE-0-2026-34200)
Vulnerability from cvelistv5 – Published: 2026-03-31 13:57 – Updated: 2026-03-31 14:30
VLAI
Title
Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port
Summary
Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to issue cross-origin requests to the MCP server and invoke privileged tools using the developer's locally configured credentials. This vulnerability requires two explicit, non-default configuration steps to be exploitable. The default nhost mcp start configuration is not affected. This issue has been patched in version 1.41.0.
Severity
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nhost/nhost/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/nhost/nhost/pull/4060 | x_refsource_MISC |
| https://github.com/nhost/nhost/commit/15eae9285f9… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34200",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:30:33.127356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:30:36.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nhost/nhost/security/advisories/GHSA-6c5x-3h35-vvw2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nhost",
"vendor": "nhost",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to issue cross-origin requests to the MCP server and invoke privileged tools using the developer\u0027s locally configured credentials. This vulnerability requires two explicit, non-default configuration steps to be exploitable. The default nhost mcp start configuration is not affected. This issue has been patched in version 1.41.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T13:57:42.003Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nhost/nhost/security/advisories/GHSA-6c5x-3h35-vvw2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nhost/nhost/security/advisories/GHSA-6c5x-3h35-vvw2"
},
{
"name": "https://github.com/nhost/nhost/pull/4060",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nhost/nhost/pull/4060"
},
{
"name": "https://github.com/nhost/nhost/commit/15eae9285f9dce63e184b9bb24616474ffa5ccc9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nhost/nhost/commit/15eae9285f9dce63e184b9bb24616474ffa5ccc9"
}
],
"source": {
"advisory": "GHSA-6c5x-3h35-vvw2",
"discovery": "UNKNOWN"
},
"title": "Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34200",
"datePublished": "2026-03-31T13:57:42.003Z",
"dateReserved": "2026-03-26T15:57:52.323Z",
"dateUpdated": "2026-03-31T14:30:36.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34227 (GCVE-0-2026-34227)
Vulnerability from cvelistv5 – Published: 2026-03-31 15:25 – Updated: 2026-04-01 14:04
VLAI
Title
Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface
Summary
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected target data (e.g. SSH keys, ntds.dit) or destroying the entire compromised infrastructure, entirely through the operator's own browser. This issue has been patched in version 1.7.4.
Severity
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/BishopFox/sliver/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34227",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:04:07.996780Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:04:12.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-6fpf-248c-m7wm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sliver",
"vendor": "BishopFox",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected target data (e.g. SSH keys, ntds.dit) or destroying the entire compromised infrastructure, entirely through the operator\u0027s own browser. This issue has been patched in version 1.7.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:25:32.224Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BishopFox/sliver/security/advisories/GHSA-6fpf-248c-m7wm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-6fpf-248c-m7wm"
}
],
"source": {
"advisory": "GHSA-6fpf-248c-m7wm",
"discovery": "UNKNOWN"
},
"title": "Sliver One-Click Remote Access: Insecure CORS \u0026 Unauthenticated MCP Interface"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34227",
"datePublished": "2026-03-31T15:25:32.224Z",
"dateReserved": "2026-03-26T16:22:29.033Z",
"dateUpdated": "2026-04-01T14:04:12.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34237 (GCVE-0-2026-34237)
Vulnerability from cvelistv5 – Published: 2026-03-31 15:40 – Updated: 2026-03-31 18:52
VLAI
Title
MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)
Summary
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 1.0.1 and 1.1.1.
Severity
6.1 (Medium)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/modelcontextprotocol/java-sdk/… | x_refsource_CONFIRM |
| https://github.com/modelcontextprotocol/java-sdk/… | x_refsource_MISC |
| https://github.com/modelcontextprotocol/java-sdk/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| modelcontextprotocol | java-sdk |
Affected:
< 1.0.1
Affected: < 1.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T18:50:15.819733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:52:38.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "java-sdk",
"vendor": "modelcontextprotocol",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.1"
},
{
"status": "affected",
"version": "\u003c 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 1.0.1 and 1.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:40:01.070Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22"
},
{
"name": "https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289"
},
{
"name": "https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525"
}
],
"source": {
"advisory": "GHSA-hv2w-8mjj-jw22",
"discovery": "UNKNOWN"
},
"title": "MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34237",
"datePublished": "2026-03-31T15:40:01.070Z",
"dateReserved": "2026-03-26T16:22:29.034Z",
"dateUpdated": "2026-03-31T18:52:38.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34449 (GCVE-0-2026-34449)
Vulnerability from cvelistv5 – Published: 2026-03-31 21:45 – Updated: 2026-04-01 15:52
VLAI
Title
SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Summary
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.
Severity
9.7 (Critical)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/siyuan-note/siyuan/security/ad… | x_refsource_CONFIRM |
| https://github.com/siyuan-note/siyuan/issues/17246 | x_refsource_MISC |
| https://github.com/siyuan-note/siyuan/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| siyuan-note | siyuan |
Affected:
< 3.6.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34449",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T15:28:32.206583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:52:56.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-68p4-j234-43mv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "siyuan",
"vendor": "siyuan-note",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron\u0027s Node.js context with full OS access the next time the user opens SiYuan\u0027s UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T21:45:17.081Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-68p4-j234-43mv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-68p4-j234-43mv"
},
{
"name": "https://github.com/siyuan-note/siyuan/issues/17246",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/issues/17246"
},
{
"name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2"
}
],
"source": {
"advisory": "GHSA-68p4-j234-43mv",
"discovery": "UNKNOWN"
},
"title": "SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34449",
"datePublished": "2026-03-31T21:45:17.081Z",
"dateReserved": "2026-03-27T18:18:14.895Z",
"dateUpdated": "2026-04-01T15:52:56.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34839 (GCVE-0-2026-34839)
Vulnerability from cvelistv5 – Published: 2026-04-20 23:09 – Updated: 2026-04-21 19:37
VLAI
Title
Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
Summary
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.
Severity
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nicolargo/glances/security/adv… | x_refsource_CONFIRM |
| https://github.com/nicolargo/glances/commit/fdfb9… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34839",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:37:18.710681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:37:42.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glances",
"vendor": "nicolargo",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim\u2019s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T23:09:02.551Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh"
},
{
"name": "https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9"
}
],
"source": {
"advisory": "GHSA-gfc2-9qmw-w7vh",
"discovery": "UNKNOWN"
},
"title": "Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34839",
"datePublished": "2026-04-20T23:09:02.551Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-21T19:37:42.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41056 (GCVE-0-2026-41056)
Vulnerability from cvelistv5 – Published: 2026-04-21 22:35 – Updated: 2026-04-22 13:15
VLAI
Title
AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover
Summary
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.
Severity
8.1 (High)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/WWBN/AVideo/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/WWBN/AVideo/commit/caf705f38ea… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41056",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:15:03.935061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:15:07.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ccq9-r5cw-5hwq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c= 29.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` \u2014 the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application\u0027s `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T22:35:55.715Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ccq9-r5cw-5hwq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ccq9-r5cw-5hwq"
},
{
"name": "https://github.com/WWBN/AVideo/commit/caf705f38eae0ccfac4c3af1587781355d24495e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo/commit/caf705f38eae0ccfac4c3af1587781355d24495e"
}
],
"source": {
"advisory": "GHSA-ccq9-r5cw-5hwq",
"discovery": "UNKNOWN"
},
"title": "AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41056",
"datePublished": "2026-04-21T22:35:55.715Z",
"dateReserved": "2026-04-16T16:43:03.173Z",
"dateUpdated": "2026-04-22T13:15:07.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44184 (GCVE-0-2026-44184)
Vulnerability from cvelistv5 – Published: 2026-05-12 17:33 – Updated: 2026-05-12 18:38
VLAI
Title
Cleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads
Summary
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10.
Severity
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Cleanuparr/Cleanuparr/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cleanuparr | Cleanuparr |
Affected:
< 2.9.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T18:38:21.790612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T18:38:28.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cleanuparr",
"vendor": "Cleanuparr",
"versions": [
{
"status": "affected",
"version": "\u003c 2.9.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr\u0027s global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin \u2014 including the admin\u0027s permanent API key. This vulnerability is fixed in 2.9.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T17:33:50.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf"
}
],
"source": {
"advisory": "GHSA-rwpc-36mg-fpvf",
"discovery": "UNKNOWN"
},
"title": "Cleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44184",
"datePublished": "2026-05-12T17:33:50.855Z",
"dateReserved": "2026-05-05T14:39:34.924Z",
"dateUpdated": "2026-05-12T18:38:28.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44895 (GCVE-0-2026-44895)
Vulnerability from cvelistv5 – Published: 2026-05-26 21:08 – Updated: 2026-05-27 13:35
VLAI
Title
GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools
Summary
GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0.
Severity
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/yoda-digital/mcp-gitlab-server… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| yoda-digital | mcp-gitlab-server |
Affected:
< 0.6.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44895",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:34:54.695835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:35:15.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mcp-gitlab-server",
"vendor": "yoda-digital",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator\u0027s GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T21:08:13.107Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf"
}
],
"source": {
"advisory": "GHSA-8jr5-6gvj-rfpf",
"discovery": "UNKNOWN"
},
"title": "GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44895",
"datePublished": "2026-05-26T21:08:13.107Z",
"dateReserved": "2026-05-07T21:50:33.546Z",
"dateUpdated": "2026-05-27T13:35:15.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45021 (GCVE-0-2026-45021)
Vulnerability from cvelistv5 – Published: 2026-05-28 17:45 – Updated: 2026-05-28 19:30
VLAI
Title
Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Summary
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5.
Severity
CWE
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/kumahq/kuma/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/kumahq/kuma/pull/16416 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16423 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16424 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16425 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16426 | x_refsource_MISC |
| https://github.com/kumahq/kuma/pull/16427 | x_refsource_MISC |
| https://github.com/kumahq/kuma/commit/8fefa8595d4… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45021",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T19:30:17.834875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T19:30:33.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kuma",
"vendor": "kumahq",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.25"
},
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.15"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.13"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.10"
},
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [\".*\"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:45:14.434Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2"
},
{
"name": "https://github.com/kumahq/kuma/pull/16416",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16416"
},
{
"name": "https://github.com/kumahq/kuma/pull/16423",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16423"
},
{
"name": "https://github.com/kumahq/kuma/pull/16424",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16424"
},
{
"name": "https://github.com/kumahq/kuma/pull/16425",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16425"
},
{
"name": "https://github.com/kumahq/kuma/pull/16426",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16426"
},
{
"name": "https://github.com/kumahq/kuma/pull/16427",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/pull/16427"
},
{
"name": "https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907"
}
],
"source": {
"advisory": "GHSA-3vcp-chfh-f6r2",
"discovery": "UNKNOWN"
},
"title": "Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45021",
"datePublished": "2026-05-28T17:45:14.434Z",
"dateReserved": "2026-05-08T16:58:28.896Z",
"dateUpdated": "2026-05-28T19:30:33.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46431 (GCVE-0-2026-46431)
Vulnerability from cvelistv5 – Published: 2026-05-26 16:42 – Updated: 2026-05-26 17:39
VLAI
Title
Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
Summary
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7.
Severity
4.3 (Medium)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/xyproto/algernon/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46431",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T17:38:47.158630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:39:14.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xyproto/algernon/security/advisories/GHSA-hw27-4v2q-5qff"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "algernon",
"vendor": "xyproto",
"versions": [
{
"status": "affected",
"version": "\u003c 1.17.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server\u0027s Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller\u0027s Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:42:40.675Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xyproto/algernon/security/advisories/GHSA-hw27-4v2q-5qff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xyproto/algernon/security/advisories/GHSA-hw27-4v2q-5qff"
}
],
"source": {
"advisory": "GHSA-hw27-4v2q-5qff",
"discovery": "UNKNOWN"
},
"title": "Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46431",
"datePublished": "2026-05-26T16:42:40.675Z",
"dateReserved": "2026-05-13T22:18:22.830Z",
"dateUpdated": "2026-05-26T17:39:14.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases: Architecture and Design, Operation
Strategy: Attack Surface Reduction
Description:
- Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
Mitigation
Phases: Architecture and Design, Operation
Strategy: Attack Surface Reduction
Description:
- Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
Mitigation
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
No CAPEC attack patterns related to this CWE.