CWE-942— Permissive Cross-domain Policy with Untrusted Domains
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.— MITRE CWE catalog
97 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-942page 2 of 2
- CVE-2025-43392MEDIUMCVSS 4.3EG 5.32025-11-04
The issue was addressed with improved handling of caches. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A website may exfiltrate image …
- CVE-2025-43480HIGHCVSS 8.1EG 8.12025-11-04
The issue was addressed with improved checks. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A malicious website may exfiltrate data cross-origin.
- CVE-2025-4515MEDIUMCVSS 4.3EG 4.32025-05-10
A vulnerability, which was classified as problematic, was found in Zylon PrivateGPT up to 0.6.2. This affects an unknown part of the file settings.yaml. The manipulation of the argument allow_origins leads to permissive cross-domain policy…
- CVE-2025-4542LOWCVSS 3.1EG 3.12025-05-11
A vulnerability, which was classified as problematic, has been found in Freeebird Hotel 酒店管理系统 API up to 1.2. Affected by this issue is some unknown functionality of the file /src/main/java/cn/mafangui/hotel/tool/SessionInterce…
- CVE-2025-4839LOWCVSS 3.1EG 3.12025-05-17
A vulnerability has been found in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /paicoding-core/src/main/java/com/github/paicoding/forum/cor…
- CVE-2025-53092MEDIUMCVSS 6.5EG 6.52025-10-16
Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Acc…
- CVE-2025-55462MEDIUMCVSS 6.5EG 6.52026-01-13
A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This per…
- CVE-2025-57755HIGHCVSS 8.1EG 8.12025-08-21
claude-code-router is a powerful tool to route Claude Code requests to different models and customize any request. Due to improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API Keys or equivalent credent…
- CVE-2025-62523MEDIUMCVSS 6.3EG 6.32025-10-27
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the…
- CVE-2025-9292HIGHCVSS 7.5EG 7.52026-02-13
A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and…
- CVE-2026-0397LOWCVSS 3.1EG 3.12026-03-31
When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the da…
- CVE-2026-10056HIGHCVSS 7.5EG 7.52026-05-29
CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an…
- CVE-2026-1181CRITICALCVSS 9.0EG 9.02026-01-19
Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. …
- CVE-2026-12084HIGHCVSS 7.5EG 5.42026-06-30
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not b…
- CVE-2026-22812HIGHCVSS 8.8EG 8.82026-01-12
OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user…
- CVE-2026-24435MEDIUMCVSS 6.5EG 6.52026-01-26
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in c…
- CVE-2026-25478HIGHCVSS 7.4EG 7.42026-02-09
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because …
- CVE-2026-33533MEDIUMCVSS 6.5EG 6.52026-04-02
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XM…
- CVE-2026-34237MEDIUMCVSS 6.1EG 6.12026-03-31
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and …
- CVE-2026-34839MEDIUMCVSS 6.5EG 6.52026-04-21
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due …
- CVE-2026-41056HIGHCVSS 8.1EG 8.12026-04-21
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access…
- CVE-2026-44184HIGHCVSS 8.0EG 8.02026-05-12
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines i…
- CVE-2026-44895CRITICALCVSS 9.2EG 9.22026-05-26
GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural de…
- CVE-2026-45021MEDIUMCVSS 5.1EG 5.12026-05-28
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any…
- CVE-2026-46431MEDIUMCVSS 4.3EG 4.32026-05-20
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not pref…
- CVE-2026-46608HIGHCVSS 7.4EG 7.42026-06-22
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implement…
- CVE-2026-46685MEDIUMCVSS 6.0EG 6.02026-05-28
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Ori…
- CVE-2026-50087MEDIUMCVSS 6.1EG 8.22026-06-12
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC…
- CVE-2026-50088MEDIUMCVSS 4.7EG 8.22026-06-12
The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untru…
- CVE-2026-5302MEDIUMCVSS 6.3EG 6.32026-04-08
CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites
- CVE-2026-5321MEDIUMCVSS 4.3EG 4.32026-04-02
A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. Th…
- CVE-2026-54290HIGHCVSS 7.1EG 7.12026-06-16
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Acces…
- CVE-2026-54753MEDIUMCVSS 5.9EG 5.92026-06-26
Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer v…
- CVE-2026-55110MEDIUMCVSS 6.1EG 7.52026-07-02
A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing (CORS) misconfiguration found in UniFi OS to trigger actions in UniFi OS using that user's session.
- CVE-2026-56076HIGHCVSS 8.1EG 8.12026-06-18
PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Contro…
- CVE-2026-56458HIGHCVSS 7.5EG 5.42026-07-09
HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.
- CVE-2026-57957MEDIUMCVSS 4.7EG 4.72026-06-29
Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload en…
- CVE-2026-59148HIGHCVSS 8.8EG 8.82026-07-09
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtime…
- CVE-2026-59726CRITICALCVSS 10.0EG 10.02026-07-09
Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authentication, allowing an unauthenticated networ…
- CVE-2026-6143MEDIUMCVSS 6.3EG 6.32026-04-13
A security flaw has been discovered in farion1231 cc-switch up to 3.12.3. Affected by this issue is some unknown functionality of the file src-tauri/src/proxy/server.rs of the component ProxyServer. The manipulation results in permissive c…
- CVE-2026-6662HIGHCVSS 7.3EG 7.32026-04-20
A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with un…
- CVE-2026-7581MEDIUMCVSS 4.3EG 4.32026-05-01
A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrus…
- CVE-2026-7643MEDIUMCVSS 4.3EG 4.32026-05-02
A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. …
- CVE-2026-8537MEDIUMCVSS 4.3EG 4.32026-05-14
Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-8576MEDIUMCVSS 4.3EG 4.32026-05-14
Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-8948CRITICALCVSS 9.1EG 9.12026-05-19
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
- CVE-2026-9739CRITICALCVSS 9.4EG 9.42026-05-27
Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-…
Map vulnerabilities like CWE-942 to your infrastructure
EchelonGraph correlates every CVE — across CWE-942 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →