CVE-2022-31736 — CVSS 9.8 (critical): A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects…
CVE-2026-34449 — CVSS 9.6 (critical): SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on…
CVE-2026-30924 — CVSS 9.6 (critical): qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary…
CVE-2026-9739: Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and…
CVE-2026-8948 — CVSS 9.1 (critical): Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
CVE-2023-38125 — CVSS 8.8 (high): Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code Execution Vulnerability. This vulnerability allows…
CVE-2024-49763: PlexRipper is a cross-platform media downloader for Plex. PlexRipper’s open CORS policy allows attackers to gain sensitive information…
CVE-2026-50088 — CVSS 8.2 (high): The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit…
CVE-2026-50087 — CVSS 8.2 (high): The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942…
CVE-2026-56076 — CVSS 8.1 (high): PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger…
CVE-2026-41056 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in…
CVE-2026-33010 — CVSS 8.1 (high): mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled…
CVE-2026-33043 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID…
CVE-2026-32610 — CVSS 8.1 (high): Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a…
CVE-2025-13019 — CVSS 8.1 (high): Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145…
CVE-2025-13017 — CVSS 8.1 (high): Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird…
CVE-2025-43480 — CVSS 8.1 (high): The issue was addressed with improved checks. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1…
CVE-2024-41659 — CVSS 8.1 (high): memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary…
CVE-2023-23464 — CVSS 8.1 (high): Media CP Media Control Panel latest version. A Permissive Flash Cross-domain Policy may allow information disclosure.
CVE-2023-46098 — CVSS 8.0 (high): A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). When accessing the Information Server from affected products…
CVE-2026-55110 — CVSS 7.5 (high): A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing (CORS) misconfiguration…
CVE-2026-10056 — CVSS 7.5 (high): CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security…
CVE-2025-9292 — CVSS 7.5 (high): A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific…
CVE-2024-37131 — CVSS 7.5 (high): SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. A remote unauthenticated…
CVE-2023-2360 — CVSS 7.5 (high): Sensitive information disclosure due to CORS misconfiguration. The following products are affected: Acronis Cyber Infrastructure (ACI)…
CVE-2026-25478 — CVSS 7.4 (high): Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed…
CVE-2026-54290 — CVSS 7.1 (high): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no…
CVE-2026-32617 — CVSS 7.1 (high): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and…
CVE-2025-25234 — CVSS 7.1 (high): Omnissa UAG contains a Cross-Origin Resource Sharing (CORS) bypass vulnerability. A malicious actor with network access to UAG may be able…
CVE-2023-46281 — CVSS 7.1 (high): A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312)…
CVE-2024-10315: In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6. Reported by Alpha Inferno PVT LTD.
CVE-2026-33533 — CVSS 6.5 (medium): Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances…
CVE-2026-24435 — CVSS 6.5 (medium): Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS)…
CVE-2025-55462 — CVSS 6.5 (medium): A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in…
CVE-2025-10529 — CVSS 6.5 (medium): Same-origin policy bypass in the Layout component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and…
CVE-2025-25264 — CVSS 6.5 (medium): An unauthenticated remote attacker can trick an admin to visit a website containing malicious java script code. The current overly…
CVE-2024-6449 — CVSS 6.5 (medium): HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by…
CVE-2023-37526 — CVSS 6.5 (medium): HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS…
CVE-2019-14860 — CVSS 6.5 (medium): It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this…
CVE-2026-5302 — CVSS 6.3 (medium): CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the…
CVE-2025-62523 — CVSS 6.3 (medium): PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource…
CVE-2024-53276: Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, an open CORS policy…
CVE-2026-34237 — CVSS 6.1 (medium): MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is…
CVE-2023-23128 — CVSS 6.1 (medium): Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have…
CVE-2026-12084 — CVSS 5.4 (medium): IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an…
CVE-2023-25603 — CVSS 5.4 (medium): A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.3.0 - 6.3.4 and…