VYPR

CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

Variant | Incomplete

Description

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

Hierarchy (View 1000)

Children

none

CVEs mapped to this weakness (62)

page 2 of 4
  • CVE-2026-6662 | High | Apr 20, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to…

  • CVE-2026-41056 | High | Apr 21, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This…

  • CVE-2026-33010 | High | Mar 20, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=['*'], allow_credentials=True,…

  • CVE-2024-10315 | Medium | Nov 11, 2024
    risk 0.45 | cvss n/a | epss 0.00

    In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6. Reported by Alpha Inferno PVT LTD.

  • CVE-2026-34200 | High | Mar 31, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, the Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on…

  • CVE-2025-10529 | Medium | Sep 16, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Same-origin policy bypass in the Layout component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.

  • CVE-2025-25264 | Medium | Jun 16, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    An unauthenticated remote attacker can trick an admin into visiting a website containing malicious JavaScript code. The current overly permissive CORS policy allows the attacker to obtain any files from the file system.

  • CVE-2023-37526 | Medium | May 14, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning…

  • CVE-2026-5302 | Medium | Apr 8, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites.

  • CVE-2025-11304 | Medium | Oct 5, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    A flaw has been found in CodeCanyon/ui-lib Mentor LMS up to 1.1.1. Affected by this vulnerability is an unknown functionality of the component API. Executing manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The…

  • CVE-2024-53276 | Medium | Dec 23, 2024
    risk 0.41 | cvss n/a | epss 0.01

    Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, an open CORS policy in app.js may allow an attacker to view the images of home-gallery when it is using the default settings. The following express middleware…

  • CVE-2026-46685 | Medium | May 28, 2026
    risk 0.39 | cvss n/a | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets…

  • CVE-2026-46608 | High | Jun 22, 2026
    risk 0.38 | cvss n/a | epss 0.00

    The Glances XML-RPC server (`glances -s`) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to `Access-Control-Allow-Origin: *` whenever `cors_origins` contains more than…

  • CVE-2026-54290 | High | Jun 16, 2026
    risk 0.38 | cvss n/a | epss 0.00

    With `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's `Origin` and sends `Access-Control-Allow-Credentials: true`. Any site can then make credentialed cross-origin requests and read the responses,…

  • CVE-2026-34839 | Medium | Apr 21, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy…

  • CVE-2026-33533 | Medium | Apr 2, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the…

  • CVE-2026-6143 | Medium | Apr 13, 2026
    risk 0.34 | cvss 6.3 | epss 0.00

    A security flaw has been discovered in farion1231 cc-switch up to 3.12.3. Affected by this issue is some unknown functionality of the file src-tauri/src/proxy/server.rs of the component ProxyServer. The manipulation results in permissive cross-domain policy with untrusted…

  • CVE-2025-41363 | Medium | Jun 6, 2025
    risk 0.34 | cvss n/a | epss 0.00

    In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission.

  • CVE-2026-34237 | Medium | Mar 31, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and 1.1.1.

  • CVE-2025-41010 | Medium | Oct 2, 2025
    risk 0.33 | cvss n/a | epss 0.00

    Incorrect Cross-Origin Resource Sharing (CORS) configuration in Hiberus Sintra. Cross-Origin Resource Sharing (CORS) allows browsers to make cross-domain requests in a controlled manner. This request has an “Origin” header that identifies the domain making the initial…