VYPR

CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

Abstraction: Variant; Status: Incomplete

Description

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

Hierarchy (View 1000)

Children

none

CVEs mapped to this weakness (62)

page 3 of 4
  • CVE-2025-41366 (Med), Jun 6, 2025
    risk 0.33, cvss n/a, epss 0.00

    In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can only be executed with permissions higher…

  • CVE-2026-8576 (Med), May 14, 2026
    risk 0.28, cvss 4.3, epss 0.00

    Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-8537 (Med), May 14, 2026
    risk 0.28, cvss 4.3, epss 0.00

    Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-7643 (Med), May 2, 2026
    risk 0.28, cvss 4.3, epss 0.00

    A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The…

  • CVE-2026-5321 (Med), Apr 2, 2026
    risk 0.28, cvss 4.3, epss 0.00

    A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown functionality of the component FastAPI/Flask Server. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The…

  • CVE-2025-43392 (Med), Nov 4, 2025
    risk 0.28, cvss 4.3, epss 0.00

    The issue was addressed with improved handling of caches. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A website may exfiltrate image data cross-origin.

  • CVE-2026-45021 (Med), May 28, 2026
    risk 0.26, cvss n/a, epss 0.00

    Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the…

  • CVE-2026-46431 (Med), May 26, 2026
    risk 0.21, cvss 4.3, epss 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the…

  • CVE-2026-7581 (Med), May 1, 2026
    risk 0.21, cvss 4.3, epss 0.00

    A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to…

  • CVE-2026-0397 (Low), Mar 31, 2026
    risk 0.20, cvss 3.1, epss 0.00

    When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is…

  • CVE-2026-33043, Mar 20, 2026
    risk 0.00, cvss n/a, epss 0.00

    WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with…

  • CVE-2026-32610, Mar 18, 2026
    risk 0.00, cvss n/a, epss 0.00

    Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled…

  • CVE-2026-28792, Mar 12, 2026
    risk 0.00, cvss n/a, epss 0.01

    Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote…

  • CVE-2026-25478, Feb 9, 2026
    risk 0.00, cvss n/a, epss 0.00

    Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a…

  • CVE-2026-22812, Jan 12, 2026
    risk 0.00, cvss n/a, epss 0.17

    OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is…

  • CVE-2025-53092, Oct 16, 2025
    risk 0.00, cvss n/a, epss 0.00

    Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header…

  • CVE-2024-41657, Aug 20, 2024
    risk 0.00, cvss n/a, epss 0.01

    Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to…

  • CVE-2024-41659, Aug 20, 2024
    risk 0.00, cvss n/a, epss 0.01

    memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request,…

  • CVE-2024-23823, Mar 14, 2024
    risk 0.00, cvss n/a, epss 0.00

    vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of…

  • CVE-2023-36829, Jul 6, 2023
    risk 0.00, cvss n/a, epss 0.01

    Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the…