Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-942

CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

Parent: CWE-863 - Incorrect Authorization

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

97 vulnerabilities with CWE-942

CVE-2026-50088 HIGH

Aqara Developer Portal cross-origin resource sharing

CVE-2026-50087 HIGH

Aqara IAM/SSO Gateway cross-origin resource sharing

CVE-2026-10056 HIGH

CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request

CVE-2026-46685 MEDIUM

RustFS: Reflective CORS with credentials on S3 listener; unauthenticated license metadata endpoint on console

CVE-2026-45021 MEDIUM

Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

CVE-2026-9739 CRITICAL

Google Mcp Toolbox For Databases - Permissive Cross-domain Security Policy with Untrusted Domains

CVE-2026-44895 CRITICAL

GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools

CVE-2026-46431 MEDIUM

Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

CVE-2026-8948 CRITICAL

Same-origin policy bypass in the DOM: Networking component

CVE-2026-8576 MEDIUM

Google Chrome < 148.0.7778.168 - Cross-Origin Data Leak via CORS Implementation

CVE-2026-8537 MEDIUM

Google Chrome < 148.0.7778.168 - Cross-Origin Data Leak via ViewTransitions

CVE-2026-44184 HIGH

Cleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads

CVE-2026-7643 MEDIUM

ChatGPTNextWeb NextChat API Endpoint Next.js cross-domain policy

CVE-2026-7581 MEDIUM

alexta69 MeTube CORS Policy main.py on_prepare cross-domain policy

CVE-2026-41056 HIGH

AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover

CVE-2026-34839 MEDIUM

Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS

CVE-2026-6662 HIGH

ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy

CVE-2026-6143 MEDIUM

farion1231 cc-switch ProxyServer server.rs cross-domain policy

CVE-2026-5302 MEDIUM

Permissive Cross-domain Policy with Untrusted Domains in coolercontrold

CVE-2026-33533 MEDIUM

Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard

CVE-2026-5321 MEDIUM

vanna-ai vanna FastAPI/Flask Server cross-domain policy

CVE-2026-34449 CRITICAL

SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection

CVE-2026-34237 MEDIUM

MCP Java SDK HTTP Transports - Wildcard CORS

CVE-2026-34227 HIGH

Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface

CVE-2026-34200 HIGH

Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port

Page 1 of 4 Next

Details

Vulnerabilities 97

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy