Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-942

CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

Parent: CWE-863 - Incorrect Authorization

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

97 vulnerabilities with CWE-942

CVE-2026-0397 LOW

Information disclosure via CORS misconfiguration

CVE-2026-33010 HIGH

mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft

CVE-2026-33043 HIGH

AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

CVE-2026-30924 CRITICAL

qui CORS Misconfiguration: Arbitrary Origins Trusted

CVE-2026-32610 HIGH

Glances's Default CORS Configuration Allows Cross-Origin Credential Theft

CVE-2026-32617 HIGH

AnythingLLM <= 1.11.1 - Unauthenticated Cross-Origin Resource Sharing Misconfiguration

CVE-2026-28792 CRITICAL

ssw/tinacms/cli < 2.1.8 - Unauthenticated Path Traversal and Arbitrary File Write via CORS Misconfiguration

CVE-2026-27579 HIGH

karnop realtime-collaboration-platform - Origin Validation Error in CORS Configuration

CVE-2026-25478 HIGH

Litestar < 2.20.0 - Permissive Cross-domain Security Policy via Unescaped Regex Metacharacters

CVE-2026-24435 MEDIUM

Shenzhen Tenda W30E V2 <16.01.0.19(5037) - XSS

CVE-2026-1181 CRITICAL

Altium 365 - Improper Access Control via Overly Permissive CORS Policy

CVE-2026-22812 HIGH

OpenCode <1.0.216 - Command Injection

CVE-2025-55274 LOW

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability

CVE-2025-9292 HIGH

TP-Link Omada Cloud Controller - Permissive Cross-domain Security Policy with Untrusted Domains

CVE-2025-13984 MEDIUM

Drupal Next.Js < 1.6.4 and 2.0.0 - Cross-Site Scripting via Permissive Cross-domain Security Policy

CVE-2025-55462 MEDIUM

Eramba Community/Enterprise <3.26.0 - SSRF

CVE-2025-13019 HIGH

Firefox < 140.5.0 and 140.5-140.* and < 145.0 and >=145 - Same-Origin Policy Bypass in DOM Workers

CVE-2025-13017 HIGH

Firefox < 140.5.0 and 140.5-140.* and < 145.0 and >=145 - Same-Origin Policy Bypass via Notifications Component

CVE-2025-43480 HIGH

Safari < 26.1 - Cross-Origin Data Exfiltration via Permissive Security Policy

CVE-2025-43392 MEDIUM

Safari < 26.1 - Cross-Origin Image Data Exfiltration via Cache Handling

CVE-2025-62523 MEDIUM

PILOS < 4.8.0 - Cross-Origin Resource Sharing Misconfiguration via Origin Header Reflection

CVE-2025-53092 MEDIUM

Strapi < 5.20.0 - CORS Misconfiguration via Origin Header Reflection

CVE-2025-11304 MEDIUM

CodeCanyon/ui-lib Mentor LMS <1.1.1 - XSS

CVE-2025-41010 MEDIUM

Hiberus Sintra - Permissive Cross-domain Security Policy with Untrusted Domains

CVE-2025-10529 MEDIUM

Firefox < 140.3.0 and 140.3-140.* - Same-Origin Policy Bypass in Layout Component

Previous Page 2 of 4 Next

Details

Vulnerabilities 97

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy