CVE-2026-27579

HIGH

CollabPlatform - Info Disclosure

Title source: llm

Description

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue authenticated cross-origin requests and read sensitive user account information, including email address, account identifiers, and MFA status. The issue did not have a fix at the time of publication.
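The misconfiguration described above can be checked from response headers alone. The following is an added defensive example, not code from CollabPlatform, Appwrite or the advisory: it puts an exact-match origin allowlist beside an audit function that flags a reflected untrusted origin combined with credentials. The function names, origins and header sets are constructed assumptions.

```python
# Added example: names, origins and header sets below are constructed.
ALLOWED_ORIGINS = frozenset({"https://app.example.test"})  # assumed trusted front end


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Hardened policy: echo Origin only on an exact allowlist match."""
    if origin in allowed:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # keep caches from serving one origin's grant to another
        }
    return {}  # no CORS headers, so the browser withholds the response from the page


def audit(probe_origin, response_headers, allowed=ALLOWED_ORIGINS):
    """Classify the response returned for a request carrying probe_origin."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "") == "true"
    if acao is None:
        return ("OK", "no cross-origin read granted")
    if acao == "*":
        return ("WARN", "wildcard origin; browsers refuse it on credentialed requests")
    if acao == probe_origin and probe_origin not in allowed:
        if creds:
            return ("FAIL", "untrusted origin reflected with credentials allowed")
        return ("WARN", "untrusted origin reflected without credentials")
    if acao == probe_origin and "origin" not in h.get("vary", "").lower():
        return ("WARN", "per-origin grant without Vary: Origin")
    return ("OK", "origin restricted to the allowlist")


if __name__ == "__main__":
    untrusted = "https://untrusted.example.test"
    # Constructed response showing the pattern the description reports.
    reflected = {
        "Access-Control-Allow-Origin": untrusted,
        "Access-Control-Allow-Credentials": "true",
    }
    print(audit(untrusted, reflected))
    print(audit(untrusted, cors_headers(untrusted)))
    print(audit("https://app.example.test", cors_headers("https://app.example.test")))
```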

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27579

nomisec WORKING POC 1 star
by AdityaBhatt3010 · poc
https://github.com/AdityaBhatt3010/CVE-2026-27579-CORS-Misconfiguration-Leading-to-Authenticated-Data-Exposure

nomisec WORKING POC
by mbanyamer · poc
https://github.com/mbanyamer/CVE-2026-27579-CollabPlatform-Appwrite-CORS-Misconfiguration

Scores

CVSS v3 7.4
EPSS 0.0001
EPSS Percentile 0.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Details

CWE
CWE-346 CWE-942
Status published
Products (1)
karnop/realtime-collaboration-platform <= master
Published Feb 21, 2026
Tracked Since Feb 21, 2026