CVE-2026-42281

HIGH · NUCLEI

MagicMirror²: Unauthenticated SSRF via /cors endpoint

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42281, a PoC published by Astaruf. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Python-based PoC for CVE-2026-42281, an unauthenticated SSRF vulnerability in MagicMirror² ≤ 2.35.0. The exploit leverages the `/cors` endpoint to perform internal network scans, cloud metadata exfiltration, and config extraction.

Description

MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.

Exploits (1)

github · WORKING POC
by Astaruf · python · poc
https://github.com/Astaruf/CVE-2026-42281

Classification
Working PoC 100%
Attack Type
SSRF
Complexity
Moderate
Reliability
Reliable
Target: MagicMirror² ≤ 2.35.0
No auth needed
Prerequisites: Python 3.8+ · Target running MagicMirror² ≤ 2.35.0
devstral-2 · analyzed May 17, 2026

Nuclei Templates (1)

MagicMirror <= 2.35.0 - Server-Side Request Forgery
CRITICAL · VERIFIED · by aleff-github
Shodan: http.title:"MagicMirror"

Scores

CVSS v3 8.6
EPSS 0.0290
EPSS Percentile 86.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (3)
magicmirror/magicmirror < 2.36.0
MagicMirrorOrg/MagicMirror < 2.36.0
npm/magicmirror 0 - 2.36.0 (npm)
Published May 14, 2026
Tracked Since May 14, 2026