CVE-2026-6662
HIGH
ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy
Title source: cnaDescription
A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The affected code is the cors function in src/server.ts, part of the Token Endpoint component. The function applies a permissive cross-origin policy (a wildcard origin) to an endpoint that hands out the token without requiring authentication, so a page served from an untrusted origin and loaded in the user's browser can read the token cross-origin. The attack can be initiated remotely. A public exploit exists and could be used.
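The misconfiguration described above, as an added example that is not part of this advisory or of the copilot-api code base: a wildcard CORS policy beside an allowlist policy, the browser's read rule for a non-credentialed cross-origin GET, and an audit check that parses a captured probe response. The local origin http://localhost:4141, the attacker origin and the captured response are constructed assumptions, not values taken from the advisory.

```typescript
// Added example, not code from the copilot-api project. It models the header a
// server emits for a request carrying an Origin header under two CORS policies,
// then applies the browser's read rule for a simple cross-origin GET, so the
// effect of each policy on an unauthenticated token endpoint can be checked offline.

type HeaderMap = Record<string, string>;

// Wildcard policy: the shape the advisory describes. Any origin may read the body.
function wildcardCors(_origin: string | undefined): HeaderMap {
  return { "access-control-allow-origin": "*" };
}

// Hardened policy: echo the origin only when it is on an explicit allowlist,
// otherwise emit no CORS header at all, so the browser withholds the body.
function allowlistCors(origin: string | undefined, allowed: ReadonlySet<string>): HeaderMap {
  if (origin !== undefined && allowed.has(origin)) {
    return { "access-control-allow-origin": origin, vary: "Origin" };
  }
  return {};
}

// Browser rule for a non-credentialed cross-origin GET: the page at pageOrigin
// may read the body only if ACAO is "*" or exactly equal to pageOrigin.
// Browsers reject a wildcard on credentialed requests, which is why an endpoint
// that needs no credentials is the dangerous case.
function browserCanReadBody(pageOrigin: string, headers: HeaderMap): boolean {
  const acao = headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Parse the header block of a raw HTTP/1.1 response into a lower-cased map,
// so a captured probe (for example the output of curl -si) can be audited.
function parseResponseHeaders(raw: string): HeaderMap {
  const out: HeaderMap = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    if (line === "") break;                          // blank line ends the headers
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    out[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return out;
}

// Constructed scenario. The local origin and port are assumptions about a
// typical deployment, not values taken from the advisory.
const LOCAL_ORIGIN = "http://localhost:4141";       // assumption
const ATTACKER_ORIGIN = "https://attacker.example"; // constructed
const ALLOWED = new Set<string>([LOCAL_ORIGIN]);

// Does a page on the attacker's origin get to read the token under each policy?
function tokenReadableByAttacker(policy: "wildcard" | "allowlist"): boolean {
  const headers = policy === "wildcard"
    ? wildcardCors(ATTACKER_ORIGIN)
    : allowlistCors(ATTACKER_ORIGIN, ALLOWED);
  return browserCanReadBody(ATTACKER_ORIGIN, headers);
}

// Constructed capture of a probe sent with "Origin: https://attacker.example"
// against the token endpoint; the body is a placeholder, not a real token.
const PROBE_RESPONSE =
  "HTTP/1.1 200 OK\r\n" +
  "Content-Type: text/plain\r\n" +
  "Access-Control-Allow-Origin: *\r\n" +
  "\r\n" +
  "<token-placeholder>";

// Audit verdict over a captured response: true means a page on probeOrigin can read it.
function probeExposesToken(probeOrigin: string, rawResponse: string): boolean {
  return browserCanReadBody(probeOrigin, parseResponseHeaders(rawResponse));
}

console.log("wildcard policy readable by attacker:", tokenReadableByAttacker("wildcard"));   // true
console.log("allowlist policy readable by attacker:", tokenReadableByAttacker("allowlist")); // false
console.log("captured probe exposes token:", probeExposesToken(ATTACKER_ORIGIN, PROBE_RESPONSE)); // true
```

The check to run against a live instance is the same as probeExposesToken: send a request with an arbitrary Origin header to the token endpoint and look at Access-Control-Allow-Origin in the reply. A wildcard, or the probe origin echoed back, on a response that carries the token is the finding. Note that "*" is only exploitable because the endpoint needs no credentials; browsers refuse a wildcard on credentialed requests, so requiring authentication on the endpoint or restricting the policy to an explicit allowlist each closes the cross-origin read.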
References (4)
VDB-358300 | ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy (VDB entry, technical description)
https://vuldb.com/vuln/358300
VDB-358300 | CTI Indicators (IOB, IOC, IOA) (signature, permissions required)
https://vuldb.com/vuln/358300/cti
Submit #794601 | ericc-ch copilot-api 0.7.0 Cross-Origin Token Theft via Wildcard CORS & Open Token Endpoint (third-party advisory)
https://vuldb.com/submit/794601
Exploit (issue tracking)
https://github.com/August829/CVEP/issues/31
Scores
CVSS v3: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Attack Vector: NETWORK
EPSS: 0.0018 (percentile 7.9%)
CISA SSVC (Vulnrichment): Exploitation: poc; Automatable: no; Technical Impact: partial
Details
CWE: CWE-346 (Origin Validation Error), CWE-942 (Permissive Cross-domain Policy with Untrusted Domains)
Status: published
Products (7)
ericc-ch/copilot-api: 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7.0
Published: Apr 20, 2026
Tracked Since: Apr 20, 2026