Vulnerability in Autobrr Qui

CVE-2026-30924

qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any externa…

EPSS: 0.001 (17.4th percentile) — read the EPSS interpretation.

Affected products

Autobrr Qui — versions <= 1.14.1

Weakness classification (CWE)

CWE-942 — Permissive Cross-domain Policy with Untrusted Domains

References

https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch (x_refsource_CONFIRM)
https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f (x_refsource_MISC)