CWE-942 · Permissive Cross-domain Policy with Untrusted Domains

103 CVEs classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). Browse by severity and year.

Top CVEs for CWE-942
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2022-26969 | Critical | 9.8 | 2022-12-26 | In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. |
| CVE-2022-31736 | Critical | 9.8 | 2022-12-22 | A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firef… |
| CVE-2026-34449 | Critical | 9.6 | 2026-03-31 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running Si… |
| CVE-2026-30924 | Critical | 9.6 | 2026-03-19 | qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also re… |
| CVE-2026-28792 | Critical | 9.6 | 2026-03-12 | Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin… |
| CVE-2024-25124 | Critical | 9.4 | 2024-02-21 | Fiber is a web framework written in Go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the appli… |
| CVE-2026-8948 | Critical | 9.1 | 2026-05-19 | Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. |
| CVE-2026-1181 | Critical | 9.0 | 2026-01-19 | Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin req… |
| CVE-2026-34227 | High | 8.8 | 2026-03-31 | Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenti… |
| CVE-2026-22812 | High | 8.8 | 2026-01-12 | OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or an… |
| CVE-2024-11071 | High | 8.8 | 2025-04-07 | Permissive Cross-domain Policy with Untrusted Domains vulnerability in local API server of DestinyECM solution (versions described below) which is developed and… |
| CVE-2023-38125 | High | 8.8 | 2024-05-03 | Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code Execution Vulnerability. This vulnerability allows remote attackers to… |
| CVE-2021-34435 | High | 8.8 | 2021-09-01 | In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it i… |
| CVE-2026-50088 | High | 8.2 | 2026-06-12 | The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request shar… |
| CVE-2026-50087 | High | 8.2 | 2026-06-12 | The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-doma… |
| CVE-2026-56076 | High | 8.1 | 2026-06-18 | PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent exe… |
| CVE-2026-41056 | High | 8.1 | 2026-04-21 | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any ar… |
| CVE-2026-33010 | High | 8.1 | 2026-03-20 | mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true)… |
| CVE-2026-33043 | High | 8.1 | 2026-03-20 | WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthentica… |
| CVE-2026-32610 | High | 8.1 | 2026-03-18 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuratio… |