CWE-942 · Permissive Cross-domain Policy with Untrusted Domains
103 CVEs are classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The entries shown below are sorted by score, highest first.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-26969 | Critical | 9.8 | 2022-12-26 | In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. |
| CVE-2022-31736 | Critical | 9.8 | 2022-12-22 | A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firef… |
| CVE-2026-34449 | Critical | 9.6 | 2026-03-31 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running Si… |
| CVE-2026-30924 | Critical | 9.6 | 2026-03-19 | qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also re… |
| CVE-2026-28792 | Critical | 9.6 | 2026-03-12 | Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin… |
| CVE-2024-25124 | Critical | 9.4 | 2024-02-21 | Fiber is a web framework written in Go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the appli… |
| CVE-2026-8948 | Critical | 9.1 | 2026-05-19 | Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. |
| CVE-2026-1181 | Critical | 9.0 | 2026-01-19 | Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin req… |
| CVE-2026-34227 | High | 8.8 | 2026-03-31 | Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenti… |
| CVE-2026-22812 | High | 8.8 | 2026-01-12 | OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or an… |
| CVE-2024-11071 | High | 8.8 | 2025-04-07 | Permissive Cross-domain Policy with Untrusted Domains vulnerability in the local API server of the DestinyECM solution (versions described below) which is developed and… |
| CVE-2023-38125 | High | 8.8 | 2024-05-03 | Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code Execution Vulnerability. This vulnerability allows remote attackers to… |
| CVE-2021-34435 | High | 8.8 | 2021-09-01 | In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it i… |
| CVE-2026-50088 | High | 8.2 | 2026-06-12 | The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request shar… |
| CVE-2026-50087 | High | 8.2 | 2026-06-12 | The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-doma… |
| CVE-2026-56076 | High | 8.1 | 2026-06-18 | PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent exe… |
| CVE-2026-41056 | High | 8.1 | 2026-04-21 | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any ar… |
| CVE-2026-33010 | High | 8.1 | 2026-03-20 | mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true)… |
| CVE-2026-33043 | High | 8.1 | 2026-03-20 | WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthentica… |
| CVE-2026-32610 | High | 8.1 | 2026-03-18 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuratio… |