{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cors/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-34449"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-34449","rce","siyuan","cors"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan is a personal knowledge management system. Versions prior to 3.6.2 contain a critical vulnerability (CVE-2026-34449) that allows a malicious website to execute arbitrary code on any desktop running the application. This is achieved by exploiting an overly permissive Cross-Origin Resource Sharing (CORS) policy (\u0026ldquo;Access-Control-Allow-Origin: *\u0026rdquo; combined with \u0026ldquo;Access-Control-Allow-Private-Network: true\u0026rdquo;). An attacker can inject a JavaScript snippet into the application via its API. This injected code then executes in the context of Electron\u0026rsquo;s Node.js environment, granting the attacker full operating system access. The vulnerability is triggered simply by a user visiting a malicious website while SiYuan is running. The issue has been addressed and patched in version 3.6.2 of SiYuan. This RCE can allow attackers to steal data, install malware, or perform other malicious activities on the victim\u0026rsquo;s machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictim launches the SiYuan application on their desktop (Windows, Linux, or macOS).\u003c/li\u003e\n\u003cli\u003eVictim visits a malicious website in a web browser while SiYuan is running.\u003c/li\u003e\n\u003cli\u003eThe malicious website leverages the permissive CORS policy of SiYuan.\u003c/li\u003e\n\u003cli\u003eThe malicious website sends an API request to the running SiYuan instance.\u003c/li\u003e\n\u003cli\u003eThis API request injects a malicious JavaScript payload into SiYuan.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code is stored within SiYuan\u0026rsquo;s data.\u003c/li\u003e\n\u003cli\u003eThe next time the user opens SiYuan\u0026rsquo;s UI, the injected JavaScript code executes within Electron\u0026rsquo;s Node.js context.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full OS access and can perform arbitrary actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34449 allows for complete compromise of the user\u0026rsquo;s system. The attacker can steal sensitive data, install persistent backdoors, or deploy ransomware. Given SiYuan\u0026rsquo;s purpose as a knowledge management system, it likely holds valuable and sensitive personal or business information. The impact is significant due to the ease of exploitation requiring no user interaction beyond visiting a malicious website.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade SiYuan to version 3.6.2 or later to patch CVE-2026-34449.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual API requests originating from web browsers, as this could indicate exploitation attempts. Deploy the Sigma rule \u003ccode\u003etitle: \u0026quot;Detect Suspicious SiYuan API Access from Web Browser\u0026quot;\u003c/code\u003e to detect this behavior.\u003c/li\u003e\n\u003cli\u003eImplement strict CORS policies for web applications to prevent unauthorized cross-origin requests.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and monitor for unexpected processes spawned from SiYuan, as this could be a sign of successful RCE. Deploy the Sigma rule \u003ccode\u003etitle: \u0026quot;Detect Processes Spawned from SiYuan Indicating RCE\u0026quot;\u003c/code\u003e to detect this.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T22:17:16Z","date_published":"2026-03-31T22:17:16Z","id":"/briefs/2026-04-siyuan-rce/","summary":"SiYuan versions prior to 3.6.2 are vulnerable to remote code execution (RCE) via a malicious website exploiting a permissive CORS policy to inject a JavaScript snippet, leading to arbitrary code execution within the application's Node.js context.","title":"SiYuan Knowledge Management System RCE via Malicious Website","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["glances","cors","information-disclosure","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Glances system monitoring tool, when run in server mode using the XML-RPC interface (initiated with \u003ccode\u003eglances -s\u003c/code\u003e or \u003ccode\u003eglances --server\u003c/code\u003e), is vulnerable to a cross-origin information disclosure. This vulnerability exists because the XML-RPC server sends the \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e header on every HTTP response without validating the \u003ccode\u003eContent-Type\u003c/code\u003e header. An attacker can exploit this by crafting a CORS \u0026ldquo;simple request\u0026rdquo; (a POST request with \u003ccode\u003eContent-Type: text/plain\u003c/code\u003e) containing a valid XML-RPC payload.  Because browsers do not send a preflight OPTIONS request for simple requests, the attacker can bypass CORS protections and retrieve sensitive data. This affects Glances versions up to and including 4.5.1.  The separate REST API was patched in 4.5.1 (CVE-2026-32610), but the XML-RPC component remains vulnerable (CVE-2026-33533).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target running Glances in XML-RPC server mode, typically on port 61209 (\u003ccode\u003eglances -s -p 61209\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious webpage containing JavaScript code to send a POST request to the Glances XML-RPC endpoint (\u003ccode\u003e/RPC2\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe POST request includes an XML-RPC payload within the body (e.g., \u003ccode\u003e\u0026lt;?xml version=\u0026quot;1.0\u0026quot;?\u0026gt;\u0026lt;methodCall\u0026gt;\u0026lt;methodName\u0026gt;getAll\u0026lt;/methodName\u0026gt;\u0026lt;/methodCall\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request is sent with the \u003ccode\u003eContent-Type\u003c/code\u003e header set to \u003ccode\u003etext/plain\u003c/code\u003e to qualify as a CORS \u0026ldquo;simple request,\u0026rdquo; bypassing the need for a preflight OPTIONS request.\u003c/li\u003e\n\u003cli\u003eThe Glances XML-RPC server processes the request regardless of the \u003ccode\u003eContent-Type\u003c/code\u003e due to missing validation in \u003ccode\u003eGlancesXMLRPCHandler.send_my_headers\u003c/code\u003e in \u003ccode\u003eserver.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server responds with the requested system monitoring data and includes the \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code parses the XML response and extracts the sensitive system information, including hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list with command lines.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data to a remote server or displays it within the malicious webpage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to steal sensitive system information from any Glances instance running in server mode without authentication.  This includes hostname, OS version, IP addresses, CPU/memory/disk/network statistics, and a full process list, which can expose sensitive credentials or internal paths contained within command-line arguments.  The default configuration for Glances has no authentication enabled, making all instances vulnerable out-of-the-box, impacting any user running Glances in server mode on a network-accessible interface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDisable the Glances XML-RPC server (\u003ccode\u003eglances -s\u003c/code\u003e) if it\u0026rsquo;s not required, as this is the root cause of the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Glances XML-RPC getAll Request\u003c/code\u003e to detect exploitation attempts against the XML-RPC endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for POST requests with \u003ccode\u003eContent-Type: text/plain\u003c/code\u003e to the \u003ccode\u003e/RPC2\u003c/code\u003e endpoint of Glances servers, using the IOC \u003ccode\u003eurl: http://TARGET_IP:61209/RPC2\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpgrade Glances to a patched version that addresses CVE-2026-33533 when a patch becomes available. Currently, the provided source indicates no patch exists even in the latest dev branch.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T17:01:44Z","date_published":"2026-03-30T17:01:44Z","id":"/briefs/2026-05-glances-xmlrpc-cors/","summary":"The Glances XML-RPC server exposes sensitive system information due to a permissive CORS policy and missing Content-Type validation, enabling attackers to bypass CORS restrictions and steal data like hostnames, OS details, IP addresses, and process lists.","title":"Glances XML-RPC Server Cross-Origin Information Disclosure","url":"https://feed.craftedsignal.io/briefs/2026-05-glances-xmlrpc-cors/"}],"language":"en","title":"CraftedSignal Threat Feed — Cors","version":"https://jsonfeed.org/version/1.1"}