https://feed.craftedsignal.io/tags/cors/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 31 Mar 2026 22:17:16 +0000https://feed.craftedsignal.io/briefs/2026-04-siyuan-rce/Tue, 31 Mar 2026 22:17:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-siyuan-rce/SiYuan versions prior to 3.6.2 are vulnerable to remote code execution (RCE) via a malicious website exploiting a permissive CORS policy to inject a JavaScript snippet, leading to arbitrary code execution within the application's Node.js context.SiYuan is a personal knowledge management system. Versions prior to 3.6.2 contain a critical vulnerability (CVE-2026-34449) that allows a malicious website to execute arbitrary code on any desktop running the application. This is achieved by exploiting an overly permissive Cross-Origin Resource Sharing (CORS) policy (“Access-Control-Allow-Origin: *” combined with “Access-Control-Allow-Private-Network: true”). An attacker can inject a JavaScript snippet into the application via its API. This injected code then executes in the context of Electron’s Node.js environment, granting the attacker full operating system access. The vulnerability is triggered simply by a user visiting a malicious website while SiYuan is running. The issue has been addressed and patched in version 3.6.2 of SiYuan. This RCE can allow attackers to steal data, install malware, or perform other malicious activities on the victim’s machine.

Attack Chain

1. Victim launches the SiYuan application on their desktop (Windows, Linux, or macOS).
2. Victim visits a malicious website in a web browser while SiYuan is running.
3. The malicious website leverages the permissive CORS policy of SiYuan.
4. The malicious website sends an API request to the running SiYuan instance.
5. This API request injects a malicious JavaScript payload into SiYuan.
6. The injected JavaScript code is stored within SiYuan’s data.
7. The next time the user opens SiYuan’s UI, the injected JavaScript code executes within Electron’s Node.js context.
8. The attacker gains full OS access and can perform arbitrary actions.

Impact

Successful exploitation of CVE-2026-34449 allows for complete compromise of the user’s system. The attacker can steal sensitive data, install persistent backdoors, or deploy ransomware. Given SiYuan’s purpose as a knowledge management system, it likely holds valuable and sensitive personal or business information. The impact is significant due to the ease of exploitation requiring no user interaction beyond visiting a malicious website.

Recommendation

• Immediately upgrade SiYuan to version 3.6.2 or later to patch CVE-2026-34449.
• Monitor network connections for unusual API requests originating from web browsers, as this could indicate exploitation attempts. Deploy the Sigma rule title: "Detect Suspicious SiYuan API Access from Web Browser" to detect this behavior.
• Implement strict CORS policies for web applications to prevent unauthorized cross-origin requests.
• Enable process creation logging and monitor for unexpected processes spawned from SiYuan, as this could be a sign of successful RCE. Deploy the Sigma rule title: "Detect Processes Spawned from SiYuan Indicating RCE" to detect this.

]]>criticaladvisorycve-2026-34449rcesiyuancorshttps://feed.craftedsignal.io/briefs/2026-05-glances-xmlrpc-cors/Mon, 30 Mar 2026 17:01:44 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-glances-xmlrpc-cors/The Glances XML-RPC server exposes sensitive system information due to a permissive CORS policy and missing Content-Type validation, enabling attackers to bypass CORS restrictions and steal data like hostnames, OS details, IP addresses, and process lists.The Glances system monitoring tool, when run in server mode using the XML-RPC interface (initiated with glances -s or glances --server), is vulnerable to a cross-origin information disclosure. This vulnerability exists because the XML-RPC server sends the Access-Control-Allow-Origin: * header on every HTTP response without validating the Content-Type header. An attacker can exploit this by crafting a CORS “simple request” (a POST request with Content-Type: text/plain) containing a valid XML-RPC payload. Because browsers do not send a preflight OPTIONS request for simple requests, the attacker can bypass CORS protections and retrieve sensitive data. This affects Glances versions up to and including 4.5.1. The separate REST API was patched in 4.5.1 (CVE-2026-32610), but the XML-RPC component remains vulnerable (CVE-2026-33533).

Attack Chain

1. The attacker identifies a target running Glances in XML-RPC server mode, typically on port 61209 (glances -s -p 61209).
2. The attacker crafts a malicious webpage containing JavaScript code to send a POST request to the Glances XML-RPC endpoint (/RPC2).
3. The POST request includes an XML-RPC payload within the body (e.g., <?xml version="1.0"?><methodCall><methodName>getAll</methodName></methodCall>).
4. The request is sent with the Content-Type header set to text/plain to qualify as a CORS “simple request,” bypassing the need for a preflight OPTIONS request.
5. The Glances XML-RPC server processes the request regardless of the Content-Type due to missing validation in GlancesXMLRPCHandler.send_my_headers in server.py.
6. The server responds with the requested system monitoring data and includes the Access-Control-Allow-Origin: * header.
7. The attacker’s JavaScript code parses the XML response and extracts the sensitive system information, including hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list with command lines.
8. The attacker exfiltrates the stolen data to a remote server or displays it within the malicious webpage.

Impact

Successful exploitation allows an attacker to steal sensitive system information from any Glances instance running in server mode without authentication. This includes hostname, OS version, IP addresses, CPU/memory/disk/network statistics, and a full process list, which can expose sensitive credentials or internal paths contained within command-line arguments. The default configuration for Glances has no authentication enabled, making all instances vulnerable out-of-the-box, impacting any user running Glances in server mode on a network-accessible interface.

Recommendation

• Disable the Glances XML-RPC server (glances -s) if it’s not required, as this is the root cause of the vulnerability.
• Deploy the Sigma rule Detect Glances XML-RPC getAll Request to detect exploitation attempts against the XML-RPC endpoint.
• Monitor network traffic for POST requests with Content-Type: text/plain to the /RPC2 endpoint of Glances servers, using the IOC url: http://TARGET_IP:61209/RPC2.
• Upgrade Glances to a patched version that addresses CVE-2026-33533 when a patch becomes available. Currently, the provided source indicates no patch exists even in the latest dev branch.

]]>highadvisoryglancescorsinformation-disclosurevulnerability