Tag

Cross-Origin

3 briefs RSS

Network-AI Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret (CVE-2026-46701)

Network-AI is vulnerable to an unauthenticated cross-origin attack due to an empty default secret and permissive CORS configuration, allowing an attacker to lure a user to a malicious web page and invoke MCP tools like config_set, agent_spawn, and blackboard_write against a default-configured localhost server.

Network-AI cve cve-2026-46701 network cross-origin authentication bypass

2r 1t May 21, 2026

high advisory

cpp-httplib Vulnerability Leads to Credential Leakage via HTTP Redirects

2 rules 1 TTP

The cpp-httplib library prior to version 0.39.0 forwards stored authentication credentials to arbitrary hosts via HTTP redirects, potentially exposing sensitive information to malicious actors.

cpp-httplib credential-leak cve-2026-33745 http-redirect credential-access cross-origin

2r 1t Mar 27, 2026

critical advisory

Cline Kanban Server Cross-Origin WebSocket Hijacking Vulnerability

3 rules 4 TTPs 1 IOC

The `kanban` npm package, used by the `cline` CLI, has a cross-origin WebSocket hijacking vulnerability. Due to the lack of Origin header validation, any website can connect to the kanban server via WebSocket and leak sensitive data, hijack running AI agent terminals leading to remote code execution, or kill running agent tasks, resulting in information disclosure, RCE, and denial of service.

cline +1 websocket cross-origin rce infoleak dos

3r 4t 1i Jan 3, 2024