Vulnerability Details :

CVE-2026-25478

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-09 Feb, 2026 | 18:46
Updated At-10 Feb, 2026 | 16:01

Litestar has a CORS origin allowlist bypass due to unescaped regex metacharacters in allowed origins

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0.
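
The failure mode described above, as an added example that is not Litestar's code: a simplified model that joins allowlist entries into one alternation and validates with fullmatch(), beside a variant that applies re.escape() to each entry first. The function names and the example.com origins are assumptions constructed for illustration.

```python
import re

# Constructed sample allowlist; the hosts are placeholders, not from the advisory.
ALLOWED = ["https://app.example.com", "https://admin.example.com"]


def compile_unescaped(allowed):
    """Model of the pre-fix behaviour: entries are used as raw regex source."""
    return re.compile("|".join(allowed))


def compile_escaped(allowed):
    """Hardened variant: every entry is matched as a literal string."""
    return re.compile("|".join(re.escape(origin) for origin in allowed))


def is_allowed(pattern, origin):
    # Same check the advisory names: the whole Origin value must match.
    return pattern.fullmatch(origin) is not None


def decision_drift(allowed, candidates):
    """Return candidates accepted by the raw pattern but rejected once escaped.

    Usable as a regression test: a non-empty result means the allowlist is
    being interpreted as regex syntax rather than as literal origins.
    """
    raw, safe = compile_unescaped(allowed), compile_escaped(allowed)
    return [c for c in candidates
            if is_allowed(raw, c) and not is_allowed(safe, c)]


if __name__ == "__main__":
    # Constructed Origin header values for the comparison.
    candidates = [
        "https://app.example.com",       # configured origin
        "https://appXexample.com",       # "." in the entry matches "X"
        "https://app.example.com.test",  # longer value: fullmatch() rejects it
    ]
    for origin in candidates:
        print(origin,
              is_allowed(compile_unescaped(ALLOWED), origin),
              is_allowed(compile_escaped(ALLOWED), origin))
    print("drift:", decision_drift(ALLOWED, candidates))
```

fullmatch() anchors both ends of the value, so it stops prefix and suffix tricks but does nothing about a "." inside an entry matching an arbitrary character.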

▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)

Affected Products
Vendor: litestar-org
Product: litestar
Versions affected: < 2.20.0
Problem Types
Type: CWE
CWE ID: CWE-942
Description: CWE-942: Permissive Cross-domain Policy with Untrusted Domains
Metrics
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
References
Hyperlink: https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2
Resource: x_refsource_CONFIRM
Hyperlink: https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a
Resource: x_refsource_MISC
Hyperlink: https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
Resource: x_refsource_MISC
Hyperlink: https://github.com/litestar-org/litestar/releases/tag/v2.20.0
Resource: x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:09 Feb, 2026 | 20:15
Updated At:17 Feb, 2026 | 15:15

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CPE Matches

litestar >> litestar >> Versions before 2.20.0 (exclusive)
cpe:2.3:a:litestar:litestar:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-942
Type: Primary
Source: security-advisories@github.com
References
Hyperlink: https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0
Source: security-advisories@github.com
Resource: Release Notes
Hyperlink: https://github.com/litestar-org/litestar/commit/eb87703b309efcc0d1b087dcb12784e76b003d5a
Source: security-advisories@github.com
Resource: Patch
Hyperlink: https://github.com/litestar-org/litestar/releases/tag/v2.20.0
Source: security-advisories@github.com
Resource: Release Notes
Hyperlink: https://github.com/litestar-org/litestar/security/advisories/GHSA-2p2x-hpg8-cqp2
Source: security-advisories@github.com
Resource: Exploit, Vendor Advisory

Change History

Information is not available yet

Similar CVEs

6 Records found

CVE-2022-34366
Matching Score-4
Assigner-Dell
CVSS Score-6.5 | MEDIUM
EPSS-0.06% / 17.26%
7 Day CHG-0.14%
Published-10 Feb, 2023 | 19:18
Updated-24 Mar, 2025 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell SupportAssist for Home PCs (version 3.11.2 and prior) contains an Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.

Action-Not Available
Vendor-Dell Inc.
Product-supportassist_for_home_pcs, SupportAssist Client Consumer
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CWE ID-CWE-697
Incorrect Comparison
CVE-2019-14860
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.4 | HIGH
EPSS-0.28% / 50.79%
7 Day CHG~0.00%
Published-08 Nov, 2019 | 14:45
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information.

Action-Not Available
Vendor-[UNKNOWN], Red Hat, Inc.
Product-fusesyndesissyndesis
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CVE-2025-55462
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5 | MEDIUM
EPSS-0.04% / 10.83%
7 Day CHG~0.00%
Published-13 Jan, 2026 | 00:00
Updated-05 Feb, 2026 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration.

Action-Not Available
Vendor-eramba, n/a
Product-eramba, n/a
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CVE-2025-53092
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5 | MEDIUM
EPSS-0.05% / 15.83%
7 Day CHG+0.01%
Published-16 Oct, 2025 | 16:29
Updated-25 Nov, 2025 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.

Action-Not Available
Vendor-Strapi, Inc.
Product-strapi, strapi
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-364
Signal Handler Race Condition
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CVE-2025-4515
Matching Score-4
Assigner-VulDB
CVSS Score-5.3 | MEDIUM
EPSS-0.06% / 19.17%
7 Day CHG~0.00%
Published-10 May, 2025 | 20:31
Updated-08 Jul, 2025 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zylon PrivateGPT settings.yaml cross-domain policy

A vulnerability, which was classified as problematic, was found in Zylon PrivateGPT up to 0.6.2. This affects an unknown part of the file settings.yaml. The manipulation of the argument allow_origins leads to permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-pribai, Zylon
Product-privategpt, PrivateGPT
CWE ID-CWE-346
Origin Validation Error
CWE ID-CWE-697
Incorrect Comparison
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CVE-2025-25264
Matching Score-4
Assigner-CERT@VDE
CVSS Score-6.5 | MEDIUM
EPSS-0.03% / 9.90%
7 Day CHG~0.00%
Published-16 Jun, 2025 | 09:45
Updated-21 Nov, 2025 | 12:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Overly Permissive CORS Policy in WAGO Device Manager

An unauthenticated remote attacker can trick an admin into visiting a website containing malicious JavaScript code. The current overly permissive CORS policy allows the attacker to obtain any files from the file system.

Action-Not Available
Vendor-WAGO
Product-TP600 0762-430x/8000-000x, PFC100 G1 0750-810x/xxxx-xxxx, Edge Controller 0752-8303/8000-0002, TP600 0762-630x/8000-000x, PFC200 G1 750-820x-xxx-xxx, CC100 0751-9x01, TP600 0762-520x/8000-000x, TP600 0762-530x/8000-000x, TP600 0762-620x/8000-000x, PFC100 G2 0750-811x-xxxx-xxxx, PFC200 G2 750-821x-xxx-xxx, TP600 0762-420x/8000-000x
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains