CVE-2026-57957
MEDIUMDescription
Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-57957? +
How severe is CVE-2026-57957? +
How do I check if I'm vulnerable to CVE-2026-57957? +
Related Vulnerabilities
Incorrect Cross-Origin Resource Sharing (CORS) configuration in Hiberus Sintra. Cross-Origin Resource Sharing (CORS) allows browsers to make cross-domain requests in …
Rob -- W / cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to …
In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability …
In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability …
claude-code-router is a powerful tool to route Claude Code requests to different models and customize any request. Due to improper …
In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6. Reported by Alpha Inferno PVT LTD.