{"id":"CVE-2026-57957","summary":"Papermark 0.22.0 - CORS Misconfiguration in Viewer Upload Endpoint","details":"Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.","modified":"2026-07-16T03:31:16.186302306Z","published":"2026-06-29T17:23:10.419Z","database_specific":{"cna_assigner":"VulnCheck","cwe_ids":["CWE-942"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57957.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57957.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-57957"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/papermark-cors-misconfiguration-in-viewer-upload-endpoint"},{"type":"REPORT","url":"https://github.com/AstoKr/papermark/pull/1"},{"type":"REPORT","url":"https://github.com/papermark/papermark/issues/2178"},{"type":"PACKAGE","url":"https://github.com/papermark/papermark"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/astokr/papermark","events":[{"introduced":"0"},{"fixed":"01c7812941e1a3d832ae54363b37c320611834e0"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"0.22.0"},{"fixed":"0.22.0"}],"source":["AFFECTED_FIELD","DESCRIPTION"]}}],"versions":["v0.21.0","v0.20.0","v0.19.0","v0.18.0","v0.17.0","v0.16.0","v0.15.0","v0.14.0","v0.13.0","v0.12.0","v0.11.0","v0.10.0","v0.9.0","v0.8.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57957.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"}]}