{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6662", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-20T12:01:50.361Z", "datePublished": "2026-04-20T17:00:17.800Z", "dateUpdated": "2026-04-20T18:09:27.691Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T17:00:17.800Z"}, "title": "ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-942", "lang": "en", "description": "Permissive Cross-domain Policy with Untrusted Domains"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-346", "lang": "en", "description": "Origin Validation Error"}]}], "affected": [{"vendor": "ericc-ch", "product": "copilot-api", "versions": [{"version": "0.1", "status": "affected"}, {"version": "0.2", "status": "affected"}, {"version": "0.3", "status": "affected"}, {"version": "0.4", "status": "affected"}, {"version": "0.5", "status": "affected"}, {"version": "0.6", "status": "affected"}, {"version": "0.7.0", "status": "affected"}], "modules": ["Token Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been made public and could be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-20T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-20T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-20T14:06:55.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yu_Bao (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/358300", "name": "VDB-358300 | ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358300/cti", "name": "VDB-358300 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/794601", "name": "Submit #794601 | ericc-ch copilot-api 0.7.0 Cross-Origin Token Theft via Wildcard CORS & Open Token Endpoint", "tags": ["third-party-advisory"]}, {"url": "https://github.com/August829/CVEP/issues/31", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T18:09:19.525193Z", "id": "CVE-2026-6662", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T18:09:27.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6662", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T18:09:19.525193Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T18:09:23.904Z"}}], "cna": {"title": "ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy", "credits": [{"lang": "en", "type": "reporter", "value": "Yu_Bao (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "ericc-ch", "modules": ["Token Endpoint"], "product": "copilot-api", "versions": [{"status": "affected", "version": "0.1"}, {"status": "affected", "version": "0.2"}, {"status": "affected", "version": "0.3"}, {"status": "affected", "version": "0.4"}, {"status": "affected", "version": "0.5"}, {"status": "affected", "version": "0.6"}, {"status": "affected", "version": "0.7.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-20T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-20T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-20T14:06:55.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358300", "name": "VDB-358300 | ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358300/cti", "name": "VDB-358300 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/794601", "name": "Submit #794601 | ericc-ch copilot-api 0.7.0 Cross-Origin Token Theft via Wildcard CORS & Open Token Endpoint", "tags": ["third-party-advisory"]}, {"url": "https://github.com/August829/CVEP/issues/31", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been made public and could be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "Permissive Cross-domain Policy with Untrusted Domains"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "Origin Validation Error"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T17:00:17.800Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6662", "state": "PUBLISHED", "dateUpdated": "2026-04-20T18:09:27.691Z", "dateReserved": "2026-04-20T12:01:50.361Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-20T17:00:17.800Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been made public and could be used."}], "id": "CVE-2026-6662", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T17:16:39.647", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/August829/CVEP/issues/31"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/794601"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358300"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358300/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-942"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.7.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "copilot-api", "source": "cna", "vendor": "ericc-ch"}, "product": "copilot-api", "vendor": "ericc-ch"}], "analysis": {"en": {"generated_at": "2026-04-20T18:35:37.139319+00:00", "value": {"mitigation_remediation": ["Update ericc-ch copilot-api to the latest release where the cors function validates the Origin header against a whitelist of trusted domains.", "If an update is not immediately available, configure the application to reject requests whose Origin header is not in a manually curated list of trusted domains, replacing the wildcard \"*\" permission.", "Deploy network segmentation or reverse-proxy controls to restrict access to the token endpoint only to internal or known clients until a secure patch is applied."], "summary": {"action": "Apply Patch", "impact": "Exploitation of permissive CORS allows untrusted domains to access the token endpoint, potentially enabling unauthorized data access and credential leakage."}, "threat_synthesis": {"affected_systems": "Impact product is ericc-ch:copilot-api, version 0.7.0 and earlier. The vulnerability has been identified in the source file src/server.ts. No other product versions mentioned. Therefore any deployment of ericc-ch copilot-api up to 0.7.0 is affected.", "description_and_impact": "The vulnerability exists in the cors function of src/server.ts in the Token Endpoint of ericc-ch copilot-api up to 0.7.0. A crafted request can manipulate the CORS configuration, causing the server to allow any origin. This permits cross-origin requests from malicious domains, enabling attackers to retrieve or submit protected data via the token endpoint. The flaw is identified as CWE-346 and CWE-942, highlighting improper validation and insecure direct resource references. The result is potential confidentiality compromise and exploitation of authentication mechanisms.", "risk_and_exploitability": "The CVSS score of 6.9 indicates medium severity. The EPSS score is not available, so the exploitation probability cannot be quantified. The vulnerability is not listed in CISA KeV. The attack can be performed remotely by sending a request to the token endpoint with a crafted Origin header or by exploiting the permissive CORS configuration. As the exploit is public, an attacker can use this to bypass same-origin policy and access sensitive data."}}}}, "created": "2026-04-20T18:45:14.224257+00:00", "updated": "2026-04-22T11:47:30.911378+00:00", "vendors": ["ericc-ch", "ericc-ch$PRODUCT$copilot-api"]}