CVE-2026-30924

qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.

CVSS

No CVSS.

References

Link	Resource
https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f
https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-19 21:17

Updated : 2026-03-20 13:39

NVD link : CVE-2026-30924

Mitre link : CVE-2026-30924

CVE.ORG link : CVE-2026-30924

JSON object : View

Products Affected

No product.

CWE

CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

{"id": "CVE-2026-30924", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-19T21:17:09.943", "references": [{"url": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f", "source": "security-advisories@github.com"}, {"url": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-942"}]}], "descriptions": [{"lang": "en", "value": "qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication."}, {"lang": "es", "value": "qui es una interfaz web para gestionar instancias de qBittorrent. Las versiones 1.14.1 e inferiores utilizan una pol\u00edtica CORS permisiva que refleja or\u00edgenes arbitrarios y tambi\u00e9n devuelve Access-Control-Allow-Credentials: true, permitiendo efectivamente que cualquier p\u00e1gina web externa realice solicitudes autenticadas en nombre de un usuario con sesi\u00f3n iniciada. Un atacante puede explotar esto enga\u00f1ando a una v\u00edctima para que cargue una p\u00e1gina web maliciosa, la cual interact\u00faa silenciosamente con la aplicaci\u00f3n utilizando la sesi\u00f3n de la v\u00edctima y potencialmente exfiltrando datos sensibles como claves API y credenciales de cuenta, o incluso logrando un compromiso total del sistema a trav\u00e9s del gestor de Programas Externos incorporado. La explotaci\u00f3n requiere que la v\u00edctima acceda a la aplicaci\u00f3n a trav\u00e9s de un nombre de host que no sea localhost y cargue una p\u00e1gina web controlada por el atacante, lo que convierte los ataques de ingenier\u00eda social altamente dirigidos en el escenario m\u00e1s probable en el mundo real. Este problema no fue solucionado en el momento de la publicaci\u00f3n."}], "lastModified": "2026-03-20T13:39:46.493", "sourceIdentifier": "security-advisories@github.com"}