CVE-2026-42281
Published 2026-05-14
Priority P267 · high · 8.6 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 1.62% (73.1th percentile)
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magicmirror | magicmirror | < 2.36.0 | 2.36.0 |
| magicmirrororg | magicmirror | < 2.36.0 | 2.36.0 |
Detection & IOCs (extracted from sources)
url: /cors?url=http://127.0.0.1:8080/version
sigma:
detection:
  keywords:
    - '/cors?url='
  condition: keywords
- Detect unauthenticated GET requests to the /cors endpoint with a 'url' query parameter — this is the direct attack vector for SSRF exploitation.
- Monitor for requests to /cors?url= targeting internal/loopback addresses (127.0.0.1, 169.254.169.254, 10.x, 172.16.x, 192.168.x), which indicate SSRF abuse against internal networks or cloud metadata services.
- Watch for out-of-band DNS interactions triggered via /cors?url= with an external collaborator/interactsh URL, indicating blind SSRF probing.
- The /cors endpoint expands environment variable placeholders in the format **VAR_NAME**, so monitor response bodies for patterns matching environment variable values (secrets, tokens) being returned to external requesters.
- Use Shodan to identify exposed MagicMirror instances via the title fingerprint, then probe for the vulnerable /cors endpoint.
- The vulnerability is unauthenticated — no credentials or session tokens are required to exploit the /cors endpoint, meaning any network-accessible MagicMirror instance is at risk.
- The Nuclei template uses a two-step flow: first confirm the target is a MagicMirror instance (body contains 'MagicMirror'), then probe the /cors endpoint. Detection logic stops at the first match between the localhost probe and the OOB DNS probe.
- Affected versions are all releases prior to 2.36.0 (i.e., <= 2.35.0). The fix is exclusively in version 2.36.0 and later.
CVSS provenance
- nvd · v3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- nvd · v4.0 · 9.2 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
MagicMirrorOrg MagicMirror up to 2.35.x Endpoint /cors server-side request forgery (GHSA-ph6f-2cvq-79hq)
vuldb · 2026-05-14 · CVSS 9.2 · CVE-2026-42281 [CRITICAL]
A vulnerability categorized as critical has been discovered in MagicMirrorOrg MagicMirror up to 2.35.x. Affected by this vulnerability is an unknown functionality of the file /cors of the component Endpoint. The manipulation results in server-side request forgery.
This vulnerability is cataloged as CVE-2026-42281. The attack may be launched remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
ghsa · 2026-05-05 · CVE-2026-42281 [CRITICAL] · CWE-918
### Summary
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the `/cors` endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (`**VAR_NAME**`), enabling exfiltration of server-side secrets.
### Details
The `/cors` endpoint in `js/server_functions.js` (function `cors()`, lines 37-78) acts as an open HTTP proxy with no authentication and no URL validation. Any user-supplied URL is fetched server-side via `fetch()` and the full response is returned to the caller.
Additionally, the `replaceSecretPlaceholder()` function (lin
No detection rules found.
Nuclei
MagicMirror <= 2.35.0 - Server-Side Request Forgery
nuclei · CVSS 9.2 · CVE-2026-42281 [CRITICAL]
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (VAR_NAME), enabling exfiltration of server-side secrets.
Template:
id: CVE-2026-42281
info:
  name: MagicMirror <= 2.35.0 - Server-Side Request Forgery
  author: aleff-github
  severity: critical
  description: |
    An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata
Bugzilla
CVE-2026-42281 magicmirror: MagicMirror²: Server-Side Request Forgery leading to information disclosure [epel-all]
bugzilla · 2026-05-15 · CVSS 9.2 · [CRITICAL]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42281 magicmirror-module-singlestock: MagicMirror²: Server-Side Request Forgery leading to information disclosure [fedora-all]
bugzilla · 2026-05-15 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-42281 magicmirror: MagicMirror²: Server-Side Request Forgery leading to information disclosure [fedora-all]
bugzilla · 2026-05-15 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-42281 magicmirror-module-airnow: MagicMirror²: Server-Side Request Forgery leading to information disclosure [fedora-all]
bugzilla · 2026-05-15 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-42281 magicmirror-module-onthisday: MagicMirror²: Server-Side Request Forgery leading to information disclosure [fedora-all]
bugzilla · 2026-05-15 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-42281 magicmirror: MagicMirror²: Server-Side Request Forgery leading to information disclosure
bugzilla · 2026-05-14 · CVSS 9.2 · [CRITICAL]
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
Published 2026-05-14