Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch() and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials: omit, credentials: same-origin, credentials: include, and XMLHttpRequest.withCredentials, allowing an attacker-controlled origin in a Lightpanda session to issue authenticated cross-origin requests against a victim origin. This issue is fixed in version 0.2.9. | |
| Title | Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests regardless of credentials mode | |
| Weaknesses | CWE-346 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T17:37:26.880Z
Reserved: 2026-06-08T18:41:27.724Z
Link: CVE-2026-52843
Updated: 2026-07-15T17:37:21.915Z
No data.
No data.
OpenCVE Enrichment
No data.