CVE-2026-52842

Summary

Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page origin, so a URL such as http://attacker.com/@victim.com/ was fetched from attacker.com but treated as http://victim.com, allowing a complete Same-Origin Policy bypass. This issue is fixed in version 0.3.1.

Affected Software

VendorProductVersion RangeStatus
lightpanda-iobrowser< 0.3.1affected

Weaknesses

  • CWE-346: CWE-346: Origin Validation Error

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References