CVE-2026-52843
9.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch() and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials: omit, credentials: same-origin, credentials: include, and XMLHttpRequest.withCredentials, allowing an attacker-controlled origin in a Lightpanda session to issue authenticated cross-origin requests against a victim origin. This issue is fixed in version 0.2.9.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| lightpanda-io | browser | < 0.2.9 | affected |
Weaknesses
- CWE-346: CWE-346: Origin Validation Error
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/lightpanda-io/browser/security/advisories/GHSA-36mm-v3c2-24cc
- https://github.com/lightpanda-io/browser/pull/2155
- https://github.com/lightpanda-io/browser/commit/2cdaac780bed65db98bbb6ed2ad5bc6011863c76
- https://github.com/lightpanda-io/browser/releases/tag/0.2.9
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.