CVE-2026-6662

Summary

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

Affected Software

VendorProductVersion RangeStatus
ericc-chcopilot-api0.1affected
ericc-chcopilot-api0.2affected
ericc-chcopilot-api0.3affected
ericc-chcopilot-api0.4affected
ericc-chcopilot-api0.5affected
ericc-chcopilot-api0.6affected
ericc-chcopilot-api0.7.0affected

Weaknesses

  • CWE-942: Permissive Cross-domain Policy with Untrusted Domains
  • CWE-346: Origin Validation Error

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References