PatchSiren cyber security CVE debrief
CVE-2026-37737 ashleysommer CVE debrief
CVE-2026-37737 is a MEDIUM severity vulnerability in sanic-cors version 2.2.0 and prior. The `try_match()` function in `sanic_cors/core.py` compares the request's `Origin` header against configured origin patterns with `re.match`, which anchors only at the start of the string and never at the end, so the comparison is effectively a prefix check. An attacker who registers a domain whose origin string begins with a trusted origin (for example a host that merely starts with the allowed hostname) passes the allowlist and is granted cross-origin access to resources that should only be reachable from the trusted origin, including authenticated ones.
- Vendor: ashleysommer
- Product: sanic-cors
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Anyone running a Sanic application with sanic-cors 2.2.0 or earlier whose CORS allowlist is evaluated through `try_match()`, in particular deployments that express allowed origins as patterns rather than exact strings and that expose authenticated or otherwise sensitive endpoints cross-origin. Those users should treat the allowlist as bypassable until they upgrade or tighten the patterns.
Technical summary
The vulnerability is an unanchored regular expression in the `try_match()` function in `sanic_cors/core.py`. `re.match` only requires the pattern to match at the beginning of the subject string; without an end anchor (`$`, `\Z`, or `re.fullmatch`) any `Origin` value that starts with a trusted origin string also matches. Because an attacker controls the hostname they register and therefore the `Origin` header their site sends, a domain such as one that begins with the trusted host name satisfies the check, and the server responds with CORS headers that let the attacker's page make cross-origin requests and read the responses.
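The following is an added example written for this debrief; it is not sanic-cors code and does not reproduce the project's actual `try_match()` body. It reconstructs the flaw class the advisory describes (an origin pattern checked with `re.match`) beside a hardened form using `re.fullmatch`, and runs both over a constructed set of `Origin` values that an attacker could legitimately control. The pattern string, the function names and the candidate origins are all assumptions made for illustration.

```python
import re

# Constructed allowlist entry: a trusted origin expressed as a regex pattern.
# Assumption for illustration; real configurations are application-specific.
TRUSTED_ORIGIN_PATTERN = r"https://app\.example\.com"


def try_match_vulnerable(request_origin: str, pattern: str) -> bool:
    """Flaw class described in CVE-2026-37737 (illustrative, not sanic-cors code).

    re.match anchors only at the start of the subject, so any Origin that
    merely BEGINS with the trusted pattern is accepted.
    """
    return re.match(pattern, request_origin, flags=re.IGNORECASE) is not None


def try_match_fixed(request_origin: str, pattern: str) -> bool:
    """Hardened form: re.fullmatch requires the entire Origin value to match.

    A trailing ".evil.net", "evil.net" or ":8443" no longer slips through.
    fullmatch is preferred over appending "$" because "$" still matches
    before a trailing newline, whereas fullmatch does not.
    """
    return re.fullmatch(pattern, request_origin, flags=re.IGNORECASE) is not None


def allowed_origins(matcher, candidates, pattern=TRUSTED_ORIGIN_PATTERN):
    """Return the subset of candidate Origin header values a matcher accepts."""
    return [origin for origin in candidates if matcher(origin, pattern)]


# Constructed Origin header values. Each of the first four begins with the
# trusted origin string; only the first is actually the trusted origin.
CANDIDATES = [
    "https://app.example.com",                      # legitimate origin
    "https://app.example.com.evil.net",             # attacker-registered subdomain of evil.net
    "https://app.example.comevil.net",              # no dot required; prefix still matches
    "https://app.example.com:8443",                 # different port is a different origin
    "https://evil.net/?https://app.example.com",    # does not start with the pattern
]


def bypass_origins(candidates=CANDIDATES, pattern=TRUSTED_ORIGIN_PATTERN):
    """Origins the vulnerable matcher accepts but the fixed matcher rejects."""
    vulnerable = set(allowed_origins(try_match_vulnerable, candidates, pattern))
    fixed = set(allowed_origins(try_match_fixed, candidates, pattern))
    return sorted(vulnerable - fixed)


if __name__ == "__main__":
    print("accepted by re.match:    ", allowed_origins(try_match_vulnerable, CANDIDATES))
    print("accepted by re.fullmatch:", allowed_origins(try_match_fixed, CANDIDATES))
    print("bypass origins:          ", bypass_origins())
```

Running the block shows three origins that the unanchored check accepts and the anchored check rejects. The same test set is useful as a quick regression check against any deployed matcher: feed it the real configured pattern and confirm that only the exact trusted origin survives.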
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade sanic-cors to a release newer than 2.2.0 that addresses CVE-2026-37737; the stored evidence does not name the first fixed version, so confirm it against the project's release notes before relying on it.
- Until the upgrade is in place, configure allowed origins as exact strings (scheme, host and port) rather than patterns, or anchor every pattern to the end of the `Origin` value (`$`, `\Z` or equivalent) so that a longer hostname sharing the trusted prefix cannot match.
- Review which endpoints are exposed cross-origin with credentials or session cookies, since those are the resources an attacker gains access to through a bypassed allowlist.
- Check access logs for `Origin` headers that start with a trusted origin but continue with additional characters; such values indicate probing or active exploitation.
Evidence notes
The vulnerability is recorded in the NVD database with a CVSS score of 6.5 (MEDIUM). The stored evidence does not include a fixed version number, a proof-of-concept, or any indication of exploitation in the wild.
Official resources
CVE-2026-37737 was published on 2026-06-05T15:16:51.720Z and modified on 2026-06-05T21:16:30.367Z.