CRITICAL
MagicMirrorOrg
CVE published 2026-05-14
CVE-2026-42281
CVE-2026-42281 is a critical unauthenticated server-side request forgery (SSRF) vulnerability in MagicMirror²’s /cors endpoint. Before 2.36.0, a remote attacker could make the server issue arbitrary HTTP requests toward internal networks, localhost services, and cloud metadata endpoints. The endpoint also expands environment-variable placeholders (**VAR_NAME), which can expose server-side secrets. The iss [truncated]