Description
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services.
Recommendation
Update the magicmirror package to the latest compatible version. Followings are version details:
- Affected version(s): <= 2.35.0
- Patched version(s): 2.36.0
References
Related Issues
- Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4) - CVE-2026-41321
- paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - CVE-2026-41679
- paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - paperclipai - CVE-2026-41679
- @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection - CVE-2026-31975
You might also like:
- Tags:
- npm
- magicmirror
Anything's wrong? Let us know Last updated on May 14, 2026


