Description
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services.
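The destination check that a URL-fetching endpoint such as /cors needs, sketched as an added example; it is not MagicMirror² code and not the 2.36.0 patch. The function names and sample addresses are constructed for illustration, and the caller is assumed to resolve the hostname and pass in every resulting address.

```javascript
// Added example; all names are hypothetical, not MagicMirror² code.
const BLOCKED_V4 = [      // [network, prefix length]
  ["0.0.0.0", 8],         // "this" network
  ["10.0.0.0", 8],        // RFC 1918 private
  ["100.64.0.0", 10],     // carrier-grade NAT
  ["127.0.0.0", 8],       // loopback (localhost services)
  ["169.254.0.0", 16],    // link-local, includes cloud metadata 169.254.169.254
  ["172.16.0.0", 12],     // RFC 1918 private
  ["192.168.0.0", 16],    // RFC 1918 private
];

// Dotted-quad string to integer, or null if it is not a strict IPv4 literal.
function v4ToInt(ip) {
  const parts = ip.split(".");
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

// True when an already-resolved address must not be fetched by the server.
function isBlockedAddress(addr) {
  const a = addr.toLowerCase();
  const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
  const n = v4ToInt(mapped ? mapped[1] : a);
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
    });
  }
  if (!a.includes(":")) return true; // not an IP literal: fail closed
  return a === "::1" || a === "::" ||
    /^f[cd][0-9a-f]{2}:/.test(a) ||  // fc00::/7 unique local
    /^fe[89ab][0-9a-f]:/.test(a) ||  // fe80::/10 link-local
    a.startsWith("::ffff:");         // hex-form mapped address: fail closed
}

// resolvedAddresses: every A/AAAA answer for the URL's host (caller resolves).
function checkProxyTarget(rawUrl, resolvedAddresses) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme not allowed" };
  }
  if (resolvedAddresses.length === 0) return { ok: false, reason: "no address" };
  const bad = resolvedAddresses.find(isBlockedAddress);
  return bad ? { ok: false, reason: `blocked address ${bad}` } : { ok: true, reason: "public address" };
}
```

The outbound request must then connect to the address that was checked, and each redirect hop needs the same check; otherwise a second DNS answer or a 3xx response sidesteps it.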
Recommendation
Update the magicmirror package to the latest compatible version. The version details are as follows:
- Affected version(s): <= 2.35.0
- Patched version(s): 2.36.0
References
Related Issues
- paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - paperclipai - CVE-2026-41679
- paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - CVE-2026-41679
- Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint - CVE-2023-46729
- Parse Server vulnerable to user enumeration via email verification endpoint - CVE-2026-31901
Tags: npm, magicmirror
Last updated on May 14, 2026


