CVE-2026-57957
Papermark 0.22.0 - CORS Misconfiguration in Viewer Upload Endpoint
Description
Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration: the TUS-based viewer upload endpoint reflects arbitrary request Origins in Access-Control-Allow-Origin while also setting Access-Control-Allow-Credentials to true. An unauthenticated remote attacker who lures an authenticated victim to a malicious page can have that page silently issue credentialed cross-origin requests to the endpoint, upload arbitrary files into the victim's datarooms, and read the credentialed responses.
INFO
Published Date: June 29, 2026, 5:23 p.m.
Last Modified: June 29, 2026, 5:23 p.m.
Remotely Exploitable: Yes
Source: VulnCheck
Affected Products
The following products are affected by the CVE-2026-57957 vulnerability. Even where cvefeed.io is aware of the exact affected versions, that information is not represented in the table below (the description above states Papermark through 0.22.0).
No affected product recorded yet.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | MEDIUM | | | | 83251b91-4cc7-4094-a5c7-464a1b83ea10 |
| | CVSS 3.1 | MEDIUM | | | | MITRE-CVE |
| | CVSS 4.0 | LOW | | | | 83251b91-4cc7-4094-a5c7-464a1b83ea10 |
Solution
- Restrict allowed origins in the CORS configuration to an exact-match allowlist; never echo the request's Origin header back unchecked.
- Do not send Access-Control-Allow-Credentials: true to origins outside that allowlist (browsers already reject "*" combined with credentials, so reflection is the only way the credentialed variant works).
- Validate requests to the TUS upload endpoint: check the Origin on preflight and actual requests, and require the viewer session to match the target dataroom.
- Update Papermark to a fixed version.
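The contrast between the reflecting behaviour the advisory describes and the allowlisted fix, as an added TypeScript example that is not Papermark's own code. The header helpers, the origins and the TUS header list are assumptions made for illustration; the last function is the check a tester would run against a captured response to confirm the vulnerable pattern.

```typescript
// Added example (not Papermark's code): Origin reflection with credentials versus
// an exact-match allowlist, plus a check for the vulnerable response pattern.

type CorsHeaders = Record<string, string>;

// Request headers a TUS client sends; assumed list, shared by both variants.
const TUS_REQUEST_HEADERS =
  "Tus-Resumable, Upload-Length, Upload-Offset, Upload-Metadata, Content-Type";

// Vulnerable pattern the advisory describes: whatever Origin the browser sends is
// echoed back together with Access-Control-Allow-Credentials: true. Any page can
// then make the browser attach the victim's session cookie and read the response.
function corsHeadersReflecting(requestOrigin: string | undefined): CorsHeaders {
  return {
    "Access-Control-Allow-Origin": requestOrigin ?? "*",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "POST, PATCH, HEAD, OPTIONS",
    "Access-Control-Allow-Headers": TUS_REQUEST_HEADERS,
  };
}

// Normalise an Origin header value to scheme://host[:port]. Anything that is not a
// bare http(s) origin (a path, embedded credentials, the literal "null") is rejected.
function normalizeOrigin(value: string): string | null {
  let url: URL;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  if (url.username !== "" || url.password !== "") return null;
  return url.origin;
}

// Hardened form: exact-match allowlist. Credentials are only allowed for origins on
// the list, and Vary: Origin stops a shared cache from replaying one origin's headers
// to another. Suffix matching (endsWith("example.com")) is deliberately avoided
// because "https://app.example.com.evil.test" would pass it.
function corsHeadersAllowlisted(
  requestOrigin: string | undefined,
  allowedOrigins: ReadonlySet<string>,
): CorsHeaders {
  const headers: CorsHeaders = { Vary: "Origin" };
  if (requestOrigin === undefined) return headers; // same-origin or non-browser client
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !allowedOrigins.has(origin)) return headers; // no ACAO: browser blocks the read
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Allow-Methods"] = "POST, PATCH, HEAD, OPTIONS";
  headers["Access-Control-Allow-Headers"] = TUS_REQUEST_HEADERS;
  return headers;
}

// Tester's check against a captured response: can the given attacker origin read
// this response with the victim's cookies attached? Browsers reject "*" when
// credentials are included, so only an exact echo of the attacker origin counts.
function allowsCredentialedCrossOrigin(headers: CorsHeaders, attackerOrigin: string): boolean {
  return (
    headers["Access-Control-Allow-Origin"] === attackerOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}

// Demo with constructed values; the origins are assumptions, not Papermark's.
function demo(): { vulnerable: boolean; fixed: boolean } {
  const attacker = "https://attacker.example";
  const allowed = new Set(["https://app.example.com"]);
  return {
    vulnerable: allowsCredentialedCrossOrigin(corsHeadersReflecting(attacker), attacker),
    fixed: allowsCredentialedCrossOrigin(corsHeadersAllowlisted(attacker, allowed), allowed.has(attacker) ? attacker : attacker),
  };
}

console.log(demo()); // { vulnerable: true, fixed: false }
```

The allowlist is keyed on the normalised origin rather than the raw header so that case differences, an explicit default port, or a trailing slash do not cause a legitimate origin to be denied, while a forged value such as "https://app.example.com.evil.test" still fails the exact match.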