4.3

CVE-2026-0397

EPSS 0%
Veröffentlicht 31.03.2026 11:53:13
Zuletzt bearbeitet 14.04.2026 16:27:53
Quelle security@open-xchange.com
CVE-Watchlists
Login
Unerledigt
Login

Information disclosure via CORS misconfiguration

When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 2 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Powerdns ≫ Dnsdist Version >= 1.9.0 < 1.9.12

Powerdns ≫ Dnsdist Version >= 2.0.0 < 2.0.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0%	0.002

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
security@open-xchange.com	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-942 Permissive Cross-domain Policy with Untrusted Domains

The product uses a cross-domain policy file that includes domains that should not be trusted.

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-0397

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-0397

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-0397

EUVD