Description
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
Published: 2026-05-14
Score: 9.2 Critical
EPSS: 1.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ph6f-2cvq-79hq MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
History

Thu, 21 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Magicmirror
Magicmirror magicmirror
CPEs cpe:2.3:a:magicmirror:magicmirror:*:*:*:*:*:node.js:*:*
Vendors & Products Magicmirror
Magicmirror magicmirror
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Magicmirrororg
Magicmirrororg magicmirror
Vendors & Products Magicmirrororg
Magicmirrororg magicmirror

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
Title MagicMirror²: Unauthenticated SSRF via /cors endpoint
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


Subscriptions

Magicmirror Magicmirror
Magicmirrororg Magicmirror
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:51:14.186Z

Reserved: 2026-04-26T12:13:55.550Z

Link: CVE-2026-42281

cve-icon Vulnrichment

Updated: 2026-05-14T18:10:12.010Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T16:16:21.200

Modified: 2026-06-17T10:47:37.633

Link: CVE-2026-42281

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T08:00:16Z

Weaknesses