CVE-2026-27192 · HIGH 8.1 · EPSS percentile 14.9%

CVE-2026-27192

Description

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin() function checks whether the Referer header starts with any allowed origin; this comparison is insufficient because it validates only the prefix. The issue is exploitable when the origins array is configured and an attacker registers a domain whose name begins with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has been fixed in version 5.0.40.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.24% probability of exploitation · percentile 14.9% · 2026-06-19T12:03:05Z
Published: 2026-02-21
Last modified: 2026-02-25

Underlying weaknesses · 1

CWE-346

References

  1. https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401
  2. https://github.com/feathersjs/feathers/releases/tag/v5.0.40
  3. https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x

Type: Weakness
Target: Origin Validation Error (CWE-346)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-29792
CVE-2026-2293
CVE-2025-51605
CVE-2026-6657
CVE-2026-32913
CVE-2026-29793
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.