CVE-2026-30924 · CRITICAL 9.6 · EPSS p16.8%


Description

qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins in Access-Control-Allow-Origin while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user and read the responses. An attacker can exploit this by tricking a victim into loading a malicious webpage, which then silently interacts with the application using the victim's session, potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.

Scoring

CVSS 3.1: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.26% probability of exploitation · percentile 16.8% · 2026-06-18T12:00:27Z
Published: 2026-03-19
Last modified: 2026-04-23

Underlying weaknesses · 1

CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains

References

  1. https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f
  2. https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch


Type: Weakness
Target: Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-22895
CVE: CVE-2026-26236
CVE: CVE-2025-67325
CVE: CVE-2025-26347
CVE: CVE-2025-39596
CVE: CVE-2026-26237
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.