{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30924", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.884Z", "datePublished": "2026-03-19T20:45:43.039Z", "dateUpdated": "2026-03-19T20:45:43.039Z"}, "containers": {"cna": {"title": "qui CORS Misconfiguration: Arbitrary Origins Trusted", "problemTypes": [{"descriptions": [{"cweId": "CWE-942", "lang": "en", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch"}, {"name": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f", "tags": ["x_refsource_MISC"], "url": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f"}], "affected": [{"vendor": "autobrr", "product": "qui", "versions": [{"version": "<= 1.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:45:43.039Z"}, "descriptions": [{"lang": "en", "value": "qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication."}], "source": {"advisory": "GHSA-h8vw-ph9r-xpch", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication."}], "id": "CVE-2026-30924", "lastModified": "2026-03-19T21:17:09.943", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:09.943", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f"}, {"source": "security-advisories@github.com", "url": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-942"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.14.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "qui", "source": "cna", "vendor": "autobrr"}, "product": "qui", "vendor": "autobrr"}], "analysis": {"en": {"generated_at": "2026-03-19T22:27:00.936849+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch or upgrade to the latest version once a fix is released to correct the permissive CORS policy.", "If a patch is not yet available, restrict access to the qui interface so it is only reachable from trusted hosts or over a VPN, and configure the server to reject wildcard origins, thereby blocking external cross\u2011origin requests.", "Disable the External Programs manager in qBittorrent or strictly limit its privileges to reduce the risk of arbitrary code execution.", "Monitor application logs for unexpected cross\u2011origin requests and session hijacking attempts to detect potential exploitation."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the autobrr qui web interface for managing qBittorrent instances. Versions 1.14.1 and earlier are vulnerable; newer releases are not documented as affected.", "description_and_impact": "The vulnerability is a CORS misconfiguration in the qui web interface, where versions 1.14.1 and below reflect arbitrary origins and return Access\u2011Control\u2011Allow\u2011Credentials: true. This allows any external webpage to send authenticated requests to the application using a victim\u2019s session. An attacker can trick a logged\u2011in user into loading a malicious site, which then silently interacts with the interface, potentially extracting sensitive data such as API keys, account credentials, or executing commands through the built\u2011in External Programs manager. The weakness is identified as CWE\u2011942 (Improper Restriction of Operations within a Privilege Range).", "risk_and_exploitability": "The CVSS score is 9.0, indicating a critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to be logged into the application via a non\u2011localhost hostname and to visit an attacker\u2011controlled webpage, making highly targeted social\u2011engineering attacks the most likely real\u2011world scenario. The potential impact includes theft of sensitive data and full system compromise through the External Programs manager."}}}}, "created": "2026-03-20T08:56:09.025767+00:00", "updated": "2026-03-20T11:06:18.912974+00:00", "vendors": ["autobrr", "autobrr$PRODUCT$qui"]}