{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30924", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.884Z", "datePublished": "2026-03-19T20:45:43.039Z", "dateUpdated": "2026-03-20T19:46:41.711Z"}, "containers": {"cna": {"title": "qui CORS Misconfiguration: Arbitrary Origins Trusted", "problemTypes": [{"descriptions": [{"cweId": "CWE-942", "lang": "en", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch"}, {"name": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f", "tags": ["x_refsource_MISC"], "url": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f"}], "affected": [{"vendor": "autobrr", "product": "qui", "versions": [{"version": "<= 1.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:45:43.039Z"}, "descriptions": [{"lang": "en", "value": "qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication."}], "source": {"advisory": "GHSA-h8vw-ph9r-xpch", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T19:46:07.320056Z", "id": "CVE-2026-30924", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:46:41.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30924", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T19:46:07.320056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:46:29.038Z"}}], "cna": {"title": "qui CORS Misconfiguration: Arbitrary Origins Trusted", "source": {"advisory": "GHSA-h8vw-ph9r-xpch", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "autobrr", "product": "qui", "versions": [{"status": "affected", "version": "<= 1.14.1"}]}], "references": [{"url": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch", "name": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f", "name": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:45:43.039Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30924", "state": "PUBLISHED", "dateUpdated": "2026-03-20T19:46:41.711Z", "dateReserved": "2026-03-07T16:40:05.884Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T20:45:43.039Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getqui:qui:*:*:*:*:*:docker:*:*", "matchCriteriaId": "D24F98B6-7767-40D1-B443-B638E9852327", "versionEndExcluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication."}, {"lang": "es", "value": "qui es una interfaz web para gestionar instancias de qBittorrent. Las versiones 1.14.1 e inferiores utilizan una pol\u00edtica CORS permisiva que refleja or\u00edgenes arbitrarios y tambi\u00e9n devuelve Access-Control-Allow-Credentials: true, permitiendo efectivamente que cualquier p\u00e1gina web externa realice solicitudes autenticadas en nombre de un usuario con sesi\u00f3n iniciada. Un atacante puede explotar esto enga\u00f1ando a una v\u00edctima para que cargue una p\u00e1gina web maliciosa, la cual interact\u00faa silenciosamente con la aplicaci\u00f3n utilizando la sesi\u00f3n de la v\u00edctima y potencialmente exfiltrando datos sensibles como claves API y credenciales de cuenta, o incluso logrando un compromiso total del sistema a trav\u00e9s del gestor de Programas Externos incorporado. La explotaci\u00f3n requiere que la v\u00edctima acceda a la aplicaci\u00f3n a trav\u00e9s de un nombre de host que no sea localhost y cargue una p\u00e1gina web controlada por el atacante, lo que convierte los ataques de ingenier\u00eda social altamente dirigidos en el escenario m\u00e1s probable en el mundo real. Este problema no fue solucionado en el momento de la publicaci\u00f3n."}], "id": "CVE-2026-30924", "lastModified": "2026-04-14T17:48:44.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:09.943", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-942"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.14.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "qui", "source": "cna", "vendor": "autobrr"}, "product": "qui", "vendor": "autobrr"}], "analysis": {"en": {"generated_at": "2026-03-19T22:27:00.936849+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch or upgrade to the latest version once a fix is released to correct the permissive CORS policy.", "If a patch is not yet available, restrict access to the qui interface so it is only reachable from trusted hosts or over a VPN, and configure the server to reject wildcard origins, thereby blocking external cross\u2011origin requests.", "Disable the External Programs manager in qBittorrent or strictly limit its privileges to reduce the risk of arbitrary code execution.", "Monitor application logs for unexpected cross\u2011origin requests and session hijacking attempts to detect potential exploitation."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the autobrr qui web interface for managing qBittorrent instances. Versions 1.14.1 and earlier are vulnerable; newer releases are not documented as affected.", "description_and_impact": "The vulnerability is a CORS misconfiguration in the qui web interface, where versions 1.14.1 and below reflect arbitrary origins and return Access\u2011Control\u2011Allow\u2011Credentials: true. This allows any external webpage to send authenticated requests to the application using a victim\u2019s session. An attacker can trick a logged\u2011in user into loading a malicious site, which then silently interacts with the interface, potentially extracting sensitive data such as API keys, account credentials, or executing commands through the built\u2011in External Programs manager. The weakness is identified as CWE\u2011942 (Improper Restriction of Operations within a Privilege Range).", "risk_and_exploitability": "The CVSS score is 9.0, indicating a critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to be logged into the application via a non\u2011localhost hostname and to visit an attacker\u2011controlled webpage, making highly targeted social\u2011engineering attacks the most likely real\u2011world scenario. The potential impact includes theft of sensitive data and full system compromise through the External Programs manager."}}}}, "created": "2026-03-20T08:56:09.025767+00:00", "updated": "2026-03-20T11:06:18.912974+00:00", "vendors": ["autobrr", "autobrr$PRODUCT$qui"]}