CVE-2026-6662 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-6662

CVE-2026-6662

Published:April 20, 2026

Updated:May 18, 2026

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

Related Resources (4)

https://vuldb.com/vuln/358300/cti

https://vuldb.com/submit/794601

https://github.com/August829/CVEP/issues/31

https://vuldb.com/vuln/358300

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

Exploit Maturity

POC

CVSS v3

Base Score:

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Exploit Maturity

PROOF-OF-CONCEPT

Weakness Type (CWE)

Origin Validation Error

CWE-346

Permissive Cross-domain Security Policy with Untrusted Domains

CWE-942

EPSS

Base Score:

0.02