CVE Catalog

CVE-2026-57957

MediumCVSS 4.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A vulnerability in Papermark up to version 0.22.0 is caused by a CORS misconfiguration, allowing unauthenticated remote attackers to perform credentialed cross-origin requests. Attackers exploit the TUS-based viewer upload endpoint that reflects arbitrary request Origins with Access-Control-Allow-Credentials set to true.

Risk Assessment

The risk involves potential data theft and unauthorized file uploads into victim datarooms. An attacker can lure an authenticated user to a malicious page that silently issues credentialed cross-origin requests, compromising data confidentiality and integrity.

Recommendation

Immediately update Papermark to a version newer than 0.22.0 that includes a CORS configuration fix. As a temporary mitigation, configure the server to not reflect arbitrary Origins and disable Access-Control-Allow-Credentials for sensitive endpoints.

Original NVD description (English source)

Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS