Unknown · Terriajs-Server · CVE-2026-27818
**Name of the Vulnerable Software and Affected Versions**
TerriaJS-Server versions prior to 4.0.3
**Description**
A validation flaw permits an attacker to proxy domains not explicitly listed in the `proxyableDomains` configuration. The validation only checks whether a hostname ends with an allowed domain, so a malicious domain that shares that suffix can be proxied through the server. For example, if `example.com` is in `proxyableDomains`, `maliciousexample.com` could also be proxied. This bypasses the proxy restrictions.
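The difference between a suffix-only comparison and a dot-boundary comparison, as an added example (not code from TerriaJS-Server or its fix). The function names, the sample URLs and the assumption that subdomains of a listed domain should remain allowed are all illustrative.

```javascript
// Added illustration; all names here are hypothetical, not the project's code.
// Constructed allowlist, mirroring the example in the description.
const proxyableDomains = ['example.com'];

// Weak check as the advisory describes it: plain string-suffix comparison.
function suffixOnlyAllowed(hostname, allowed) {
  const host = hostname.toLowerCase();
  return allowed.some((d) => host.endsWith(d.toLowerCase()));
}

// Stricter check: exact match, or a subdomain separated by a dot boundary.
// Assumption: subdomains of a listed domain are meant to be proxyable.
function boundaryAllowed(hostname, allowed) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  return allowed.some((d) => {
    const domain = d.toLowerCase().replace(/^\./, '');
    return host === domain || host.endsWith('.' + domain);
  });
}

// Parse with the WHATWG URL parser so the hostname being checked is the one
// that would actually be requested (userinfo, port and case are normalised).
function hostOf(target) {
  return new URL(target).hostname;
}

// Run both checks over a list of target URLs and return the verdicts.
function compare(targets, allowed) {
  return targets.map((target) => {
    const host = hostOf(target);
    return {
      target,
      host,
      suffixOnly: suffixOnlyAllowed(host, allowed),
      boundary: boundaryAllowed(host, allowed),
    };
  });
}

// Constructed sample targets for regression-testing an allowlist check.
const samples = [
  'https://example.com/data.json',
  'https://maps.example.com/wms',
  'https://maliciousexample.com/x',
  'https://user@EXAMPLE.com:8443/y',
];
console.table(compare(samples, proxyableDomains));
```

Only the third row differs between the two columns, which makes it a useful regression case when verifying a deployment's allowlist behaviour after upgrading.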
**Recommendations**
Upgrade to version 4.0.3 to resolve the issue.