PT-2026-26362 · Qui +1

Ppfeister · Published 2026-03-19 · Updated 2026-03-23

CVE-2026-30924
CVSS v4.0: 9.0 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: qui versions 1.14.1 and below

Description: qui, a web interface for managing qBittorrent instances, has a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true. This allows any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which can silently interact with the application using the victim's session. This could lead to the exfiltration of sensitive data such as API keys and account credentials, or even full system compromise through the built-in External Programs manager. Exploitation requires the victim to access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely scenario. The application connects to and authenticates with several outside websites and related services, potentially exposing credentials saved by the application. Successful exploitation may lead to a compromise of the host or container, depending on the installation type, in the user context of the application.

Recommendations: Update to a newer version of qui that addresses this issue.
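As an added illustration of the weakness class described above (constructed for this page, not qui's code and not taken from the advisory), the Go snippet below places a middleware that reflects the request Origin together with Allow-Credentials beside one that only echoes origins from an explicit allowlist; the origins and the request path are placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed example, not qui's code. reflectingCORS is the weak pattern: it
// echoes any Origin and adds Allow-Credentials, so any site can make
// authenticated cross-origin requests and read the responses.
func reflectingCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS is the hardened pattern: only an allowlisted Origin is echoed;
// others get no CORS headers, so the browser blocks the read. Vary: Origin keeps caches from mixing responses.
func allowlistCORS(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if o := r.Header.Get("Origin"); o != "" && allowed[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// corsHeaders sends a request carrying the given Origin through h and returns the Allow-Origin and Allow-Credentials values.
func corsHeaders(h http.Handler, origin string) (allowOrigin, allowCreds string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/resource", nil) // placeholder path
	req.Header.Set("Origin", origin)
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"), rec.Header().Get("Access-Control-Allow-Credentials")
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	allowed := map[string]bool{"https://qui.internal.example": true} // assumed deployment origin
	for _, h := range []http.Handler{reflectingCORS(api), allowlistCORS(allowed, api)} {
		fmt.Println(corsHeaders(h, "https://third-party.example")) // second handler prints two empty strings
	}
}
```

The reflecting handler answers the unknown origin with its own value and credentials enabled, while the allowlist handler returns neither header, which is the condition a fix for this class of issue should produce.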

Related Identifiers

CVE-2026-30924
GHSA-H8VW-PH9R-XPCH
GO-2026-4774

Affected Products

Qbittorrent
Qui