PT-2026-46962 · Pypi · Sanic-Cors

Published 2026-06-05 · Updated 2026-06-05 · CVE-2026-37737

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: sanic-cors versions prior to 2.2.1

Description: An improper regular expression is used in the try_match() function within sanic_cors/core.py. The function utilizes re.match without end-anchoring, which allows an attacker to bypass Cross-Origin Resource Sharing (CORS) origin allowlists. By registering a domain that begins with a trusted origin string, an unauthorized actor can gain access to cross-origin requests for authenticated resources.

Recommendations: Update sanic-cors to version 2.2.1 or later.
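The matching behaviour described above, shown beside an end-anchored form, as an added example that is not sanic-cors's own code. The allowlist pattern, the request origins and the function names are constructed for illustration, and the use of re.fullmatch as the hardened form is an assumption, not a statement of how version 2.2.1 implements the fix.

```python
import re

# Constructed allowlist entry and request origins (not taken from the advisory).
ALLOWED = [r"https://app\.example\.com"]
ORIGINS = [
    "https://app.example.com",            # the trusted origin itself
    "https://app.example.com.evil.test",  # begins with the trusted string
    "https://app.example.community",      # also begins with the trusted string
    "https://other.example.com",          # unrelated origin
]


def match_unanchored(origin, pattern):
    """Behaviour the advisory describes: re.match anchors only at the start,
    so any origin that merely begins with the pattern is accepted."""
    return re.match(pattern, origin) is not None


def match_anchored(origin, pattern):
    """Hardened form (assumption): re.fullmatch requires the entire origin
    string to match the pattern, not just a prefix of it."""
    return re.fullmatch(pattern, origin) is not None


def accepted(origins, patterns, matcher):
    """Return the origins a CORS layer using `matcher` would allow."""
    return [o for o in origins if any(matcher(o, p) for p in patterns)]


if __name__ == "__main__":
    print("re.match     accepts:", accepted(ORIGINS, ALLOWED, match_unanchored))
    print("re.fullmatch accepts:", accepted(ORIGINS, ALLOWED, match_anchored))
```

Running the same comparison against a deployment's own allowlist patterns and a handful of look-alike origins is a quick regression check after upgrading.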

Exploit

Fix

Origin Validation Error

Weakness Enumeration

Related Identifiers: CVE-2026-37737

Affected Products: Sanic-Cors