CVE-2026-42281

UNKNOWN 0.0

MagicMirror²: Unauthenticated SSRF via /cors endpoint

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.

CWE CWE-918
Vendor magicmirrororg
Product magicmirror
Published May 14, 2026

Affected Versions

MagicMirrorOrg / MagicMirror
< 2.36.0

References

github.com: https://github.com/MagicMirrorOrg/MagicMirror/security/advisories/GHSA-ph6f-2cvq-79hq