Vulnerability Description
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment variable placeholders (**VAR_NAME**), enabling exfiltration of server-side secrets. This vulnerability is fixed in 2.36.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Magicmirror | Magicmirror | < 2.36.0 |
Related Weaknesses (CWE)
References
- https://github.com/MagicMirrorOrg/MagicMirror/security/advisories/GHSA-ph6f-2cvqExploitVendor Advisory
- https://github.com/MagicMirrorOrg/MagicMirror/security/advisories/GHSA-ph6f-2cvqExploitVendor Advisory
FAQ
What is CVE-2026-42281?
CVE-2026-42281 is a vulnerability with a CVSS score of 8.6 (HIGH). MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to f...
How severe is CVE-2026-42281?
CVE-2026-42281 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-42281?
Check the references section above for vendor advisories and patch information. Affected products include: Magicmirror Magicmirror.