Same-Origin Policy Bypass in Lightpanda Browser
CVE-2026-52842

9.3CRITICAL

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-52842?

A vulnerability in the Lightpanda Browser prior to version 0.3.1 allowed attackers to exploit the way the browser computes page origins. By improperly interpreting URLs, the browser treated potentially malicious URL segments as trusted origins, leading to a Complete Same-Origin Policy bypass. This flaw permitted an attacker at attacker.com to interact with resources intended for victim.com, posing significant security risks to users leveraging the browser for AI and automation tasks. The issue has been resolved in version 0.3.1, reinforcing the browser's safety for users.

Affected Version(s)

browser < 0.3.1

References

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.