CORS Misconfiguration in Papermark Plugin by AstoKr
CVE-2026-57957
2.3 LOW
What is CVE-2026-57957?
Papermark version 0.22.0 is affected by a critical CORS misconfiguration vulnerability. The flaw allows unauthenticated remote attackers to make credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint. The misconfiguration reflects arbitrary request Origin values with Access-Control-Allow-Credentials enabled, so attackers can lure authenticated users to malicious pages that issue these requests. This can lead to unauthorized file uploads in victim datarooms and access to sensitive credentialed responses.
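The reflective pattern described above, set beside an exact-match allowlist and a regression check that flags Origin reflection with credentials. This is an added example, not Papermark's code; the function names, the allowed origin and the probe origins are constructed assumptions, and the probe list goes slightly beyond the advisory by covering the "null" origin and a lookalike host.

```javascript
// Added example: handler names, origins and probes are constructed assumptions.
const TUS_CORS = {
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Methods": "POST, PATCH, HEAD, OPTIONS",
  "Access-Control-Allow-Headers":
    "Tus-Resumable, Upload-Length, Upload-Offset, Upload-Metadata, Content-Type",
};

// Pattern the advisory describes: echo any Origin and allow credentials,
// so every site can send cookie-bearing requests and read the responses.
function reflectiveCors(requestOrigin) {
  return { ...TUS_CORS, "Access-Control-Allow-Origin": requestOrigin };
}

// Hardened pattern: exact string match against a fixed allowlist. Unknown
// origins receive no CORS headers, so preflight fails and responses stay unreadable.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed

function allowlistCors(requestOrigin) {
  const base = { Vary: "Origin" }; // caches must not reuse a per-origin answer
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return base;
  return { ...base, ...TUS_CORS, "Access-Control-Allow-Origin": requestOrigin };
}

// Regression check: origins that must never be trusted, including "null" and
// a lookalike that defeats prefix or substring matching.
const UNTRUSTED_PROBES = [
  "https://untrusted.example.net",
  "null",
  "https://app.example.com.untrusted.example.net",
];

// Returns the probes a policy reflects together with credentials.
function auditCorsPolicy(policy) {
  return UNTRUSTED_PROBES.filter((probe) => {
    const h = policy(probe);
    return (
      h["Access-Control-Allow-Origin"] === probe &&
      h["Access-Control-Allow-Credentials"] === "true"
    );
  });
}

console.log("reflective:", auditCorsPolicy(reflectiveCors)); // all probes listed
console.log("allowlist:", auditCorsPolicy(allowlistCors)); // empty list
```

The same audit function can be pointed at a wrapper that returns the headers of a real OPTIONS response from a staging deployment.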
Affected Version(s)
papermark 0 <= 0.22.0
