CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53649

criticalCVSS 9.6covered by 1 sourcefirst seen 2026-07-08
Unauthenticated Cross-Origin Plugin Upload Leads to RCE (Joro ≤ v1.1.0) Severity: Critical CVSS v3.1: 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) Affected versions: Joro ≤ v1.1.0, proxy mode (default), Linux/macOS Reporter: cstover Date: 2026-05-27 Summary Joro's default proxy mode (in versions <= 1.1.0) exposes a local API on 127.0.0.1:9090 that performs no authentication and applies a wildcard CORS policy. Because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript on any page the operator visits can reach privileged endpoints - including uploading a native plugin and triggering a restart - directly through the operator's browser, with no preflight or credentials. Since plugins execute on load, this yields unauthenticated remote code execution as the operator's user from a single page visit. Root Cause Three weaknesses combined into the exploit chain. 1. No authentication in proxy mode. internal/api/server.go applied AuthMiddleware only when listenerMode was true. In the default proxy mode every API endpoint — including plugin upload and system restart — accepted requests without any token, cookie, or credential. 2. Permissive CORS with an insufficient protection assumption. corsMiddleware set Access-Control-Allow-Origin: * unconditionally on all responses. SECURITY.md documented this as an intentional tradeoff on the basis that proxy mode binds to 127.0.0.1, which the document states "limits exposure to the local machine." That assumption was incorrect. multipart/form-data is a CORS-safelisted Content-Type, so cross-origin JavaScript can POST files to the Joro API without triggering a preflight request — the browser allows it. Any web page the operator visited reached the localhost API through their browser without restriction. The localhost bind provided no protection against browser-mediated requests. 3. Plugin init() executed on plugin.Open() before symbol lookup. internal/plugins/loader.go called plugin.Open

⚡ Watch CVE-2026-53649

Get an email if CVE-2026-53649 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53649

CVE.org record

Embed the live status

CVE-2026-53649 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53649 status](https://www.csirts.com/badge/CVE-2026-53649)](https://www.csirts.com/cve/CVE-2026-53649)