CVE-2026-1997
CORS Misconfiguration in HP OfficeJet Pro Enables Data Exposure
Publication date: 2026-02-10
Last updated on: 2026-02-12
Assigner: HP Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions (upper bound exclusive, i.e. fixed in the listed version) |
|---|---|---|
| hp | m9l65a_firmware | to 001.2602a (exc) |
| hp | d9l20a_firmware | to 001.2602b (exc) |
| hp | k7s32a_firmware | to 001.2602b (exc) |
| hp | d9l21a_firmware | to 001.2602b (exc) |
| hp | k7s42a_firmware | to 001.2602b (exc) |
| hp | t0g65a_firmware | to 001.2602b (exc) |
| hp | k7s39a_firmware | to 001.2602b (exc) |
| hp | j6x83a_firmware | to 001.2602b (exc) |
| hp | k7s43a_firmware | to 001.2602b (exc) |
| hp | k7s40a_firmware | to 001.2602b (exc) |
| hp | k7s41a_firmware | to 001.2602b (exc) |
| hp | t0g56a_firmware | to 001.2602b (exc) |
| hp | d9l63a_firmware | to 001.2602b (exc) |
| hp | d9l64a_firmware | to 001.2602b (exc) |
| hp | j3p65a_firmware | to 001.2602b (exc) |
| hp | j3p66a_firmware | to 001.2602b (exc) |
| hp | j3p67a_firmware | to 001.2602b (exc) |
| hp | j3p68a_firmware | to 001.2602b (exc) |
| hp | t0g70a_firmware | to 001.2602b (exc) |
| hp | g5j38a_firmware | to 001.2602a (exc) |
| hp | t1p99a_firmware | to 001.2602a (exc) |
| hp | l3t99a_firmware | to 001.2602a (exc) |
| hp | y0s19a_firmware | to 001.2602a (exc) |
| hp | g5j56a_firmware | to 001.2602a (exc) |
| hp | y0s18a_firmware | to 001.2602a (exc) |
| hp | d9l18a_firmware | to 001.2602a (exc) |
| hp | m9l66a_firmware | to 001.2602a (exc) |
| hp | m9l67a_firmware | to 001.2602a (exc) |
| hp | t0g46a_firmware | to 001.2602a (exc) |
| hp | j6x76a_firmware | to 001.2602a (exc) |
| hp | j6x78a_firmware | to 001.2602a (exc) |
| hp | j6x80a_firmware | to 001.2602a (exc) |
| hp | k7s37a_firmware | to 001.2602a (exc) |
| hp | m9l70a_firmware | to 001.2602a (exc) |
| hp | j6x77a_firmware | to 001.2602a (exc) |
| hp | j6x81a_firmware | to 001.2602a (exc) |
| hp | j6x79a_firmware | to 001.2602a (exc) |
| hp | k7s38a_firmware | to 001.2602a (exc) |
| hp | t0g47a_firmware | to 001.2602a (exc) |
| hp | t0g48a_firmware | to 001.2602a (exc) |
| hp | t0g49a_firmware | to 001.2602a (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | Origin Validation Error: the product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects certain HP OfficeJet Pro printers, which may expose information if Cross-Origin Resource Sharing (CORS) is misconfigured on the device's Embedded Web Server (EWS).
CORS is the browser mechanism by which a server tells the browser which foreign web origins may read its responses; by default the browser's same-origin policy blocks such cross-origin reads. If the EWS is configured to allow untrusted origins, a script on a malicious web page opened in a browser that can reach the printer could read device resources, which is the CWE-346 origin-validation failure listed above.
By default, CORS is disabled on these Pro-class devices and can only be enabled by an administrator through the EWS. Keeping CORS disabled unless explicitly required ensures that only trusted solutions can interact with the device.
How can this vulnerability impact me?
If CORS is enabled and misconfigured on an affected HP OfficeJet Pro printer, unauthorized web origins could access sensitive device resources through the EWS.
This could expose information stored or processed by the printer, which an attacker might use to gain unauthorized access or to gather sensitive data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
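The Q&A above gives no detection commands. As an added example (not part of the advisory or of any HP tool), the following Python script sends a request carrying a foreign `Origin` header to a device's EWS and classifies the reply the way a browser would: no `Access-Control-Allow-Origin` header means cross-origin reads are blocked (HP's documented default), while a reflected origin, a reflected origin combined with `Access-Control-Allow-Credentials: true`, or a `*` wildcard means an untrusted page could read the response. The probe origin, the EWS path `/`, and the use of HTTPS with an unverified certificate are assumptions, since the advisory does not name endpoints; the sample responses at the bottom are constructed so the script runs offline.

```python
"""Added example, not HP's code: classify an EWS's CORS response headers."""
import http.client
import ssl

# Assumed probe origin; the device has no reason to trust it.
PROBE_ORIGIN = "https://evil.example"


def classify_cors(sent_origin, headers):
    """Classify a response to a request that carried Origin: sent_origin.

    headers: mapping of response header name -> value (case-insensitive).
    Returns one of:
      "disabled"        no Access-Control-Allow-Origin (browser blocks the read)
      "reflected"       ACAO echoes the untrusted origin
      "reflected+creds" ...and ACAC: true, so the browser would also attach
                        cookies or stored Basic-auth credentials for the EWS
      "wildcard"        ACAO: * (any origin may read unauthenticated responses)
      "allowlisted"     ACAO names some other, specific origin
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "disabled"
    acao = acao.strip()
    if acao == "*":
        return "wildcard"
    if acao == sent_origin:
        return "reflected+creds" if creds else "reflected"
    return "allowlisted"


def is_exposed(verdict):
    """True when a page on an untrusted origin could read the response."""
    return verdict in ("reflected", "reflected+creds", "wildcard")


def probe(host, path="/", origin=PROBE_ORIGIN, timeout=5):
    """Send one GET with a foreign Origin to a live device and classify it.

    Assumes the EWS serves HTTPS on 443 with a self-signed certificate, so
    certificate verification is disabled for this check only.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"Origin": origin})
        resp = conn.getresponse()
        return classify_cors(origin, dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample replies so the classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "default-off": {"Content-Type": "text/html"},
    "reflecting": {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                   "Access-Control-Allow-Credentials": "true"},
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "allowlist": {"Access-Control-Allow-Origin": "https://print-mgmt.corp.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        v = classify_cors(PROBE_ORIGIN, hdrs)
        print(f"{name:12s} -> {v:16s} exposed={is_exposed(v)}")
    # Against a real device: print(probe("printer.lan"))
```

Run `probe()` against each OfficeJet Pro on the network; any verdict for which `is_exposed()` is true means CORS has been enabled for an untrusted origin and the EWS setting should be reviewed. A `disabled` verdict matches HP's default. Note that a wildcard `*` never carries credentials in browsers, so it exposes only resources the EWS serves without authentication, whereas `reflected+creds` exposes whatever the victim's browser session can already reach.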
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update each affected model to the firmware version listed as the exclusive upper bound in the table above (001.2602a or 001.2602b, depending on the model), and ensure that Cross-Origin Resource Sharing (CORS) stays disabled on your HP OfficeJet Pro printers unless it is explicitly required.
Since CORS is disabled by default and can only be enabled by an administrator through the Embedded Web Server (EWS), check the EWS setting on each device and verify that no unauthorized change has enabled it.
Keeping CORS disabled ensures that only trusted solutions can interact with the device and prevents unauthorized web origins from reading device resources.