CVE-2026-52842
Received Received - Intake

Same-Origin Policy Bypass in Lightpanda Headless Browser

Vulnerability report for CVE-2026-52842, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page origin, so a URL such as `http://attacker.com/@victim.com/` was fetched from attacker.com but treated as `http://victim.com`, allowing a complete Same-Origin Policy bypass. This issue is fixed in version 0.3.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
lightpanda browser to 0.3.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Lightpanda is a headless browser that had a flaw in its URL parser before version 0.3.1. The parser incorrectly searched for the '@' symbol across the entire URL instead of just the authority part. This caused URLs like http://attacker.com/@victim.com/ to be treated as originating from http://victim.com even though the page was fetched from attacker.com. This allowed a Same-Origin Policy bypass.

Impact Analysis

An attacker could exploit this to make a malicious page appear as if it comes from a trusted domain. This could allow the attacker to access sensitive data, perform actions on behalf of the user, or bypass security restrictions on the victim's site.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or sensitive data, violating GDPR and HIPAA requirements for data protection and confidentiality. Organizations using affected versions may face compliance breaches and legal consequences.

Detection Guidance

To detect this vulnerability, check if your Lightpanda browser version is below 0.3.1. Run: lightpanda --version. If the version is older, the system is vulnerable. Inspect network traffic for URLs with @ symbols in unexpected locations, such as http://attacker.com/@victim.com/, which may indicate exploitation attempts.

Mitigation Strategies

Upgrade Lightpanda browser to version 0.3.1 or later immediately. This fixes the URL parsing flaw. If upgrading is not possible, restrict access to untrusted URLs or disable Lightpanda until patched. Monitor for unusual cross-origin requests or Same-Origin Policy violations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52842. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart