Vulnerabilities > CVE-2024-8026 - Unspecified vulnerability in Qanything

CVSS 8.1 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

qanything

NVD

Published: 2025-03-20

Updated: 2025-03-26

Summary

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating, uploading, listing, deleting files, and managing knowledge bases.

Vulnerable Configurations

Part	Description	Count
Application	Qanything Qanything Qanything *	1

References

https://huntr.com/bounties/e57f1e32-0fe5-4997-926c-587461aa6274
https://huntr.com/bounties/e57f1e32-0fe5-4997-926c-587461aa6274