https://www.secdev.uk/blog/tags/cwe-346/ Recent content in CWE-346 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 14 Feb 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-02-14-cors-misconfiguration/ Sat, 14 Feb 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-02-14-cors-misconfiguration/ <p>CORS misconfiguration is one of those vulnerabilities that keeps coming up because most developers don&rsquo;t fully understand what CORS actually does. It&rsquo;s the browser mechanism that controls which websites can make requests to your API. When it&rsquo;s configured correctly, it prevents malicious sites from stealing data through a victim&rsquo;s browser. When it&rsquo;s misconfigured, and this happens constantly based on public bug bounty reports, it effectively disables the Same-Origin Policy, letting any website read authenticated responses from your API. What makes CORS misconfigurations particularly interesting to study is that they&rsquo;re invisible to users, silent in server logs, and trivial to exploit.</p>