CVE-2026-57957
MediumCVSS 4.7Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
A vulnerability in Papermark up to version 0.22.0 is caused by a CORS misconfiguration, allowing unauthenticated remote attackers to perform credentialed cross-origin requests. Attackers exploit the TUS-based viewer upload endpoint that reflects arbitrary request Origins with Access-Control-Allow-Credentials set to true.
Risk Assessment
The risk involves potential data theft and unauthorized file uploads into victim datarooms. An attacker can lure an authenticated user to a malicious page that silently issues credentialed cross-origin requests, compromising data confidentiality and integrity.
Recommendation
Immediately update Papermark to a version newer than 0.22.0 that includes a CORS configuration fix. As a temporary mitigation, configure the server to not reflect arbitrary Origins and disable Access-Control-Allow-Credentials for sensitive endpoints.
Original NVD description (English source)
Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.

