Is CVE-2026-46608 exploitable?

No community verdicts yet for CVE-2026-46608. Be the first to weigh in.

Is CVE-2026-46608 a false positive?

No community verdicts yet for CVE-2026-46608.

How do I remediate CVE-2026-46608?

See the authoritative references (NVD, vendor advisory) and community field notes on this page for remediation guidance.

CVE-2026-46608

is CVE-2026-46608real, exploitable, or a false positive? Here's the community verdict.

☆ Watch

signals

public sources

Exploited in wild

Not listed

CISA KEV

Base severity

7.4 High

CVSS

Exploitation prob.

0.4%

FIRST EPSS

Weakness

CWE-183

CWE

High CVSS base score, but low real-world exploitation probability (EPSS). Likely less urgent than the score implies.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge. This vulnerability is fixed in 4.5.5.

References

NVD MITRE CVE.org

Published Jun 25, 2026

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-46608/badge.svg)](https://www.truepositive.app/cve/CVE-2026-46608)

HTML

<a href="https://www.truepositive.app/cve/CVE-2026-46608"><img src="https://www.truepositive.app/cve/CVE-2026-46608/badge.svg" alt="TruePositive verdict for CVE-2026-46608"></a>

Live badge that updates automatically as the community verdict changes.

Community ground truth

Be the first practitioner to weigh in

So far this is only TruePositive's editorial baseline from public sources. Add your real-world verdict below — it becomes the signal the next person triaging this relies on.

🥇 The first 50 practitioners to contribute earn a Founding Contributor badge.

In your experience, is this finding real and exploitable?

0 verdicts

Not a real issue

No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.

Field notes & remediation

Verdicts are the quick signal. Notes are the evidence and fixes behind them.

No notes yet. Be the first to share what you saw, or a fix that worked.

Add a field note or remediationoptional

Same weakness: CWE-183.

CVE-2026-50189HIGH 7.2EPSS 0%
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddler.addProgramToGroup. This vulnerability is fixed in 2.1.

CVE-2026-46608

Community ground truth

Field notes & remediation

Related CVEs