Is CVE-2026-57957 exploitable?

No community verdicts yet for CVE-2026-57957. Be the first to weigh in.

Is CVE-2026-57957 a false positive?

No community verdicts yet for CVE-2026-57957.

How do I remediate CVE-2026-57957?

See the authoritative references (NVD, vendor advisory) and community field notes on this page for remediation guidance.

CVE-2026-57957

is CVE-2026-57957real, exploitable, or a false positive? Here's the community verdict.

☆ Watch

signals

public sources

Exploited in wild

Not listed

CISA KEV

Base severity

4.7 Medium

CVSS

Exploitation prob.

n/a

FIRST EPSS

Weakness

CWE-942

CWE

Moderate signals. Triage by your actual exposure and reachability.

baseline read

auto · not a community verdict

Low signal — verdict needed

Few public signals point to active risk. Whether a scanner hit here is a true or false positive depends on your version and config — community verdicts decide.

Based on CVSS

Confirm or dispute →

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.

References

NVD MITRE CVE.org

Published Jun 29, 2026

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-57957/badge.svg)](https://www.truepositive.app/cve/CVE-2026-57957)

HTML

<a href="https://www.truepositive.app/cve/CVE-2026-57957"><img src="https://www.truepositive.app/cve/CVE-2026-57957/badge.svg" alt="TruePositive verdict for CVE-2026-57957"></a>

Live badge that updates automatically as the community verdict changes.

Community ground truth

Be the first practitioner to weigh in

So far this is only TruePositive's editorial baseline from public sources. Add your real-world verdict below — it becomes the signal the next person triaging this relies on.

🥇 The first 50 practitioners to contribute earn a Founding Contributor badge.

In your experience, is this finding real and exploitable?

0 verdicts

Not a real issue

No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.

Field notes & remediation

Verdicts are the quick signal. Notes are the evidence and fixes behind them.

No notes yet. Be the first to share what you saw, or a fix that worked.

Add a field note or remediationoptional

Same weakness: CWE-942.

CVE-2026-56076HIGH 8.1Real · low riskEPSS 1%
PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.

CVE-2026-57957

Community ground truth

Field notes & remediation

Related CVEs