Description

qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.

INFO

Published Date :

2026-03-19T20:45:43.039Z

Last Modified :

2026-03-20T19:46:41.711Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30924 vulnerability.

Vendors Products
Autobrr
  • Qui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30924.

URL Resource
https://github.com/autobrr/qui/commit/424f7a0de089dce881e8bbecd220163a78e0295f cve-icon cve-icon
https://github.com/autobrr/qui/security/advisories/GHSA-h8vw-ph9r-xpch cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability