CVE-2026-30924
CWE-942Published: March 19, 2026· Updated: Mar 20, 2026
Official Description
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.
Risk Analysis
This critical vulnerability in qui, a web interface for qBittorrent, stems from a permissive CORS policy that allows external webpages to make authenticated requests on behalf of a logged-in user. An attacker could exfiltrate sensitive data or achieve system compromise if a victim accesses the application via a non-localhost hostname and loads a malicious webpage. The CVSS score of 9.0 indicates a high severity.
No public exploit is currently known for this vulnerability. Exploitation requires user interaction (UI:P) by tricking a victim into loading a malicious webpage.
Upgrade qui to a version beyond 1.14.1. Users should be cautious about visiting untrusted websites while logged into qui, especially if accessing it via a non-localhost hostname.
Technical Analysis
CVE-2026-30924 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (P) is needed, which slightly reduces the risk of mass automated attacks.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (2)
Quick Facts
Related CVEs (CWE-942)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-30924 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts