Vulnerability  ·  2026-07-17

Lightpanda Headless Browser — Origin Confusion via Malformed URL Authority Parsing

VulnerabilityMedium impactGlobalCVE-2026-52842
A URL-parsing bug in Lightpanda's origin computation let attacker-crafted URLs impersonate a trusted origin for same-origin policy purposes.
Lightpanda is explicitly designed as a browsing tool for AI agents; an origin-confusion bug lets malicious pages trick an AI browser-use agent into treating attacker content as trusted, undermining any origin-based security control the agent relies on.
Lightpanda searched for '@' across the entire URL string rather than only the authority component when computing page origin, so a URL like http://attacker.com/@victim.com/ is fetched from attacker.com but treated as if it belonged to victim.com's origin, breaking same-origin security boundaries.
Lightpanda prior to 0.3.1
Upgrade to Lightpanda 0.3.1 or later.
NVD CVE-2026-52842
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →