VulnerableCode Vulnerability Details - VCID-894w-kccs-u7et

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-894w-kccs-u7et

Essentials
Severities (11)
References (10)
Severity details (8)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-894w-kccs-u7et
Aliases	CVE-2016-10549 GHSA-qmv4-jgp7-mf68
Summary	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests to vulnerable hosts through cross site scripting or a malicious HTML Document, effectively bypassing the Same Origin Policy. Note that this is only an issue when `allRoutes` is set to `true` and `origin` is set to `*` or left commented out in the sails CORS config file. The problem can be compounded when the cors `credentials` setting is not provided. At that point authenticated cross domain requests are possible.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-284	Improper Access Control

System	Score	Found at
generic_textual	HIGH	http://sailsjs.org/documentation/concepts/security/cors
generic_textual	HIGH	http://sailsjs.org/documentation/reference/configuration/sails-config-cors
epss	0.00254	https://api.first.org/data/v1/epss?cve=CVE-2016-10549
epss	0.00254	https://api.first.org/data/v1/epss?cve=CVE-2016-10549
epss	0.00254	https://api.first.org/data/v1/epss?cve=CVE-2016-10549
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-qmv4-jgp7-mf68
generic_textual	HIGH	https://github.com/balderdashy/sails
generic_textual	HIGH	https://github.com/balderdashy/sails/commit/0057123a0321be6758845abbeb4290bf418ce542
generic_textual	HIGH	https://github.com/balderdashy/sails/releases/tag/v0.12.7
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2016-10549
generic_textual	HIGH	https://www.npmjs.com/advisories/148

Reference id	Reference type	URL
		http://sailsjs.org/documentation/concepts/security/cors
		http://sailsjs.org/documentation/reference/configuration/sails-config-cors
		https://api.first.org/data/v1/epss?cve=CVE-2016-10549
		https://github.com/balderdashy/sails
		https://github.com/balderdashy/sails/commit/0057123a0321be6758845abbeb4290bf418ce542
		https://github.com/balderdashy/sails/releases/tag/v0.12.7
		https://nodesecurity.io/advisories/148
		https://www.npmjs.com/advisories/148
CVE-2016-10549		https://nvd.nist.gov/vuln/detail/CVE-2016-10549
GHSA-qmv4-jgp7-mf68		https://github.com/advisories/GHSA-qmv4-jgp7-mf68

No exploits are available.

Exploit Prediction Scoring System (EPSS)

Percentile	0.48941
EPSS Score	0.00254
Published At	June 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:38:54.575958+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sails/CVE-2016-10549.yml	38.6.0