Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page origin, so a URL such as http://attacker.com/@victim.com/ was fetched from attacker.com but treated as http://victim.com, allowing a complete Same-Origin Policy bypass. This issue is fixed in version 0.3.1.
{
"cwe_ids": [
"CWE-346"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52842.json",
"cna_assigner": "GitHub_M"
}