An unauthenticated remote attacker can trick an admin to visit a website containing malicious java script code. The current overly permissive CORS policy allows the attacker to obtain any files from the file system.Referenceshttps://certvde.com/en/advisories/VDE-2025-018/
