Impact
Papermark through version 0.22.0 suffers from a cross‑origin resource sharing misconfiguration on its TUS‑based viewer upload endpoint. The server echoes the Origin header supplied in a request and returns Access‑Control‑Allow‑Credentials set to true, allowing an unauthenticated attacker to cause a logged‑in user to make a credentialed cross‑origin request. The victim’s browser automatically includes the user’s authentication cookies, enabling the attacker to upload arbitrary files to the victim’s dataroom and read the credentialed response from the server. This flaw is a classic CORS misconfiguration (CWE‑942) and represents a pathway for credential‑authenticated data theft and manipulation.
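The origin-reflecting pattern described above, set beside an exact-match allow-list and a regression check that flags credentialed grants to unlisted origins. This is an added example, not Papermark's code; the function names, the allow-list and the probe origins are assumptions constructed for illustration.

```javascript
// Added example, not Papermark's code. Origins and function names are assumptions.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // constructed allow-list

// Pattern the advisory describes: any Origin is echoed back with credentials allowed.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected pattern: exact-match allow-list; unknown origins get no CORS grant.
function allowListCorsHeaders(requestOrigin) {
  const headers = { Vary: "Origin" }; // response differs per Origin, so caches must key on it
  if (typeof requestOrigin === "string" && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Regression check for a test suite: does a response grant credentialed access
// to an origin that is not on the allow-list?
function grantsCredentialsToUntrusted(probeOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const acao = h["access-control-allow-origin"];
  const creds = (h["access-control-allow-credentials"] || "") === "true";
  return creds && acao === probeOrigin && !ALLOWED_ORIGINS.has(probeOrigin);
}

// Constructed probe origins, including a look-alike that defeats prefix matching.
const PROBES = ["https://untrusted.example.test", "https://app.example.test.untrusted.test", "null"];

// Returns the probe origins to which the given policy grants credentialed access.
function auditPolicy(policy) {
  return PROBES.filter((o) => grantsCredentialsToUntrusted(o, policy(o)));
}

console.log("reflecting:", auditPolicy(reflectingCorsHeaders));
console.log("allow-list:", auditPolicy(allowListCorsHeaders));
```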
Affected Systems
The open-source Papermark platform is vulnerable in version 0.22.0 and in any earlier release. The issue is associated with the Papermark project on GitHub and is reflected in the Common Platform Enumeration (CPE) string provided. No other vendor or product variants are listed in the advisory.
Risk and Exploitability
The CVSS score of 2.3 indicates low overall severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an active, authenticated user and relies on social engineering to lure the victim to a malicious page that silently triggers credentialed requests. Once the victim is tricked, the attacker can achieve unauthorized file upload and read access to protected resources; no public exploit scripts are reported. The risk is moderated by the need for an engaged victim but remains significant for organizations that value data confidentiality and integrity.