I can see your local web servers

Those untrusted programs are web pages! Here’s an example vulnerable app, using Express, a popular web framework:

To make things worse, many servers bind to , meaning the server is available from anywhere that can reach the machine. It is not sufficient security to hide behind a NAT (e.g. your WiFi router), because there are untrusted programs running on your network right now that have access to every machine – again, those untrusted programs are web pages!
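One way to harden a local server against requests issued by web pages, as an added example that is not code from the original post. It uses Node's built-in `http` module instead of Express so it runs without dependencies; the port, the allow-lists and the function names are assumptions.

```javascript
// Added example. PORT and both allow-lists are assumptions, not values from the page.
const PORT = 8080;
const ALLOWED_HOSTS = new Set([`localhost:${PORT}`, `127.0.0.1:${PORT}`]);
const ALLOWED_ORIGINS = new Set([...ALLOWED_HOSTS].map((h) => `http://${h}`));

// Returns null if the request may proceed, otherwise the reason it is refused.
function rejectReason(headers) {
  // A page that points its own DNS name at this machine still sends that
  // name in Host, so an exact allow-list defeats DNS rebinding.
  const host = String(headers.host || '').toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return 'unexpected Host';

  // Origin, when present, names the page that issued the request.
  const origin = headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) return 'cross-origin request';

  // Fetch metadata, when the browser sends it, also covers requests that carry
  // no Origin header (for example an <img> or <script> load from another site).
  // "same-site" is refused too: it ignores the port, so another local app matches.
  const site = headers['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin' && site !== 'none') return 'cross-site fetch';

  return null; // curl and other non-browser clients send neither header
}

function handler(req, res) {
  const reason = rejectReason(req.headers);
  if (reason) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    return res.end(`Forbidden: ${reason}\n`);
  }
  // No Access-Control-Allow-Origin header: other origins cannot read the body.
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('hello from the local server\n');
}

async function start() {
  const http = await import('node:http');
  // Explicit loopback address. Without the host argument Node listens on
  // every interface, which exposes the server to the rest of the network.
  return http.createServer(handler).listen(PORT, '127.0.0.1');
}

// Run with `node server.js --serve` to start it; otherwise nothing listens.
if (process.argv.includes('--serve')) start();
```

The header checks matter even with the loopback bind, because a page open in a browser on the same machine can still reach `127.0.0.1`.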

Source: http.jameshfisher.com