Skip to main content

Allegra CVE-2026-11443

| EUVDEUVD-2026-36634 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-12 zdi GHSA-m8wq-7mhg-mgm7
4.6
CVSS 3.0 · Vendor: zdi
Share

Severity by source

Vendor (zdi) PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
4.6 MEDIUM

Network-accessible XSS requires low-privilege attacker authentication (PR:L) and active victim interaction (UI:R); impact is session-scoped with no availability consequence.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (zdi).

CVSS VectorVendor: zdi

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 23:51 vuln.today

DescriptionCVE.org

Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to execute arbitrary script on affected installations of Allegra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the downloadAttachment method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to execute script in the context of the current user. Was ZDI-CAN-28236.

AnalysisAI

Cross-site scripting in Allegra's downloadAttachment method enables authenticated remote attackers to inject and execute arbitrary JavaScript within a victim user's browser session. Exploitation requires an authenticated low-privilege attacker account and mandatory victim interaction - the target must visit a malicious page or open a crafted file - limiting the realistic attack surface. Reported by Zero Day Initiative (ZDI-CAN-28236 / ZDI-26-358), patched in Allegra 9.0.0. No public exploit code and no active exploitation (CISA KEV) identified at time of analysis.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: the downloadAttachment server-side method fails to sanitize or encode attacker-controlled data before reflecting or rendering it in the HTTP response consumed by a victim's browser. This allows injection of HTML/JavaScript payloads. The affected product is Allegra, a project management platform developed by Alltena, identified by CPE cpe:2.3:a:allegra:allegra:*:*:*:*:*:*:*:*, indicating all versions up to the patched 9.0.0 release are in scope. Stored or reflected XSS via file attachment handling is a common attack surface in collaboration tools where user-supplied filenames, MIME types, or inline content are rendered without adequate output encoding.

RemediationAI

Upgrade Allegra to version 9.0.0 or later, as documented in the Alltena release notes at https://alltena.com/en/resources/release-notes/release-notes-for-release-9-0-0/. This is the vendor-confirmed fix. If immediate upgrade is not feasible, restrict the downloadAttachment endpoint via network-layer controls (WAF rules targeting script injection patterns in attachment parameters) and enforce strict Content-Security-Policy headers to limit script execution origins - note that CSP is a defense-in-depth measure and not a substitute for patching, as bypasses exist. Additionally, limit low-privilege external account creation and implement user-awareness controls around opening unexpected attachments from other users within the platform. The ZDI advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-358/ may contain additional compensating guidance.

Share

CVE-2026-11443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy