Skip to main content

CVE-2026-33209

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 https://github.com/avo-hq/avo GHSA-762r-27w2-q22j
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 17:30 vuln.today
CVE Published
Mar 18, 2026 - 17:26 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Description

A reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface.

An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button.

Impact

This vulnerability may allow execution of arbitrary JavaScript in the context of the application.

Impact varies depending on deployment:

  • In unauthenticated setups: exploitable via crafted links sent to users
  • In authenticated setups: limited to authenticated users and requires interaction

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter of the Avo Ruby gem (pkg:rubygems/avo), allowing attackers to inject arbitrary JavaScript that executes when users click dynamically generated navigation buttons. The vulnerability affects both authenticated and unauthenticated deployments, with unauthenticated setups being directly exploitable via crafted links. The CWE-79 classification confirms this as a classic reflected XSS issue without a published CVSS score or EPSS metric currently available.

Technical ContextAI

The vulnerability resides in the Avo Ruby on Rails admin interface gem (CPE: pkg:rubygems/avo), specifically in the handling of the return_to query parameter used for post-action navigation. The affected code likely fails to properly sanitize or encode user-supplied input before reflecting it into dynamically generated HTML elements or JavaScript contexts within navigation buttons. This is a classic instance of CWE-79 (Improper Neutralization of Input During Web Page Generation), where untrusted input is rendered without adequate output encoding, allowing attacker-controlled payloads to be interpreted as executable code in the victim's browser. The flaw is in the presentation layer rather than the core authorization mechanism, making it a high-surface-area risk in administrative interfaces.

RemediationAI

Immediately consult the official Avo security advisory (https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j) to identify the patched version and upgrade the Avo gem to the latest secure release. In Gemfile, update the gem dependency and run bundle update avo, then redeploy the application. Until patching is feasible, implement input validation and output encoding at the application level by ensuring the return_to parameter is validated against a whitelist of allowed internal URLs (using Ruby's URL parsing library) before rendering it in navigation buttons. Additionally, enforce HTTP Content-Security-Policy headers with script-src restrictions to limit the impact of any injected scripts, and consider restricting admin panel access via IP allowlisting or VPN requirements to reduce the attack surface for unauthenticated exploitation scenarios.

Share

CVE-2026-33209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy