CVE-2026-33209
MEDIUM
GHSA-762r-27w2-q22j
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Tags
Description
## Description A reflected cross-site scripting (XSS) vulnerability exists in the `return_to` query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. ## Impact This vulnerability may allow execution of arbitrary JavaScript in the context of the application. Impact varies depending on deployment: - In unauthenticated setups: exploitable via crafted links sent to users - In authenticated setups: limited to authenticated users and requires interaction
Analysis
A reflected cross-site scripting (XSS) vulnerability exists in the `return_to` query parameter of the Avo Ruby gem (pkg:rubygems/avo), allowing attackers to inject arbitrary JavaScript that executes when users click dynamically generated navigation buttons. The vulnerability affects both authenticated and unauthenticated deployments, with unauthenticated setups being directly exploitable via crafted links. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today