Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.
AnalysisAI
GlobaLeaks whistleblowing platform versions prior to 5.0.89 contain insufficient input validation in the /api/support endpoint, permitting attackers to inject arbitrary URLs into support request emails sent to administrators. This can facilitate phishing attacks, credential harvesting, or social engineering by making malicious links appear to originate from legitimate support communications. Remote attackers without authentication can exploit this vulnerability to craft convincing fraudulent messages to site administrators.
Technical ContextAI
GlobaLeaks (cpe:2.3:a:globaleaks:globaleaks-whistleblowing-software:*:*:*:*:*:*:*:*) is a web-based whistleblowing platform that includes an /api/support endpoint for users to submit support requests. The vulnerability stems from CWE-20 (Improper Input Validation), where user-supplied data in support requests is not adequately sanitized or validated before being embedded into outbound emails. An attacker can inject malicious URLs or HTML content that renders in administrator email clients, bypassing normal email security controls. The root cause is the absence of URL whitelist validation, HTML entity encoding, or content-type restrictions on the support form payload.
RemediationAI
Upgrade GlobaLeaks to version 5.0.89 or later immediately to obtain the vendor-released patch. Organizations unable to upgrade immediately should implement network-level mitigations including: restricting access to the /api/support endpoint to trusted networks only, disabling or rate-limiting the support submission feature until patching is completed, and educating administrators not to click links in support request emails from unknown users. Monitor email logs for suspicious support notifications and consider deploying email filtering rules that flag or quarantine messages containing user-submitted content. Review the GitHub Security Advisory at https://github.com/globaleaks/globaleaks-whistleblowing-software/security/advisories/GHSA-84wr-q36q-wqhv for additional context and confirmation of patch availability.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16614