Skip to main content

Globaleaks Whistleblowing Software CVE-2026-33284

| EUVDEUVD-2026-16614 LOW
Improper Input Validation (CWE-20)
2026-03-27 GitHub_M
1.2
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
1.2 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
5.0.89
EUVD ID Assigned
Mar 27, 2026 - 14:30 euvd
EUVD-2026-16614
Analysis Generated
Mar 27, 2026 - 14:30 vuln.today
CVE Published
Mar 27, 2026 - 13:58 nvd
LOW 1.2

DescriptionGitHub Advisory

GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.

AnalysisAI

GlobaLeaks whistleblowing platform versions prior to 5.0.89 contain insufficient input validation in the /api/support endpoint, permitting attackers to inject arbitrary URLs into support request emails sent to administrators. This can facilitate phishing attacks, credential harvesting, or social engineering by making malicious links appear to originate from legitimate support communications. Remote attackers without authentication can exploit this vulnerability to craft convincing fraudulent messages to site administrators.

Technical ContextAI

GlobaLeaks (cpe:2.3:a:globaleaks:globaleaks-whistleblowing-software:*:*:*:*:*:*:*:*) is a web-based whistleblowing platform that includes an /api/support endpoint for users to submit support requests. The vulnerability stems from CWE-20 (Improper Input Validation), where user-supplied data in support requests is not adequately sanitized or validated before being embedded into outbound emails. An attacker can inject malicious URLs or HTML content that renders in administrator email clients, bypassing normal email security controls. The root cause is the absence of URL whitelist validation, HTML entity encoding, or content-type restrictions on the support form payload.

RemediationAI

Upgrade GlobaLeaks to version 5.0.89 or later immediately to obtain the vendor-released patch. Organizations unable to upgrade immediately should implement network-level mitigations including: restricting access to the /api/support endpoint to trusted networks only, disabling or rate-limiting the support submission feature until patching is completed, and educating administrators not to click links in support request emails from unknown users. Monitor email logs for suspicious support notifications and consider deploying email filtering rules that flag or quarantine messages containing user-submitted content. Review the GitHub Security Advisory at https://github.com/globaleaks/globaleaks-whistleblowing-software/security/advisories/GHSA-84wr-q36q-wqhv for additional context and confirmation of patch availability.

Share

CVE-2026-33284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy