CVE-2026-6493

EUVD-2026-23436 | Severity: MEDIUM
2026-04-17 | VulDB | GHSA-cv47-g53v-q848
CVSS 4.0 score: 5.1

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: P (Passive)
Scope: X (not defined)

Lifecycle Timeline (3 events)

Severity Changed: Apr 17, 2026 15:22 (NVD): LOW -> MEDIUM
CVSS Changed: Apr 17, 2026 15:22 (NVD): 3.5 (LOW) -> 5.1 (MEDIUM)
Analysis Generated: Apr 17, 2026 15:00 (vuln.today)

Description (NVD)

A flaw has been found in lukevella rallly up to version 4.7.4. It affects an unknown function in the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the Reset Password Handler component. Manipulating the redirectTo argument can lead to cross-site scripting. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 4.8.0 mitigates this issue; upgrading the affected component is advised. The vendor was contacted early about this disclosure.

Analysis (AI-generated)

Cross-site scripting (XSS) in lukevella Rallly up to version 4.7.4 allows authenticated users to inject malicious scripts via the redirectTo parameter of the reset-password form; the vector is classified as stored XSS and requires user interaction. Public exploit code is available. The vulnerability is mitigated by upgrading to version 4.8.0 or later. …


CVE-2026-6493 vulnerability details – vuln.today
