Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack is network-delivered via application input (AV:N); AC:H reflects non-default prerequisite of user-controlled `from`; scope changes to Microsoft Graph API (S:C).
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation.
In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or
in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected.
This issue affects swoosh from 1.12.0 before 1.26.3.
AnalysisAI
{from}/sendMail path segment, rewriting both path and query string of the outbound request. No public exploit has been identified at time of analysis; a vendor-released patch is available in version 1.26.3.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires both of the following conditions simultaneously: (1) the application uses Swoosh's Microsoft Graph adapter (Swoosh.Adapters.MsGraph) specifically - no other adapter is vulnerable; and (2) the `from` address value passed to the adapter is derived from untrusted or user-influenced input, such as a contact form sender field, an email relay that accepts arbitrary from addresses, or a 'send as' feature that allows users to specify the sender. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.0 score is 2.1 (Very Low), reflecting AT:P (specific attack prerequisite required) and VI:L/SC:L/SI:L (limited integrity impacts across vulnerable and subsequent systems). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a contact form on a web application using Swoosh's MsGraph adapter, entering a crafted sender address such as victim@domain.com/../../me/messages?%24select=subject as the from value. Swoosh interpolates this directly into the Graph API URL without encoding, rewriting the request from the intended /users/victim@domain.com/sendMail path to a different Graph endpoint, and the authenticated POST is dispatched with the application's bearer token to the attacker-chosen resource. … |
| Remediation | Upgrade Swoosh to version 1.26.3 or later; the fix is delivered via commit e38235453e81d1727bfc8d91e69ec4cb211ccf61 (https://github.com/swoosh/swoosh/commit/e38235453e81d1727bfc8d91e69ec4cb211ccf61) and the vendor security advisory is at https://github.com/swoosh/swoosh/security/advisories/GHSA-754j-98wh-57rf. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41876