CVE-2026-33506

{"id": "CVE-2026-33506", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T19:17:05.680", "references": [{"url": "https://github.com/ory/polis/releases/tag/v26.2.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/ory/polis/security/advisories/GHSA-3wjr-6gw8-9j22", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-87"}, {"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue."}, {"lang": "es", "value": "Ory Polis, anteriormente conocido como BoxyHQ Jackson, act\u00faa como puente o proxy para un flujo de inicio de sesi\u00f3n SAML a OAuth 2.0 o OpenID Connect. Las versiones anteriores a la 26.2.0 contienen una vulnerabilidad de cross-site scripting (XSS) basada en DOM en la funcionalidad de inicio de sesi\u00f3n de Ory Polis. La aplicaci\u00f3n conf\u00eda indebidamente en un par\u00e1metro de URL ('callbackUrl'), el cual se pasa a `router.push`. Un atacante puede crear un enlace malicioso que, al ser abierto por un usuario autenticado (o un usuario no autenticado que luego inicia sesi\u00f3n), realiza una redirecci\u00f3n del lado del cliente y ejecuta JavaScript arbitrario en el contexto de su navegador. Esto podr\u00eda conducir a robo de credenciales, pivoteo de red interno y acciones no autorizadas realizadas en nombre de la v\u00edctima. La versi\u00f3n 26.2.0 contiene un parche para el problema."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}