← volver
CVE-2026-33284

GlobalLeaks has insufficient URL validation in user support API

CVSS 1.2 LOWEPSS 0.2%CWE-20
Vexday Risk Score
8Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 1.2EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
27 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U