{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30346", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-27T17:51:00.999Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T16:37:35.051Z"}, "descriptions": [{"lang": "en", "value": "An open redirect in the /api/google/authorize endpoint of hunvreus DevPush v0.3.2 allows attackers to redirect users to malicious sites via supplying a crafted URL."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/hunvreus/devpush"}, {"url": "https://github.com/hunvreus/devpush/releases/tag/0.3.2"}, {"url": "https://gist.github.com/syphonetic/d4e519904aaa55dbd0e3b87a317660d1"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-601", "lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T17:49:55.433129Z", "id": "CVE-2026-30346", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:51:00.999Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30346", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T17:49:55.433129Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:49:12.350Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/hunvreus/devpush"}, {"url": "https://github.com/hunvreus/devpush/releases/tag/0.3.2"}, {"url": "https://gist.github.com/syphonetic/d4e519904aaa55dbd0e3b87a317660d1"}], "descriptions": [{"lang": "en", "value": "An open redirect in the /api/google/authorize endpoint of hunvreus DevPush v0.3.2 allows attackers to redirect users to malicious sites via supplying a crafted URL."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T16:37:35.051Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30346", "state": "PUBLISHED", "dateUpdated": "2026-04-27T17:51:00.999Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-27T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An open redirect in the /api/google/authorize endpoint of hunvreus DevPush v0.3.2 allows attackers to redirect users to malicious sites via supplying a crafted URL."}], "id": "CVE-2026-30346", "lastModified": "2026-04-27T18:35:53.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-27T17:16:42.827", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/syphonetic/d4e519904aaa55dbd0e3b87a317660d1"}, {"source": "cve@mitre.org", "url": "https://github.com/hunvreus/devpush"}, {"source": "cve@mitre.org", "url": "https://github.com/hunvreus/devpush/releases/tag/0.3.2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.3.2"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "devpush", "vendor": "hunvreus"}], "analysis": {"en": {"generated_at": "2026-04-28T23:33:35.244402+00:00", "value": {"mitigation_remediation": ["Upgrade DevPush to a patched version that corrects the redirect validation. If no patch is available, wait for an official release that addresses the flaw.", "Restrict access to the \"/api/google/authorize\" endpoint so that only trusted administrators or services can invoke it, minimizing the opportunity for exploitation.", "Implement server\u2011side filtering of the redirect URL to allow only whitelisted domains, eliminating the possibility of unintended redirection."], "summary": {"action": "Update or Mitigate", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of hunvreus DevPush running version 0.3.2. The issue arises when the endpoint processes the redirect parameter without validating the target domain.", "description_and_impact": "The vulnerability is an open redirect in the \"/api/google/authorize\" endpoint of hunvreus DevPush v0.3.2. An attacker can craft a URL that causes the endpoint to redirect a user to an arbitrary domain, facilitating phishing, malware delivery or other attacks. This weakness is classified as CWE\u2011601 and exposes users to malicious redirection but does not directly leak data or execute code.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting that current exploitation activity may be limited. Because the redirection can be triggered by a visible URL, the likely attack vector is an attacker supplying a crafted link to users, needing user interaction to exploit. The risk to confidentiality or integrity is low; the primary impact is user redirection to malicious sites."}}}}, "created": "2026-04-28T05:15:22.931396+00:00", "updated": "2026-04-28T23:45:16.047827+00:00", "vendors": ["hunvreus", "hunvreus$PRODUCT$devpush"]}