{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6493", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-17T07:29:56.484Z", "datePublished": "2026-04-17T14:15:15.422Z", "dateUpdated": "2026-04-20T14:58:49.011Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-17T14:15:15.422Z"}, "title": "lukevella rallly Reset Password reset-password-form.tsx cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "lukevella", "product": "rallly", "versions": [{"version": "4.7.0", "status": "affected"}, {"version": "4.7.1", "status": "affected"}, {"version": "4.7.2", "status": "affected"}, {"version": "4.7.3", "status": "affected"}, {"version": "4.7.4", "status": "affected"}, {"version": "4.8.0", "status": "unaffected"}], "modules": ["Reset Password Handler"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 4.8.0 mitigates this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-17T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-17T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-17T09:35:30.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "trebledj (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358037", "name": "VDB-358037 | lukevella rallly Reset Password reset-password-form.tsx cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358037/cti", "name": "VDB-358037 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787347", "name": "Submit #787347 | lukevella rallly 4.7.5 DOM-Based XSS, Open Redirect", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c", "tags": ["exploit"]}, {"url": "https://github.com/lukevella/rallly/pull/2245", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/lukevella/rallly/releases/tag/v4.8.0", "tags": ["patch"]}, {"url": "https://github.com/lukevella/rallly/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T14:51:54.178799Z", "id": "CVE-2026-6493", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:58:49.011Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6493", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-17T14:51:54.178799Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T14:51:57.535Z"}}], "cna": {"title": "lukevella rallly Reset Password reset-password-form.tsx cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "trebledj (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "lukevella", "modules": ["Reset Password Handler"], "product": "rallly", "versions": [{"status": "affected", "version": "4.7.0"}, {"status": "affected", "version": "4.7.1"}, {"status": "affected", "version": "4.7.2"}, {"status": "affected", "version": "4.7.3"}, {"status": "affected", "version": "4.7.4"}, {"status": "unaffected", "version": "4.8.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-17T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-17T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-17T09:35:30.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358037", "name": "VDB-358037 | lukevella rallly Reset Password reset-password-form.tsx cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358037/cti", "name": "VDB-358037 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787347", "name": "Submit #787347 | lukevella rallly 4.7.5 DOM-Based XSS, Open Redirect", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c", "tags": ["exploit"]}, {"url": "https://github.com/lukevella/rallly/pull/2245", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/lukevella/rallly/releases/tag/v4.8.0", "tags": ["patch"]}, {"url": "https://github.com/lukevella/rallly/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 4.8.0 mitigates this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-17T14:15:15.422Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6493", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:58:49.011Z", "dateReserved": "2026-04-17T07:29:56.484Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-17T14:15:15.422Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 4.8.0 mitigates this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure."}], "id": "CVE-2026-6493", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-17T15:16:52.313", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c"}, {"source": "cna@vuldb.com", "url": "https://github.com/lukevella/rallly/"}, {"source": "cna@vuldb.com", "url": "https://github.com/lukevella/rallly/pull/2245"}, {"source": "cna@vuldb.com", "url": "https://github.com/lukevella/rallly/releases/tag/v4.8.0"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/787347"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358037"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358037/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.7.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.7.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.7.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.7.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.7.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "4.8.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "rallly", "source": "cna", "vendor": "lukevella"}, "product": "rallly", "vendor": "lukevella"}], "analysis": {"en": {"generated_at": "2026-04-18T20:04:45.832727+00:00", "value": {"mitigation_remediation": ["Update Rallly to version 4.8.0 or newer", "Validate and URL\u2011encode the redirectTo parameter on both client and server to prevent untrusted data from being reflected as script", "Implement a Content Security Policy that disallows inline script and restricts script sources to trusted origins, thereby mitigating any remaining XSS risk"], "summary": {"action": "Apply Patch", "impact": "Remote Cross\u2011Site Scripting via the reset password flow"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Rallly application by lukevella, specifically versions up to and including 4.7.4. The repository and progress timeline are available on GitHub, and a fix was released in version 4.8.0. Users running any earlier version should consult the changelog and upgrade to at least 4.8.0 to eliminate the flaw.", "description_and_impact": "An attacker can inject malicious scripts into the redirectTo parameter of the reset password handler in the Rallly application, allowing remote XSS. The flaw originates from unvalidated input that is reflected in client\u2011side code, representing a typical CWE\u201179 reflected XSS weakness, and also correlates with CWE\u201194 dynamic code injection due to the misuse of the redirect parameter. An attacker who successfully delivers a crafted reset link could execute arbitrary JavaScript in the victim\u2019s browser; based on the description, it is inferred that this might lead to disclosing session cookies, login credentials or performing actions on behalf of the user. This type of vulnerability is moderate in severity per the CVSS score of 5.1 and could be exploited by any remote actor who can entice users to click a malicious URL.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate impact; the EPSS score of <1% (approximately 0.00034) indicates a low but non-zero likelihood of exploitation, but the presence of publicly available exploit code and the ability to mount the attack remotely heightens the risk. The flaw is not yet listed in the CISA KEV catalog, yet the presence of an exploit suggests a realistic threat. An attacker can initiate the attack by sending a link that contains a malicious redirectTo value to a target user, who then executes the payload when the reset password page renders. No special privileges or local access are required, making this a straightforward vector for social engineering or phishing campaigns."}}}}, "created": "2026-04-17T20:35:17.371002+00:00", "updated": "2026-04-18T20:15:09.539406+00:00", "vendors": ["lukevella", "lukevella$PRODUCT$rallly"]}