lukevella rallly Reset Password reset-password-form.tsx cross site scripting_CVE-2026-6493

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Description

A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 4.8.0 mitigates this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure.

Basic Information

ID CVE-2026-6493

Source VulDB

Published Apr 17, 2026 at 14:15

Affected Product

Vendor lukevella

Product rallly

Version 4.7.0

Affected Versions lukevella rallly 4.7.0
lukevella rallly 4.7.1
lukevella rallly 4.7.2
lukevella rallly 4.7.3
lukevella rallly 4.7.4

CWE Classification

CWE-79 CWE-94

References

{
    "lastseen": "",
    "description": "A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 4.8.0 mitigates this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure.",
    "published": "2026-04-17T14:15:15.422Z",
    "modified": "2026-04-17T14:15:15.422Z",
    "type": "cve",
    "title": "lukevella rallly Reset Password reset-password-form.tsx cross site scripting",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/358037\nhttps://vuldb.com/vuln/358037/cti\nhttps://vuldb.com/submit/787347\nhttps://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c\nhttps://github.com/lukevella/rallly/pull/2245\nhttps://github.com/lukevella/rallly/releases/tag/v4.8.0\nhttps://github.com/lukevella/rallly/",
    "id": "CVE-2026-6493",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "lukevella rallly 4.7.0\nlukevella rallly 4.7.1\nlukevella rallly 4.7.2\nlukevella rallly 4.7.3\nlukevella rallly 4.7.4",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rallly",
    "version": "4.7.0",
    "vendor": "lukevella",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}