{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33209", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.312Z", "datePublished": "2026-03-20T22:39:19.422Z", "dateUpdated": "2026-03-24T18:07:25.007Z"}, "containers": {"cna": {"title": "Avo has a XSS vulnerability on `return_to` param", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j"}, {"name": "https://github.com/avo-hq/avo/pull/4330", "tags": ["x_refsource_MISC"], "url": "https://github.com/avo-hq/avo/pull/4330"}, {"name": "https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d", "tags": ["x_refsource_MISC"], "url": "https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d"}, {"name": "https://github.com/avo-hq/avo/releases/tag/v3.30.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/avo-hq/avo/releases/tag/v3.30.3"}], "affected": [{"vendor": "avo-hq", "product": "avo", "versions": [{"version": "< 3.30.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:39:19.422Z"}, "descriptions": [{"lang": "en", "value": "Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3."}], "source": {"advisory": "GHSA-762r-27w2-q22j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:06:50.463947Z", "id": "CVE-2026-33209", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:07:25.007Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33209", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:06:50.463947Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:07:14.601Z"}}], "cna": {"title": "Avo has a XSS vulnerability on `return_to` param", "source": {"advisory": "GHSA-762r-27w2-q22j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "avo-hq", "product": "avo", "versions": [{"status": "affected", "version": "< 3.30.3"}]}], "references": [{"url": "https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j", "name": "https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/avo-hq/avo/pull/4330", "name": "https://github.com/avo-hq/avo/pull/4330", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d", "name": "https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/avo-hq/avo/releases/tag/v3.30.3", "name": "https://github.com/avo-hq/avo/releases/tag/v3.30.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:39:19.422Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33209", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:07:25.007Z", "dateReserved": "2026-03-17T23:23:58.312Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T22:39:19.422Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avohq:avo:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "4A86C431-F184-4E7E-B28F-2248E58FDB0B", "versionEndExcluding": "3.30.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3."}], "id": "CVE-2026-33209", "lastModified": "2026-03-23T18:55:37.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T23:16:45.843", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/avo-hq/avo/pull/4330"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/avo-hq/avo/releases/tag/v3.30.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.30.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "avo", "source": "cna", "vendor": "avo-hq"}, "product": "avo", "vendor": "avo_hq"}], "analysis": {"en": {"generated_at": "2026-03-23T21:07:34.789851+00:00", "value": {"mitigation_remediation": ["Apply version\u202f3.30.3 or later of Avo to eliminate the reflected XSS vulnerability.", "If an upgrade is not immediately possible, restrict access to the Avo interface to trusted administrators and disable the return_to functionality.", "Monitor incoming URLs for suspicious return_to parameters containing script tags or JavaScript payloads.", "Ensure content\u2011security\u2011policy headers are configured to limit the execution of injected scripts."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Avo (avo\u2011hq) is a Ruby on Rails administrative framework used to create panels. Any deployment of Avo prior to version\u202f3.30.3 that processes the return_to parameter is affected. The issue was addressed in release\u202f3.30.3 on the avo\u2011hq GitHub repository.", "description_and_impact": "The vulnerability is a reflected cross\u2011site scripting (CWE\u201179) flaw in the return_to query parameter of the Avo administration interface. An attacker can craft a malicious URL containing JavaScript that is executed when a user clicks a navigation button, potentially hijacking sessions, injecting malicious scripts, or delivering further attacks.", "risk_and_exploitability": "The CVSS v3.1 score of 5.3 indicates moderate severity, and the EPSS score of less than 1\u202f% suggests a low likelihood of current exploitation. Avo is not listed in CISA\u2019s KEV catalog. Exploitation requires a victim to click a navigation link after visiting a crafted URL, making it dependent on social engineering and user privilege. If successfully exploited, the attacker can run arbitrary client\u2011side code and access sensitive information."}}}}, "created": "2026-03-23T09:52:21.512434+00:00", "updated": "2026-03-25T14:34:13.796323+00:00", "vendors": ["avo_hq", "avo_hq$PRODUCT$avo"]}