MEDIUM
GHSA-762r-27w2-q22j
Avo has an XSS vulnerability in the `return_to` param
Details
## Description
A reflected cross-site scripting (XSS) vulnerability exists in the `return_to` query parameter used in the Avo interface.
An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when the victim clicks a dynamically generated navigation button whose target is built from that parameter.
## Impact
This vulnerability may allow execution of arbitrary JavaScript in the context of the application.
Impact varies depending on deployment:
- In unauthenticated setups: exploitable via crafted links sent to users
- In authenticated setups: limited to authenticated users and requires interaction
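The pattern behind this class of bug, shown as an added example that is not Avo's code and not the fix merged in the referenced pull request: a "Back" button whose `href` is taken straight from an untrusted `return_to` value. The assumption here is that the injected payload is a `javascript:` URL, which HTML-escaping does not stop because it only fires when the link is clicked; the function names, the default path and the sample payloads are all constructed for illustration. The hardened helper accepts only a same-origin, path-only target and falls back to a fixed default for anything else.

```ruby
require "uri"
require "cgi"

# Vulnerable pattern (constructed, not Avo's code): the href is the raw
# parameter. CGI.escapeHTML blocks tag injection but leaves a
# "javascript:" URL intact, so the payload runs on click.
def unsafe_back_button(return_to)
  %(<a class="button" href="#{CGI.escapeHTML(return_to)}">Back</a>)
end

# Hypothetical default used when return_to is missing or rejected.
DEFAULT_RETURN = "/avo/resources"

# Accept only a relative, same-origin path; everything else falls back.
def safe_return_to(raw, default: DEFAULT_RETURN)
  return default if raw.nil? || raw.empty?
  # Browsers strip tabs/newlines inside a scheme ("java\tscript:"), so
  # refuse any control character or whitespace outright.
  return default if raw.match?(/[\x00-\x20\x7f]/)
  # A same-origin path starts with exactly one "/". "//host" and "/\host"
  # are treated as protocol-relative URLs by browsers.
  return default unless raw.start_with?("/") && !raw.start_with?("//", "/\\")
  begin
    uri = URI.parse(raw)
  rescue URI::InvalidURIError
    return default
  end
  # Belt and braces: after the prefix check there must be no scheme or host.
  return default if uri.scheme || uri.host
  raw
end

# Hardened button: validated target, then HTML-escaped for the attribute.
def safe_back_button(return_to)
  %(<a class="button" href="#{CGI.escapeHTML(safe_return_to(return_to))}">Back</a>)
end

if $PROGRAM_NAME == __FILE__
  payload = "javascript:alert(document.cookie)" # constructed attacker value
  puts unsafe_back_button(payload)
  puts safe_back_button(payload)
  puts safe_back_button("/avo/resources/users/1?page=2")
end
```

Validating the target before escaping is the important order of operations: escaping alone only addresses attribute or tag break-out, while the scheme and host checks address where the link actually points.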
References
- https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-33209 [ADVISORY]
- https://github.com/avo-hq/avo/pull/4330 [WEB]
- https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d [WEB]
- https://github.com/avo-hq/avo [PACKAGE]
- https://github.com/avo-hq/avo/releases/tag/v3.30.3 [WEB]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2026-33209.yml [WEB]