CVE-2026-9566: Cross Site Scripting in teableio teable
A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipulation of the argument redirect leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Upgrading to version release.2026-04-21T08-57-20Z.1513 will fix this issue. The affected component should be upgraded. The vendor confirms: "The default branch of teableio/teable is develop, and the reported login redirect issue has already been fixed there. The login redirect flow now validates the redirect parameter with isValidRedirectPath() before navigation, which blocks javascript:, data:, and cross-origin redirects."
AI Analysis
Technical Summary
This vulnerability affects the teableio teable product up to version 1.9.x in the LoginPage.tsx file within the Sign-up component. The redirect argument is not properly validated, enabling cross-site scripting attacks via crafted redirect URLs. The vendor fixed the issue by implementing validation with isValidRedirectPath(), which blocks javascript:, data:, and cross-origin redirects. The fix is included in the version released on 2026-04-21T08:57:20Z.1513 and in the develop branch.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary scripts in the context of the vulnerable application by manipulating the redirect parameter. This can lead to theft of user credentials, session hijacking, or other malicious actions within the user's browser session. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, user interaction needed, and limited impact on integrity and availability.
Mitigation Recommendations
Upgrade the affected teableio teable component to the version released on 2026-04-21T08:57:20Z.1513 or later, which includes the fix validating redirect parameters with isValidRedirectPath(). This validation prevents unsafe redirects and blocks javascript:, data:, and cross-origin URLs. No other mitigation is required as the vendor confirms the issue is fixed in the default development branch and the specified release.
CVE-2026-9566: Cross Site Scripting in teableio teable
Description
A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipulation of the argument redirect leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Upgrading to version release.2026-04-21T08-57-20Z.1513 will fix this issue. The affected component should be upgraded. The vendor confirms: "The default branch of teableio/teable is develop, and the reported login redirect issue has already been fixed there. The login redirect flow now validates the redirect parameter with isValidRedirectPath() before navigation, which blocks javascript:, data:, and cross-origin redirects."
CVSS v4.0
Score 5.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the teableio teable product up to version 1.9.x in the LoginPage.tsx file within the Sign-up component. The redirect argument is not properly validated, enabling cross-site scripting attacks via crafted redirect URLs. The vendor fixed the issue by implementing validation with isValidRedirectPath(), which blocks javascript:, data:, and cross-origin redirects. The fix is included in the version released on 2026-04-21T08:57:20Z.1513 and in the develop branch.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary scripts in the context of the vulnerable application by manipulating the redirect parameter. This can lead to theft of user credentials, session hijacking, or other malicious actions within the user's browser session. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, user interaction needed, and limited impact on integrity and availability.
Mitigation Recommendations
Upgrade the affected teableio teable component to the version released on 2026-04-21T08:57:20Z.1513 or later, which includes the fix validating redirect parameters with isValidRedirectPath(). This validation prevents unsafe redirects and blocks javascript:, data:, and cross-origin URLs. No other mitigation is required as the vendor confirms the issue is fixed in the default development branch and the specified release.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-26T10:48:11.353Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a15e03f891d628fdc67da19
Added to database: 5/26/2026, 6:02:39 PM
Last enriched: 5/26/2026, 6:18:06 PM
Last updated: 5/26/2026, 7:56:52 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.