
GHSA-x7qq-m748-8p2c: Probo has an open redirect bypass via path normalization

Medium
Published: 06/30/2026 (06/30/2026, 18:31:50 UTC)
Source: GCVE Database
Product: go.probo.inc/probo

Description

Probo's saferedirect package contains an open redirect vulnerability due to improper path normalization. The validator only checked the second character of relative paths, allowing crafted URLs with backslashes to bypass validation. This leads to redirection to external domains, enabling phishing attacks. The issue is fixed in probod v0.194.1 and later. SaaS deployments on getprobo.com are already patched. No practical workaround exists for self-hosted versions prior to the fix.

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Affected software

Go (ghsa)
go.probo.inc/probo
Affected versions
<0.204.0


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/30/2026, 23:48:20 UTC

Technical Analysis

The vulnerability in Probo's saferedirect package arises because the redirect URL validator only inspects the second character of relative paths, allowing URLs like '/../\evil.com' to pass validation. Go's http.Redirect normalizes such paths by converting backslashes to slashes, which browsers may interpret as host separators, resulting in redirection to external domains. This bypasses same-origin restrictions and enables open redirect phishing attacks. The fix involves normalizing paths with path.Clean, rejecting backslashes (including percent-encoded ones), and revalidating the normalized path. The vulnerability affects versions before 0.204.0 and is patched in probod v0.194.1 and later. SaaS deployments are already patched.
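The analysis above describes two validators: a weak one that inspects only the second character of a relative path, and the fixed one that rejects backslashes (raw or percent-encoded), normalizes with path.Clean and revalidates. The following Go program is an added example written for this page, not Probo's saferedirect code; the function names weakIsSafeRedirect and safeRedirectPath, the exact shape of the weak check, and the sample targets are constructed for illustration. It shows why the advisory's '/../\evil.com' payload passes a second-character check and how the hardened validator handles it, and it also covers the related '///evil.com' and encoded-backslash forms that a path-based validator should reject.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// weakIsSafeRedirect is a constructed approximation of the class of check the
// advisory describes (NOT Probo's actual code): it only looks at the first two
// characters of a relative path, so "//evil.com" and "/\evil.com" are blocked
// but "/../\evil.com" slips through because its second character is '.'.
func weakIsSafeRedirect(target string) bool {
	if target == "" || target[0] != '/' {
		return false
	}
	if len(target) > 1 && (target[1] == '/' || target[1] == '\\') {
		return false
	}
	return true
}

// safeRedirectPath applies the fix strategy the advisory describes:
// reject backslashes (raw or percent-encoded), make sure the target carries no
// scheme, host or userinfo, normalize with path.Clean, then revalidate the
// normalized result. It returns the cleaned path (with any query) and ok.
// The function name and structure are assumptions made for this example.
func safeRedirectPath(target string) (string, bool) {
	// Backslashes never belong in a same-site redirect target: browsers treat "\"
	// like "/" in special-scheme URLs, so "/\evil.com" is read as "//evil.com".
	if strings.Contains(target, "\\") || strings.Contains(strings.ToLower(target), "%5c") {
		return "", false
	}
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "", false
	}
	// u.Path is the percent-decoded path: check the decoded form too, and require a
	// single leading slash so "///evil.com" is not accepted (browsers collapse the
	// extra slashes and read what follows as a host).
	if strings.Contains(u.Path, "\\") || !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", false
	}
	cleaned := path.Clean(u.Path)
	// Revalidate after normalization: "/../x" cleans to "/x", which is fine, but any
	// result that is not rooted with exactly one slash is rejected.
	if !strings.HasPrefix(cleaned, "/") || strings.HasPrefix(cleaned, "//") {
		return "", false
	}
	if u.RawQuery != "" {
		cleaned += "?" + u.RawQuery
	}
	return cleaned, true
}

func main() {
	// Constructed sample targets: the advisory's bypass payload plus common variants.
	samples := []string{
		"/dashboard/../settings?tab=1",
		"/../\\evil.com",
		"/..%5Cevil.com",
		"//evil.com",
		"///evil.com",
		"https://evil.com/",
	}
	for _, s := range samples {
		cleaned, ok := safeRedirectPath(s)
		fmt.Printf("%-32q weak=%-5v hardened=%-5v -> %q\n", s, weakIsSafeRedirect(s), ok, cleaned)
	}
}
```

Running the program prints one line per sample; only the first (an ordinary in-app path) is accepted by the hardened validator, while the weak check accepts both that path and the '/../\evil.com' payload. The design choice worth noting is that normalization alone is not enough: the backslash and multi-slash checks run on the raw and decoded input before path.Clean, and the rooted-single-slash check runs again on the cleaned output, matching the "normalize, reject backslashes, revalidate" order the advisory describes.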

Potential Impact

An attacker can craft malicious redirect URLs that appear to originate from trusted Probo domains but redirect users to external, potentially malicious sites. This can facilitate phishing attacks by exploiting the open redirect vulnerability. The vulnerability does not impact confidentiality or availability but can lead to user deception and potential credential theft or other social engineering outcomes.

Mitigation Recommendations

Self-hosted Probo deployments should upgrade to probod version 0.194.1 or later to address this vulnerability. SaaS deployments on getprobo.com have already been patched by the vendor. There are no practical workarounds for self-hosted installations prior to the patch. Users should apply the official fix to ensure proper path normalization and validation.


Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-x7qq-m748-8p2c
Osv Schema Version
1.4.0
Aliases
["CVE-2026-49820"]
Ecosystems
["Go"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a4452e227e9c797198e11b3

Added to database: 06/30/2026, 23:36:02 UTC

Last enriched: 06/30/2026, 23:48:20 UTC

Last updated: 06/30/2026, 23:48:20 UTC

Views: 2


