XSS in Avo-hq Avo
CVE-2026-33209
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the Avo interface. An attacker can craft a mali…
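The advisory does not reproduce the affected code, and the actual fix lives in the linked commit. The block below is an added illustration of the general pattern, not Avo's own code: a hypothetical back-link helper that interpolates return_to straight into markup, next to a hardened version that restricts the value to a same-origin path and HTML-escapes it on output. The payload strings are constructed for the example and the "/avo" fallback path is an assumption.

```ruby
require "cgi"
require "uri"

# Constructed sample return_to values (not taken from the advisory).
PAYLOADS = [
  "/avo/resources/users",                 # benign relative path
  "javascript:alert(document.domain)",    # scheme-based payload
  "\"><script>alert(1)</script>",         # breaks out of the href attribute
  "//evil.example/phish",                 # protocol-relative open redirect
  "https://evil.example/",                # absolute URL to another origin
].freeze

# Hypothetical vulnerable pattern: the parameter is written into HTML unescaped,
# so any of the payloads above lands verbatim in the page.
def vulnerable_back_link(return_to)
  %(<a href="#{return_to}">Back</a>)
end

# Hardened: accept only an absolute path on this origin, otherwise fall back.
# The path must start with a single "/" (so "//host" is rejected), contain no
# control characters or backslashes, and parse as a URI with no scheme or host.
def safe_return_to(return_to, fallback: "/avo")
  return fallback if return_to.nil? || return_to.empty?
  return fallback unless return_to.start_with?("/") && !return_to.start_with?("//")
  return fallback if return_to.match?(/[\x00-\x1f\\]/)
  uri = URI.parse(return_to) rescue nil
  return fallback if uri.nil? || uri.scheme || uri.host
  return_to
end

# Validation alone is not enough for XSS; the value is also escaped at the
# point where it is written into the attribute.
def safe_back_link(return_to)
  %(<a href="#{CGI.escapeHTML(safe_return_to(return_to))}">Back</a>)
end

if __FILE__ == $PROGRAM_NAME
  PAYLOADS.each do |p|
    puts "input:      #{p.inspect}"
    puts "vulnerable: #{vulnerable_back_link(p)}"
    puts "hardened:   #{safe_back_link(p)}"
    puts
  end
end
```

The allow-list check is what turns a reflected-XSS or open-redirect sink into a harmless one: the attacker controls the parameter, so the only values that should ever reach the response are paths the application would have generated itself.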
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (2.2nd percentile)
Affected products
- Avo-hq Avo — versions < 3.30.3
References
- https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j (x_refsource_CONFIRM)
- https://github.com/avo-hq/avo/pull/4330 (x_refsource_MISC)
- https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d (x_refsource_MISC)
- https://github.com/avo-hq/avo/releases/tag/v3.30.3 (x_refsource_MISC)