Improper input validation in Globaleaks Globaleaks-whistleblowing-software

CVE-2026-33284

GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in sup…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.001 (31.1th percentile) — read the EPSS interpretation.

Affected products

Globaleaks Globaleaks-whistleblowing-software — versions < 5.0.89

Weakness classification (CWE)

CWE-20 — Improper Input Validation

References

https://github.com/globaleaks/globaleaks-whistleblowing-software/security/advisories/GHSA-84wr-q36q-wqhv (x_refsource_CONFIRM)