Description
Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to execute arbitrary script on affected installations of Allegra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the downloadAttachment method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to execute script in the context of the current user. Was ZDI-CAN-28236.
Published: 2026-06-12
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in Allegra’s downloadAttachment method causes a cross‑site scripting flaw through insufficient validation of user‑supplied data. When a victim visits a malicious page or opens a crafted attachment, the injected script runs in the browser as the logged‑in user. The script can access session cookies, submit data, or perform unauthorized actions within the user’s context.

Affected Systems

All installations of Allegra are potentially affected; the CVE entry does not specify impacted versions, so any deployment of the Allegra platform remains vulnerable until updated.

Risk and Exploitability

The base score of 4.6 indicates moderate severity. No EPSS or KEV information is available, implying that the vulnerability has not yet been widely exploited. Attackers must lure a user to a malicious link or file, so successful exploitation requires user interaction. Nonetheless, the ability to run code in a user’s session poses a non‑negligible threat, especially in environments where users have elevated privileges.

Generated by OpenCVE AI on June 13, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Allegra to the latest version that contains a fix for the downloadAttachment XSS flaw.
  • Implement strict input validation and proper escaping or sanitization for all data handled by downloadAttachment before rendering or transmitting it.
  • Deploy a restrictive Content Security Policy that limits the execution of scripts to approved origins and disables inline script execution.
  • Enable browser‑level XSS protection headers such as X‑XSS‑Protection or Content‑Security‑Policy to block or report injected scripts.

Generated by OpenCVE AI on June 13, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Allegra
Allegra allegra
Vendors & Products Allegra
Allegra allegra

Fri, 12 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Description Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to execute arbitrary script on affected installations of Allegra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the downloadAttachment method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to execute script in the context of the current user. Was ZDI-CAN-28236.
Title Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_0

{'score': 4.6, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-15T17:26:14.655Z

Reserved: 2026-06-05T22:38:18.513Z

Link: CVE-2026-11443

cve-icon Vulnrichment

Updated: 2026-06-15T17:26:09.874Z

cve-icon NVD

Status : Deferred

Published: 2026-06-13T00:16:24.290

Modified: 2026-06-15T20:52:32.540

Link: CVE-2026-11443

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T12:29:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')