CVE-2026-11477 - Vulnerability Details

- hs-web hsweb-framework OAuth2 Client OAuth2Client.java OAuth2Client redirect

Description

A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as c2882679a9125cea52678151af5ae213cbd52579. Applying a patch is advised to resolve this issue.

Published: 2026-06-08

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the OAuth2Client component of the hsweb-framework allows a remote attacker to supply a malicious redirect URI, causing the application to forward users to arbitrary external sites. This open redirect vulnerability can be exploited for phishing attacks, credential harvesting, or malicious content delivery, potentially compromising user trust and confidentiality. The impact is limited to redirect flows but can be leveraged as a vector for broader social engineering attacks.

Affected Systems

The vulnerability affects hsweb-framework versions up to and including 5.0.1. Users running any of these releases should verify the installed version and determine whether an upgrade to the patched release is available.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as moderate severity. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog. The attack can be performed remotely by crafting a malicious redirect parameter in the OAuth2 flow; public exploitation code has been identified, making the threat real and actionable. The risk is therefore moderate but present, especially in environments where the application trusts users' redirect URLs without strict validation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

hs-web

hsweb-framework

affected

Version	Status	Constraints
`5.0.0`	affected	—
`5.0.1`	affected	—

No data.

Vendor Product Confidence Versions

Hs-web

Hsweb-framework

95%

Version	Status	Scheme	Platform
`5.0.0`	affected	semver	—
`5.0.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update that hsweb-framework instance to a version that includes commit c2882679a9125cea52678151af5ae213cbd52579 or later, which removes the open redirect capability.
If an immediate upgrade is not possible, disable or block the OAuth2 redirect endpoint so that users cannot submit arbitrary redirect URIs.
Implement server‑side validation of redirect URLs so that only whitelisted, trusted domains are accepted, following best practices for CWE‑601 mitigation.

Generated by OpenCVE AI on June 8, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/hs-web/hsweb-framework/
https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579
https://github.com/hs-web/hsweb-framework/issues/354
https://github.com/hs-web/hsweb-framework/pull/355
https://vuldb.com/cve/CVE-2026-11477
https://vuldb.com/submit/833962
https://vuldb.com/vuln/369097
https://vuldb.com/vuln/369097/cti

History

Mon, 08 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 08 Jun 2026 02:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as c2882679a9125cea52678151af5ae213cbd52579. Applying a patch is advised to resolve this issue.
Title		hs-web hsweb-framework OAuth2 Client OAuth2Client.java OAuth2Client redirect
First Time appeared		Hs-web Hs-web hsweb-framework
Weaknesses		CWE-601
CPEs		cpe:2.3:a:hs-web:hsweb-framework::::::::
Vendors & Products		Hs-web Hs-web hsweb-framework
References		https://github.com/hs-web/hsweb-framework/ https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579 https://github.com/hs-web/hsweb-framework/issues/354 https://github.com/hs-web/hsweb-framework/pull/355 https://vuldb.com/cve/CVE-2026-11477 https://vuldb.com/submit/833962 https://vuldb.com/vuln/369097 https://vuldb.com/vuln/369097/cti
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Hs-web Hsweb-framework

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-08T01:45:11.512Z

Updated: 2026-06-08T13:42:42.500Z

Reserved: 2026-06-07T09:40:18.483Z

Link: CVE-2026-11477

Vulnrichment

Updated: 2026-06-08T13:42:38.384Z

NVD

Status : Deferred

Published: 2026-06-08T02:16:23.903

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11477

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T03:30:16Z

Weaknesses

CWE-601

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object