Description
A weakness has been identified in kortix-ai suna up to 0.8.38. Affected by this issue is the function router.replace/router.push of the file apps/frontend/src/app/auth/page.tsx of the component Auth Endpoint. Executing a manipulation of the argument returnURL can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 0.8.39 can resolve this issue. This patch is called f5dec7aa0c1b8fa0125938f292c0f2430ca75f6c. It is advisable to upgrade the affected component. The researcher explains: "The issue was fixed in v0.8.39 without notifying the wider user base via a security disclosure."
Published: 2026-06-21
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An injection point exists in the Auth Endpoint of kortix-ai Suna: the router.replace and router.push calls accept a returnURL parameter without proper sanitization, allowing an attacker to supply arbitrary script payloads. This flaw aligns with CWE-79 (Cross-Site Scripting) and CWE-94 (Improper Control of Generation of Code) and can be used to deface pages, steal session cookies, or perform other client-side attacks. The vulnerability is reachable remotely and exploit code is publicly disclosed, giving attackers a ready-to-use means to compromise affected users.

Affected Systems

The flaw affects kortix-ai Suna versions up to and including 0.8.38. The product is available in the open source repository at https://github.com/kortix-ai/suna/. Users should update to version 0.8.39 (commit f5dec7aa) or newer to eliminate the flaw.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, and no EPSS data is available, though the exploit is publicly accessible. The vulnerability is not listed in CISA KEV, but its remote nature and public exploit raise concern. Attackers can craft a malicious URL with a manipulated returnURL, trigger the redirect, and deliver the payload entirely on the client side.

Generated by OpenCVE AI on June 21, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade kortix-ai Suna to version 0.8.39 or later; the patch removes the unsanitized returnURL handling.
  • If an upgrade cannot be applied immediately, validate the returnURL on the server side to ensure it is a trusted domain or path and reject any attempts to inject script or execute code.
  • Escape or encode any dynamic content derived from returnURL before rendering it in the browser to prevent script execution.
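As an added illustration of the second and third actions above (example code, not from the suna repository): a validator that accepts only a same-origin absolute path for returnURL and falls back to a fixed route otherwise, placed in front of a mock router that stands in for the Next.js one. The `app.invalid` parsing base, the `/dashboard` fallback and the function names are assumptions.

```typescript
// Added example (not from kortix-ai/suna): validate a returnURL query
// parameter before it reaches router.push/router.replace.
// "app.invalid" is a placeholder base used only for parsing; "/dashboard"
// is an assumed fallback route.
const FALLBACK_ROUTE = "/dashboard";
const PARSE_BASE = "https://app.invalid";

function safeReturnUrl(raw: string | null | undefined, fallback: string = FALLBACK_ROUTE): string {
  if (typeof raw !== "string" || raw.length === 0) return fallback;
  // Strip whitespace and control characters first: browsers ignore them when
  // recognising a scheme ("java\tscript:"), and " //host" would otherwise
  // pass a naive leading-slash check.
  const cleaned = raw.replace(/[\u0000-\u001F\u007F\s]/g, "");
  // Exactly one leading slash: "//host" and "/\host" are protocol-relative
  // references that leave the current origin.
  if (!/^\/(?![\/\\])/.test(cleaned)) return fallback;
  let parsed: URL;
  try {
    parsed = new URL(cleaned, PARSE_BASE);
  } catch {
    return fallback;
  }
  // Reject anything that resolved to a different origin or scheme.
  if (parsed.origin !== PARSE_BASE) return fallback;
  // Return only path, query and fragment; the origin is never echoed back.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Minimal stand-in for the Next.js router so the example runs outside a browser.
const visited: string[] = [];
const router = { push: (href: string): void => { visited.push(href); } };

// The shape the advisory describes: the parameter goes straight to router.push.
function unsafeAuthRedirect(params: URLSearchParams): string {
  const target = params.get("returnURL") || FALLBACK_ROUTE;
  router.push(target);
  return target;
}

// Hardened variant: the same flow, with the validator in front of the router.
function handleAuthRedirect(params: URLSearchParams): string {
  const target = safeReturnUrl(params.get("returnURL"));
  router.push(target);
  return target;
}
```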

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 22:30:00 +0000

Type                | Values Removed | Values Added
Description         |                | A weakness has been identified in kortix-ai suna up to 0.8.38. Affected by this issue is the function router.replace/router.push of the file apps/frontend/src/app/auth/page.tsx of the component Auth Endpoint. Executing a manipulation of the argument returnURL can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 0.8.39 can resolve this issue. This patch is called f5dec7aa0c1b8fa0125938f292c0f2430ca75f6c. It is advisable to upgrade the affected component. The researcher explains: "The issue was fixed in v0.8.39 without notifying the wider user base via a security disclosure."
Title               |                | kortix-ai suna Auth Endpoint page.tsx router.push cross site scripting
First Time appeared |                | Kortix-ai; Kortix-ai suna
Weaknesses          |                | CWE-79; CWE-94
CPEs                |                | cpe:2.3:a:kortix-ai:suna:*:*:*:*:*:*:*:*
Vendors & Products  |                | Kortix-ai; Kortix-ai suna
References          |                |
Metrics             |                | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
                    |                | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                    |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                    |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T22:00:10.903Z

Reserved: 2026-06-21T04:34:58.937Z

Link: CVE-2026-12811

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-21T23:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')