Description
An open redirect in the /api/google/authorize endpoint of hunvreus DevPush v0.3.2 allows attackers to redirect users to malicious sites by supplying a crafted URL.
Published: 2026-04-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Update or Mitigate
AI Analysis

Impact

The vulnerability is an open redirect in the "/api/google/authorize" endpoint of hunvreus DevPush v0.3.2. An attacker can craft a URL that causes the endpoint to redirect a user to an arbitrary domain, facilitating phishing, malware delivery or other attacks. This weakness is classified as CWE‑601 and exposes users to malicious redirection but does not directly leak data or execute code.

Affected Systems

Affected systems are installations of hunvreus DevPush running version 0.3.2. The issue arises when the endpoint processes the redirect parameter without validating the target domain.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting that current exploitation activity may be limited. Because the redirection is triggered through a visible URL, the likely attack vector is a crafted link that an attacker sends to users, and exploitation requires user interaction. The risk to confidentiality or integrity is low; the primary impact is user redirection to malicious sites.

Generated by OpenCVE AI on April 28, 2026 at 23:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DevPush to a patched version that corrects the redirect validation. If no patch is available, wait for an official release that addresses the flaw.
  • Restrict access to the "/api/google/authorize" endpoint so that only trusted administrators or services can invoke it, minimizing the opportunity for exploitation.
  • Implement server‑side filtering of the redirect URL to allow only whitelisted domains, eliminating the possibility of unintended redirection.

Generated by OpenCVE AI on April 28, 2026 at 23:33 UTC.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Open Redirect in DevPush v0.3.2 Allows Malicious Site Redirection

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Hunvreus
Hunvreus devpush
Vendors & Products Hunvreus
Hunvreus devpush

Tue, 28 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Title Open Redirect in DevPush v0.3.2 Allows Malicious Site Redirection

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-601
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Mon, 27 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description An open redirect in the /api/google/authorize endpoint of hunvreus DevPush v0.3.2 allows attackers to redirect users to malicious sites via supplying a crafted URL.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T17:51:00.999Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30346

Vulnrichment

Updated: 2026-04-27T17:49:12.350Z

NVD

Status: Deferred

Published: 2026-04-27T17:16:42.827

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-30346

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z
