Description
A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functionality of the component Administrative Interface. Executing a manipulation can lead to execution after redirect. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Execution after redirect
Action: Upgrade
AI Analysis

Impact

A flaw in go2ismail’s Free‑CRM administrative interface permits an attacker to alter the redirect logic after a user submits a form or logs in. By manipulating the redirect parameter, the attacker can force the application to send the authenticated user to a malicious domain. The vulnerability is triggered remotely, and while it does not grant arbitrary code execution, it can be used to facilitate phishing, credential forwarding, or other social‑engineering attacks that depend on redirecting logged‑in users to attacker‑controlled sites. The weakness is classified under CWE‑698 and CWE‑705.

Affected Systems

The target product is go2ismail Free‑CRM. The flaw exists in all releases up to commit b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Because the project uses a rolling release model, version numbers are not publicly tracked, so administrators should treat all current deployments as potentially vulnerable until a newer release is found that removes the redirect manipulation logic.

Risk and Exploitability

With a CVSS v3 score of 5.3, the vulnerability scores as medium severity. The EPSS score is less than 1 %, suggesting that widespread exploitation is unlikely. The vulnerability is not present in CISA’s KEV catalog. Attackers can exploit it remotely against the administrative interface without sophisticated prerequisites, provided they can reach the login or form submission endpoint. The lack of an official patch and the vendor’s unresponsive stance elevate the risk if the weakness is leveraged in a targeted campaign, but the overall threat remains moderate without an available exploit chain.

Generated by OpenCVE AI on April 18, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release that removes the redirect manipulation logic once it becomes available; contact the vendor to confirm the fix.
  • Restrict allowed redirect destinations by configuring the web server or application to accept redirects only to a curated whitelist of internal URLs, rejecting all others.
  • Add server‑side validation that ensures redirect parameters are absolute URLs pointing to approved domains or relative paths, rejecting any that are malformed or point to external hosts.

Generated by OpenCVE AI on April 18, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:go2ismail:free-crm:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Go2ismail
Go2ismail free-crm
Vendors & Products Go2ismail
Go2ismail free-crm

Thu, 26 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functionality of the component Administrative Interface. Executing a manipulation can lead to execution after redirect. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Title go2ismail Free-CRM Administrative redirect
Weaknesses CWE-698
CWE-705
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Go2ismail Free-crm
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-27T20:02:33.352Z

Reserved: 2026-02-26T14:43:12.955Z

Link: CVE-2026-3264

cve-icon Vulnrichment

Updated: 2026-02-27T20:02:20.726Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T23:16:37.910

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3264

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses