Description
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting (CWE‑79) flaw in the return_to query parameter of the Avo administration interface. An attacker can craft a malicious URL containing JavaScript that is executed when a user clicks a navigation button, potentially hijacking sessions, injecting malicious scripts, or delivering further attacks.

Affected Systems

Avo (avo‑hq) is a Ruby on Rails administrative framework used to create panels. Any deployment of Avo prior to version 3.30.3 that processes the return_to parameter is affected. The issue was addressed in release 3.30.3 on the avo‑hq GitHub repository.

Risk and Exploitability

The CVSS v3.1 score of 5.3 indicates moderate severity, and the EPSS score of less than 1 % suggests a low likelihood of current exploitation. Avo is not listed in CISA’s KEV catalog. Exploitation requires a victim to click a navigation link after visiting a crafted URL, making it dependent on social engineering and user privilege. If successfully exploited, the attacker can run arbitrary client‑side code and access sensitive information.

Generated by OpenCVE AI on March 23, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply version 3.30.3 or later of Avo to eliminate the reflected XSS vulnerability.
  • If an upgrade is not immediately possible, restrict access to the Avo interface to trusted administrators and disable the return_to functionality.
  • Monitor incoming URLs for suspicious return_to parameters containing script tags or JavaScript payloads.
  • Ensure content‑security‑policy headers are configured to limit the execution of injected scripts.

Generated by OpenCVE AI on March 23, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-762r-27w2-q22j Avo has a XSS vulnerability on `return_to` param
History

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Avohq
Avohq avo
CPEs cpe:2.3:a:avohq:avo:*:*:*:*:*:ruby:*:*
Vendors & Products Avohq
Avohq avo
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Avo Hq
Avo Hq avo
Vendors & Products Avo Hq
Avo Hq avo

Fri, 20 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3.
Title Avo has a XSS vulnerability on `return_to` param
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Avo Hq Avo
Avohq Avo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:07:25.007Z

Reserved: 2026-03-17T23:23:58.312Z

Link: CVE-2026-33209

cve-icon Vulnrichment

Updated: 2026-03-24T18:07:14.601Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T23:16:45.843

Modified: 2026-03-23T18:55:37.947

Link: CVE-2026-33209

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:13Z

Weaknesses