Description
GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.
Published: 2026-03-27
Score: 1.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unsanitized URLs in support emails
Action: Upgrade
AI Analysis

Impact

Before version 5.0.89, GlobaLeaks’ /api/support endpoint accepts support requests with only minimal validation and forwards the submitted text to administrators by email. An attacker can therefore embed arbitrary URLs in a request, and the resulting email delivers those links to the administrators, which lends itself to phishing (for example, a link to a credential-harvesting page styled as a GlobaLeaks login). The flaw is an input-validation weakness (CWE-20). Both published CVSS vectors rate the direct impact as a limited loss of integrity with no confidentiality or availability impact; the practical risk is an administrator acting on a malicious link.
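As an added example (not GlobaLeaks' own code, and not a description of the 5.0.89 patch, whose exact changes this page does not show), the following Python sketch contrasts a support-mail builder that interpolates the request verbatim with one that applies the two controls a practitioner would want here: a strict mode that rejects any request carrying a URL to a non-allowlisted host, and a lenient mode that defangs such URLs and HTML-escapes the text before it reaches an administrator's mail client. The `support.example.org` allowlist, the function names and the sample request are assumptions constructed for the demonstration.

```python
import html
import re
from urllib.parse import urlsplit

# Absolute URLs with any scheme (http, https, ftp, javascript, ...).
URL_RE = re.compile(r"""[a-zA-Z][a-zA-Z0-9+.\-]*://[^\s<>"']+""")

# Assumed allowlist: the only hosts an administrator may legitimately be sent to.
ALLOWED_HOSTS = frozenset({"support.example.org"})


def build_support_mail_vulnerable(sender: str, text: str) -> str:
    """Illustrative 'before': the requester's text is dropped into the mail
    body unchanged, so every URL (and any HTML) they typed reaches the
    administrator verbatim and is rendered as a clickable link."""
    return f"<p>Support request from {sender}</p><p>{text}</p>"


def _is_allowed(url: str, allowed_hosts) -> bool:
    """True only for http(s) URLs whose parsed hostname is allowlisted.
    urlsplit handles userinfo tricks (https://allowed@evil) and lookalike
    suffixes (allowed.evil) because we compare the whole hostname."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    host = (parts.hostname or "").lower()
    return parts.scheme.lower() in ("http", "https") and host in allowed_hosts


def find_disallowed_urls(text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Strict policy: every URL that fails the allowlist, so the endpoint can
    reject the whole request (a 4xx) instead of forwarding it."""
    return [u for u in URL_RE.findall(text) if not _is_allowed(u, allowed_hosts)]


def defang_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Lenient policy: keep allowlisted links, neutralise everything else as
    hxxps[:]//evil[.]example so mail clients will not linkify it while the
    administrator can still see what was submitted."""
    if _is_allowed(url, allowed_hosts):
        return url
    defanged = url.replace("://", "[:]//", 1).replace(".", "[.]")
    if defanged.lower().startswith("http"):
        defanged = "hxxp" + defanged[4:]
    return defanged


def sanitize_support_text(text: str, allowed_hosts=ALLOWED_HOSTS, max_len: int = 4000) -> str:
    """Bound the size, strip control characters, defang URLs on the raw text,
    then HTML-escape the whole result so any markup is shown literally."""
    if len(text) > max_len:
        raise ValueError("support request too long")
    text = "".join(ch for ch in text if ch.isprintable() or ch in "\n\t")
    text = URL_RE.sub(lambda m: defang_url(m.group(0), allowed_hosts), text)
    return html.escape(text, quote=True)


def build_support_mail_hardened(sender: str, text: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """'After': both the sender field and the body go through escaping/defanging."""
    return (f"<p>Support request from {html.escape(sender, quote=True)}</p>"
            f"<p>{sanitize_support_text(text, allowed_hosts)}</p>")


if __name__ == "__main__":
    # Constructed sample request, not a real submission.
    request = ("My login no longer works, please check "
               "https://support.example.org.evil.example/login?u=admin "
               'or <a href="https://evil.example/reset">reset here</a>; '
               "docs are at https://support.example.org/faq")
    print(build_support_mail_vulnerable("bob@example.com", request))
    print(build_support_mail_hardened("bob@example.com", request))
    print(find_disallowed_urls(request))
```

Defanging happens before escaping on purpose: the URL regex then sees the requester's raw characters rather than `&quot;` entities, and the brackets the defanger inserts survive `html.escape` untouched. For a whistleblowing platform the strict mode (reject, and log the attempt) is the safer default; the lenient mode is for deployments that want administrators to see exactly what was sent.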

Affected Systems

The vulnerability affects all GlobaLeaks installations before version 5.0.89. Both published CVSS vectors rate the endpoint as reachable over the network without privileges (PR:N), so every such installation is exposed: the product emails the submitted support text, unsanitized URLs included, to the system administrators.

Risk and Exploitability

The CVSS 4.0 score of 1.2 denotes low severity, and the CVSS 3.1 vector recorded on 10 April rates it only modestly higher at 4.3 (Medium). The EPSS score of less than 1% indicates a very low probability of exploitation, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. Both vectors describe a network-reachable endpoint that needs no privileges but does depend on user interaction (UI:R in 3.1, UI:A in 4.0): an administrator has to act on the link. The only prerequisite for the attacker is therefore the ability to submit a crafted support request to /api/support; because the outcome still hinges on an administrator following the link, the overall risk to most deployments remains low.

Generated by OpenCVE AI on April 10, 2026 at 16:53 UTC.

Remediation

The vendor fix is GlobaLeaks version 5.0.89; no workaround has been published.

OpenCVE Recommended Actions

  • Upgrade GlobaLeaks to version 5.0.89 or later.

Generated by OpenCVE AI on April 10, 2026 at 16:53 UTC.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 15:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Globaleaks globaleaks
Weaknesses          |                | NVD-CWE-noinfo
CPEs                |                | cpe:2.3:a:globaleaks:globaleaks:*:*:*:*:*:*:*:*
Vendors & Products  |                | Globaleaks globaleaks
Metrics             |                | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Mon, 30 Mar 2026 07:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Globaleaks; Globaleaks globaleaks-whistleblowing-software
Vendors & Products  |                | Globaleaks; Globaleaks globaleaks-whistleblowing-software

Fri, 27 Mar 2026 14:30:00 +0000

Type        | Values Removed | Values Added
Description |                | GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.
Title       |                | GlobalLeaks has insufficient URL validation in user support API
Weaknesses  |                | CWE-20
References  |                |
Metrics     |                | cvssV4_0 {'score': 1.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:33:52.223Z

Reserved: 2026-03-18T18:55:47.425Z

Link: CVE-2026-33284

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-27T15:16:54.643

Modified: 2026-04-10T14:53:45.587

Link: CVE-2026-33284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:15Z

Weaknesses