Description
A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 4.8.0 mitigates this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure.
Published: 2026-04-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting via the reset password flow
Action: Apply Patch
AI Analysis

Impact

An attacker can inject a malicious value into the redirectTo parameter handled by reset-password-form.tsx in Rallly. The value is reflected into client-side code without validation, which is a reflected cross-site scripting weakness (CWE-79); the record is additionally tagged CWE-94 (code injection), reflecting that the redirect target ends up interpreted as executable content rather than treated purely as a location. An attacker who gets a victim to open a crafted reset-password link can run arbitrary JavaScript in the victim's browser within the application's origin. The advisory does not state what such a script could reach: the scored vectors record no confidentiality impact and low integrity impact (C:N/I:L), so any claim that session cookies, credentials or account actions are exposed is inference, not something the scoring supports. CVSS v4.0 rates the issue 5.1 (Medium) and CVSS v3.x 3.5 (Low); all vectors assume a low-privileged user and user interaction (PR:L, UI:R), i.e. a remote attacker who can entice a user to click a malicious URL.

Affected Systems

The vulnerability affects the Rallly application by lukevella in versions up to and including 4.7.4. The repository and its change history are on GitHub, and the fix shipped in version 4.8.0. Anyone running an earlier version should consult the changelog and upgrade to at least 4.8.0; no patched 4.7.x release is recorded here.

Risk and Exploitability

The CVSS v4.0 score of 5.1 indicates moderate impact; the EPSS score of <1% (approximately 0.00034) indicates a low but non-zero likelihood of exploitation, but publicly available exploit code and a remote vector raise the practical risk. The flaw is not listed in the CISA KEV catalog; the SSVC assessment on this record puts Exploitation at "poc", Automatable at "no" and Technical Impact at "partial", which is consistent with a proof of concept that still needs a human to click. An attacker sends a target user a link whose redirectTo value carries the payload, which executes when the reset-password page renders it. The scored vectors require low privileges and user interaction (PR:L, UI:R), so the barrier is getting a user to open the link rather than any access to the server, a natural fit for phishing campaigns built around password-reset lures.

Generated by OpenCVE AI on April 18, 2026 at 20:04 UTC.

Remediation

The vendor description names version 4.8.0 as the fix; no separate vendor advisory or workaround is recorded on this page.

OpenCVE Recommended Actions

  • Update Rallly to version 4.8.0 or newer
  • Validate redirectTo as a same-origin relative path before using it for navigation, on both client and server: reject absolute URLs to other origins, protocol-relative values (//host) and any non-http(s) scheme such as javascript:, and fall back to a fixed default. Encoding the value is not a substitute for this check, because the parameter is consumed as a location rather than rendered as text.
  • Implement a Content Security Policy that disallows inline script and restricts script sources to trusted origins, thereby mitigating any remaining XSS risk
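The validation described in the Impact section and in the action item above, as an added example that is not code from Rallly or from the advisory. The actual sink inside reset-password-form.tsx is not described on this page; the "unsafe" function shows the generic pattern by which a trusted redirect parameter becomes script execution, and the hardened function is the allow-list a reviewer would ask for. APP_ORIGIN ("https://rallly.example"), FALLBACK, the function names and the sample inputs are all assumptions made for the demonstration.

```typescript
// Added example, not code from Rallly: a same-origin allow-list for a
// "redirectTo" style parameter, shown beside the pattern that makes such a
// parameter exploitable. The real sink inside reset-password-form.tsx is not
// described in the advisory; APP_ORIGIN, FALLBACK and the function names are
// assumptions for this demo.

const APP_ORIGIN = "https://rallly.example"; // assumed deployment origin
const FALLBACK = "/";                        // assumed default landing page

// Vulnerable pattern: the parameter is trusted as-is. When the result lands in
// window.location.href or an <a href>, a value like
// "javascript:alert(document.domain)" executes in the application's origin.
function unsafeRedirectTarget(redirectTo: string | null): string {
  return redirectTo ?? FALLBACK;
}

// Hardened pattern: resolve the value against the app origin with the WHATWG
// URL parser and keep only http(s) URLs on exactly that origin. Returning
// path + query + hash (never the raw input) means the caller can only ever
// navigate within the application.
function safeRedirectTarget(
  redirectTo: string | null | undefined,
  fallback: string = FALLBACK,
  origin: string = APP_ORIGIN,
): string {
  if (typeof redirectTo !== "string" || redirectTo.trim() === "") {
    return fallback;
  }
  // The URL parser silently drops ASCII tab/newline, so "java\nscript:" still
  // parses as javascript:. The scheme check below catches that, but control
  // characters never belong in a legitimate redirect, so refuse them early.
  if (/[\u0000-\u001f\u007f]/.test(redirectTo)) {
    return fallback;
  }
  let parsed: URL;
  try {
    parsed = new URL(redirectTo, origin);
  } catch {
    return fallback;
  }
  // Relative paths resolve to the app origin; "//evil.example/x" and
  // "/\evil.example" (backslash is treated as slash for http(s)) resolve to a
  // foreign origin; "javascript:..." keeps its scheme and has origin "null".
  if (parsed.origin !== new URL(origin).origin) {
    return fallback;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return fallback;
  }
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs (not observed payloads) covering the cases a
// reviewer should expect a redirect validator to handle.
const SAMPLE_REDIRECTS: string[] = [
  "/polls/abc123",
  "https://rallly.example/settings?tab=profile#notifications",
  "javascript:alert(document.domain)",
  "//evil.example/phish",
  "/\\evil.example",
  "https://rallly.example@evil.example/",
  "java\nscript:alert(1)",
];

// Returns input -> sanitised target for every sample, handy for a quick review.
function classifyRedirects(samples: string[] = SAMPLE_REDIRECTS): Record<string, string> {
  const out: Record<string, string> = {};
  for (const s of samples) out[s] = safeRedirectTarget(s);
  return out;
}

console.log(classifyRedirects());
```

Only the first two samples survive as navigable targets; everything else collapses to the fallback. Comparing on the parsed origin rather than on string prefixes is what defeats the userinfo and backslash variants, and returning only the path portion keeps the caller from ever handing a foreign absolute URL to the router even if the allow-list is later loosened.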



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 21:00:00 +0000

Values Removed: (none)
Type: First Time appeared
Values Added: Lukevella; Lukevella rallly
Type: Vendors & Products
Values Added: Lukevella; Lukevella rallly

Fri, 17 Apr 2026 14:45:00 +0000

Values Removed: (none)
Type: Description
Values Added: A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 4.8.0 mitigates this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure.
Type: Title
Values Added: lukevella rallly Reset Password reset-password-form.tsx cross site scripting
Type: Weaknesses
Values Added: CWE-79, CWE-94
Type: References
Values Added: (none listed)
Type: Metrics
Values Added:
  cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
  cvssV3_0 {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T14:58:49.011Z

Reserved: 2026-04-17T07:29:56.484Z

Link: CVE-2026-6493

Vulnrichment

Updated: 2026-04-17T14:51:57.535Z

NVD

Status: Deferred

Published: 2026-04-17T15:16:52.313

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses