Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction
Description
Publify is a self-hosted web publishing platform on Rails. Prior to version 10.0.1 of Publify, corresponding to versions prior to 10.0.2 of the publify_core rubygem, a publisher on a Publify application is able to perform a cross-site scripting (XSS) attack on an administrator using the redirect functionality. Exploiting this XSS vulnerability requires the administrator to click a malicious link. An attacker could attempt to hide their payload by using HTML or other encodings, so as not to make it obvious to an administrator that this is a malicious link. A publisher may attempt to use this vulnerability to escalate their privileges and become an administrator. Version 10.0.1 of Publify and version 10.0.2 of the publify_core rubygem fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting (XSS) vulnerability in Publify's redirect functionality allows a publisher to escalate privileges to administrator by tricking an admin into clicking a crafted link.
Vulnerability
Overview
CVE-2024-39311 is a stored cross-site scripting (XSS) vulnerability in Publify, a self-hosted web publishing platform built on Ruby on Rails [1]. The flaw resides in the redirect functionality, where a user with publisher-level privileges can create a redirect entry whose target is a javascript: URI (e.g., javascript:alert()) [3]. Although the redirect itself does not execute, an administrative panel renders this URI as the href of an anchor (`<a>`) link [3].
Exploitation
Requirements
To exploit this vulnerability, an administrator must click the malicious link presented in the admin interface [1][3]. The attacker can encode or obscure the payload using HTML entities or other encodings to make the link appear legitimate [3]. This attack does not require any special network position; it is entirely dependent on social engineering of an administrator [1].
Impact
If successfully triggered, the XSS payload runs in the context of the administrator's session [3]. This enables a publisher—who typically has fewer privileges—to escalate their access and gain full administrative control over the Publify instance [1][3].
Mitigation
The issue is fixed in Publify version 10.0.1 and in the publify_core rubygem version 10.0.2 [1][3]. Administrators should upgrade immediately to prevent privilege escalation attacks from untrusted publishers.
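Upgrading is the fix; the following Ruby helper is an added example of the input-side check that closes this class of bug, written for this page and not taken from Publify or its patch (the page shows no diff). It validates a publisher-supplied redirect target before it is stored: it first undoes the obfuscations the description mentions (HTML entities and control characters, which a browser decodes silently), then accepts only site-relative paths or absolute http/https URLs, so a `javascript:` or `data:` URI never reaches the admin panel's anchor. The function names and sample inputs are constructed for this example. Output escaping in the admin view remains the primary XSS control; this is defence in depth at the point where untrusted data enters.

```ruby
require "uri"
require "cgi"

# Only these schemes may be stored as an absolute redirect target.
SAFE_SCHEMES = %w[http https].freeze

# Undo the obfuscations a browser would quietly undo for the attacker:
# HTML entities (java&#115;cript:) and ASCII control characters (java\tscript:),
# plus surrounding whitespace. Checking the scheme on the raw string would miss these.
def normalize_redirect_target(raw)
  decoded = CGI.unescapeHTML(raw.to_s) # handles &#NNN; and &#xHH; numeric entities too
  decoded.gsub(/[\u0000-\u001F\u007F]/, "").strip
end

# True only for a site-relative path ("/foo") or an absolute http(s) URL with a host.
# Everything else (javascript:, data:, vbscript:, scheme-relative "//host",
# unparseable input) is rejected, so it can never be rendered as a clickable
# anchor in the admin UI.
def safe_redirect_target?(raw)
  target = normalize_redirect_target(raw)
  return false if target.empty?
  # "/path" stays on this site; "//host/path" is scheme-relative and leaves it.
  return true if target.start_with?("/") && !target.start_with?("//")

  uri = URI.parse(target)
  return false if uri.scheme.nil? || uri.host.to_s.empty?

  SAFE_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false
end

# Constructed sample inputs: what a publisher might submit through a redirect form.
SAMPLE_TARGETS = [
  "https://example.com/new-home",      # accepted
  "/articles/2024/hello-world",        # accepted
  "javascript:alert()",                # rejected: the case from the advisory
  "JaVaScRiPt:alert(1)",               # rejected: scheme check is case-insensitive
  "java&#115;cript:alert(1)",          # rejected: entity-encoded 's' is decoded first
  "java\tscript:alert(1)",             # rejected: control character stripped first
  "//evil.example/",                   # rejected: scheme-relative, leaves the site
  "data:text/html,hi"                  # rejected: not an http(s) scheme
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TARGETS.each do |t|
    puts format("%-32s %s", t.inspect, safe_redirect_target?(t) ? "accepted" : "rejected")
  end
end
```

In a Rails model this would sit behind a `validate` callback on the redirect's target attribute, rejecting the record at save time. Relative targets without a leading slash are deliberately not accepted here; widen the relative-path branch if the application needs them.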
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| publify_core | RubyGems | < 10.0.2 | 10.0.2 |
Affected products
- Range: < 10.0.1
- publify/publify: < 10.0.1
Patches
- 1c9c2ab199224
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8fm5-gg2f-f66q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-39311 (ghsa, ADVISORY)
- github.com/publify/publify/security/advisories/GHSA-8fm5-gg2f-f66q (ghsa, x_refsource_CONFIRM, WEB)