CVE-2026-9519
Description
A security flaw has been discovered in stonith404 pingvin-share up to 1.13.0. This affects the function getServerSideProps of the file frontend/src/pages/auth/signIn.tsx of the component Sign-in Auto-Redirect. The manipulation of the argument redirect results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM XSS in Pingvin Share <=1.13.0 sign-in redirect via unsanitized `redirect` parameter allows remote attackers to execute arbitrary JavaScript.
Vulnerability
A DOM Cross-Site Scripting (XSS) vulnerability exists in Pingvin Share up to version 1.13.0. The bug resides in the getServerSideProps function of the file frontend/src/pages/auth/signIn.tsx, which processes the redirect query parameter from the browser URL. The component SignIn then uses router.replace(redirectPath) in a useEffect hook without sanitizing the value, allowing protocols like javascript: to be passed to window.location [1]. No special configuration is required; the code path is reachable on any deployed instance where users can access the sign-in page.
Exploitation
An attacker can exploit this vulnerability remotely and without any account of their own: a crafted URL such as https://HOST/auth/signIn?redirect=javascript:alert(1) is delivered to a victim (a phishing message, a shared link) who must open it. The payload fires only when the victim already holds a valid session on the instance, because it is the logged-in branch of the sign-in page that calls router.replace() with the unsanitized redirect value; the unauthenticated branch runs the value through the safeRedirectPath function first [1]. The injected JavaScript then executes in the victim's browser, in the origin of the Pingvin Share instance. A proof-of-concept has been publicly released [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the authenticated user's session. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The attack is limited to the browser context of the victim, but the attacker does not need any prior access or privileges [1].
Mitigation
The vendor, stonith404, was contacted but did not respond [1], and as of this report no fixed release exists; every version up to and including 1.13.0 is affected. Until a fix ships, operators should validate the redirect parameter on the server side, in getServerSideProps, before it is handed to the client: accept only relative, same-origin paths (or an explicit allowlist of destinations) and fall back to a safe default otherwise. If a release newer than 1.13.0 that addresses this issue becomes available, upgrade to it. The CVE is not listed in CISA KEV as of this report.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected product entries:
- (no CPE) range: <=1.13.0
- (no CPE) range: <=1.13.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application passes an unsanitized URL query parameter (`redirect`) directly into `router.replace()`, allowing the `javascript:` protocol to execute arbitrary JavaScript in the browser."
Attack vector
An attacker crafts a malicious URL such as `https://HOST/auth/signIn?redirect=javascript:alert(1)` and tricks an authenticated victim into clicking it [ref_id=1]. The victim must be already logged in; the payload does not execute for unauthenticated users because a `safeRedirectPath` sanitization function is applied in that case [ref_id=1]. When the victim opens the link, the `getServerSideProps` function extracts the `redirect` parameter from the URL and passes it as `redirectPath` to the `SignIn` component, which then calls `router.replace(redirectPath)`, triggering the XSS [ref_id=1]. The attack is performed remotely over the network with no privileges required, though user interaction (clicking the link) is needed [ref_id=1].
Affected code
The vulnerable code is in `frontend/src/pages/auth/signIn.tsx` [ref_id=1]. The `getServerSideProps` function reads `context.query.redirect` and passes it as `redirectPath` to the `SignIn` component [ref_id=1]. The `SignIn` component then calls `router.replace(redirectPath ?? "/upload")` without sanitizing the value, allowing `javascript:` protocol URIs to execute [ref_id=1].
What the fix does
No patch has been published by the vendor; the report notes the vendor did not respond [ref_id=1]. The remediation recommended by the researcher is to apply the `safeRedirectPath` sanitization function on the `redirectPath` variable before passing it to `router.replace()` [ref_id=1]. This would block dangerous protocols such as `javascript:` and prevent the DOM XSS.
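The workaround in the Mitigation section and the researcher's recommended fix both come down to one check: never let the raw `redirect` query value reach `router.replace()`. The example below is added here and is not Pingvin Share's code; in particular it does not reproduce the project's own `safeRedirectPath`, whose body is not on this page. It models the unsafe pass-through the page describes (`router.replace(redirectPath ?? "/upload")`) beside an allowlist-style validator that only accepts an absolute path on the current origin. The function names `safeRedirectPath`, `vulnerableRedirectTarget` and `hardenedRedirectTarget`, the `ParsedQuery` type (modelled on the shape of a Next.js `context.query`) and the rejection policy are this example's own assumptions.

```typescript
// Added example, not Pingvin Share's code. The names and policy below are assumptions.

// Shape of a Next.js `context.query`: a parameter may be absent, a string, or repeated.
type ParsedQuery = { [key: string]: string | string[] | undefined };

// Fallback the vulnerable page uses: router.replace(redirectPath ?? "/upload").
const DEFAULT_REDIRECT = "/upload";

// Resolve `input` against `origin`; null if the WHATWG URL parser rejects it.
function parseOnOrigin(input: string, origin: string): URL | null {
  try {
    return new URL(input, origin);
  } catch (_err) {
    return null;
  }
}

// Accept only an absolute path on the current origin ("/share/abc?x=1#y").
// Anything else (a scheme such as javascript:, protocol-relative //host,
// backslash variants, whitespace or control-character tricks, non-string
// values) falls back to `fallback`, which is a fixed same-origin path.
function safeRedirectPath(input: unknown, fallback: string = DEFAULT_REDIRECT): string {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) {
    return fallback;
  }
  // Browsers strip tabs and newlines inside URLs, so "java\tscript:" would still
  // run as javascript:; refuse whitespace and control characters outright.
  if (/[\u0000-\u001F\u007F\s]/.test(input)) {
    return fallback;
  }
  // Exactly one leading "/": "//host" is protocol-relative and "/\host" is parsed
  // as an authority by browsers (backslash is treated as slash for http(s)).
  if (input.charAt(0) !== "/" || input.charAt(1) === "/" || input.charAt(1) === "\\") {
    return fallback;
  }
  // Defence in depth: resolve against a placeholder origin and require the result
  // to stay on it; then re-emit only path, query and fragment (never a host).
  const placeholderOrigin = "https://placeholder.invalid";
  const parsed = parseOnOrigin(input, placeholderOrigin);
  if (parsed === null || parsed.origin !== placeholderOrigin) {
    return fallback;
  }
  return parsed.pathname + parsed.search + parsed.hash;
}

// What the vulnerable page does: the raw query value becomes the router.replace() target.
function vulnerableRedirectTarget(query: ParsedQuery): string {
  const redirect = query.redirect;
  const redirectPath = typeof redirect === "string" ? redirect : undefined;
  return redirectPath !== undefined ? redirectPath : DEFAULT_REDIRECT;
}

// Hardened variant: validate in getServerSideProps before the value reaches the client,
// so the logged-in branch can only ever navigate to a same-origin path.
function hardenedRedirectTarget(query: ParsedQuery): string {
  return safeRedirectPath(query.redirect);
}
```

The validator rejects by shape rather than by denylisting `javascript:`, so `data:`, `vbscript:`, `http://evil.example` and `//evil.example` are all refused by the same rule, and the re-serialisation through `URL` means the returned string can never carry a host even if a future parser quirk slipped past the prefix checks. Applying it server-side in `getServerSideProps` (rather than only in the client `useEffect`) also keeps the unsafe value out of the page props entirely.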
Preconditions
- auth: The victim must be already logged into Pingvin Share; the payload does not execute for unauthenticated users.
- input: The attacker must craft a URL with a `redirect` parameter containing a `javascript:` protocol payload.
- network: The victim must be able to reach the Pingvin Share host over the network.
Reproduction
1. Ensure you are logged into a Pingvin Share instance.
2. Craft a URL: `https://HOST/auth/signIn?redirect=javascript:alert(document.cookie)`.
3. Open the crafted URL in a browser where the user is already authenticated.
4. Observe that the JavaScript executes (e.g., an alert box showing cookies) [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.