Platform
javascript
Component
rallly
Fixed in
4.7.1
4.7.2
4.7.3
4.7.4
4.8.0
CVE-2026-6493 is a cross-site scripting (XSS) vulnerability in rallly versions 4.7.0 through 4.8.0. The flaw is in the Reset Password Handler component, which does not safely handle the 'redirectTo' argument. Successful exploitation lets an attacker run attacker-controlled script in a victim's browser within the application's origin, compromising user data and session integrity. A fix is available in version 4.8.0.
An attacker who can induce a user to open a URL carrying a malicious 'redirectTo' value can execute arbitrary JavaScript in that user's browser session. That permits theft of session cookies not marked HttpOnly, of authentication tokens reachable from script, and of personally identifiable information (PII) rendered in the page. The attacker can also send the user on to an attacker-controlled site, deface the application, or perform actions as the user without their knowledge. Because the exploit is public, the risk of exploitation is elevated for any deployment still running a vulnerable version of rallly.
A public exploit exists for CVE-2026-6493, which increases the likelihood of exploitation. The vulnerability is rated LOW severity under CVSS. It was published on 2026-04-17. It is not listed in CISA's KEV catalog and no active exploitation campaigns are currently known.
Exploit Status
EPSS
0.01% (2% percentile)
The primary mitigation for CVE-2026-6493 is to upgrade rallly to version 4.8.0 or later, which contains the fix. If upgrading immediately is not feasible, restrict the 'redirectTo' parameter to values the application is willing to navigate to: accept only same-origin relative paths and reject anything carrying a scheme (such as javascript: or data:), a protocol-relative prefix (//), or a foreign host. HTML-escaping alone is not sufficient for a value that is used as a URL. A web application firewall (WAF) configured to block XSS payloads adds a layer of protection but is a stopgap that can be bypassed, not a fix. After upgrading, confirm the fix by submitting a javascript: URL and a <script> payload in the 'redirectTo' parameter and verifying that the application rejects or neutralises them rather than following or rendering them.
Update rallly to version 4.8.0 or higher to mitigate the Cross-Site Scripting (XSS) vulnerability in the Reset Password Handler component. The update corrects the unsafe handling of the 'redirectTo' argument that allows malicious code to execute. Refer to the project documentation for detailed instructions on how to update.
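As an added example (not rallly's code and not taken from the fix), the following JavaScript shows an allowlisting validator for a 'redirectTo'-style parameter next to the pattern that makes such a parameter dangerous. The page does not say how the Reset Password Handler consumes the argument; the example assumes the common case in which the value becomes a navigation target, where a `javascript:` URL executes as script and an absolute URL becomes an open redirect. The function names, the app origin and the probe inputs are constructed for illustration.

```javascript
// Added example (not rallly's code): hardening a post-reset redirect parameter.
// Assumption: the handler reads `redirectTo` from the request and navigates the
// browser there after a successful reset. If that value reaches a navigation
// sink unchecked, a `javascript:` URL runs script in the app's origin (XSS)
// and an absolute URL sends the user to an attacker-controlled site.

// Vulnerable pattern, for contrast: the parameter is trusted as-is and would be
// handed straight to something like window.location.assign(...).
function unsafeRedirectTarget(redirectTo) {
  return redirectTo;
}

// Hardened: accept only same-origin http(s) targets and return them as a
// relative path, so the result can never carry a scheme or a foreign host.
function safeRedirectTarget(redirectTo, appOrigin, fallback = "/") {
  if (typeof redirectTo !== "string" || redirectTo.trim() === "") {
    return fallback;
  }
  let target;
  try {
    // Resolving against appOrigin turns relative paths into absolute URLs and
    // normalises tricks such as "/\evil.example", "JaVaScRiPt:" and "java\tscript:".
    target = new URL(redirectTo, appOrigin);
  } catch {
    return fallback; // unparsable input
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return fallback; // javascript:, data:, vbscript:, ...
  }
  if (target.origin !== new URL(appOrigin).origin) {
    return fallback; // protocol-relative //evil.example or any foreign absolute URL
  }
  // Re-emit as a relative path: scheme and host are implied by the app origin.
  return target.pathname + target.search + target.hash;
}

// Constructed probe inputs an attacker might place in ?redirectTo=...
const APP_ORIGIN = "https://app.example";
const PROBES = [
  "/polls/abc123?tab=votes",                     // legitimate relative path
  "https://app.example/login#done",              // legitimate, same origin
  "javascript:alert(document.cookie)",           // XSS through the navigation sink
  "JaVaScRiPt:alert(1)",                         // scheme case games
  " java\tscript:alert(1)",                      // parser strips space and tab
  "data:text/html,<script>alert(1)</script>",    // non-http scheme
  "//evil.example/phish",                        // protocol-relative open redirect
  "/\\evil.example/phish",                       // backslash treated as slash
  "https://app.example@evil.example/phish",      // userinfo confusion
  "https://evil.example/phish",                  // plain foreign URL
  "",                                            // missing value
];

// Map each probe to what the hardened validator would actually navigate to.
function runProbes() {
  return Object.fromEntries(
    PROBES.map((p) => [p, safeRedirectTarget(p, APP_ORIGIN)])
  );
}

console.table(runProbes());
```

Only the two legitimate probes survive as "/polls/abc123?tab=votes" and "/login#done"; every other input collapses to the "/" fallback. Returning a relative path rather than the parsed absolute URL is deliberate: even if a later refactor changes how the value is consumed, the string can no longer name a scheme or a host.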
CVE-2026-6493 is a cross-site scripting vulnerability in rallly versions 4.7.0 through 4.8.0 that allows attackers to inject malicious scripts via the 'redirectTo' parameter of the Reset Password Handler.
If you are running rallly versions 4.7.0 through 4.8.0, you are potentially affected. Upgrade to 4.8.0 to mitigate the risk.
Upgrade rallly to version 4.8.0 or later. As an interim measure, restrict the 'redirectTo' parameter to same-origin relative paths and reject values carrying a scheme or a foreign host.
While no active campaigns are currently known, the exploit is public, increasing the risk of exploitation.
Refer to the vendor's communication regarding this disclosure for the official advisory.