CVE-2026-9519
Deferred Deferred - Pending Action
Stored XSS in Pingvin Share Auth Redirect

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulDB

Description
A security flaw has been discovered in stonith404 pingvin-share up to 1.13.0. This affects the function getServerSideProps of the file frontend/src/pages/auth/signIn.tsx of the component Sign-in Auto-Redirect. The manipulation of the argument redirect results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-9519
EUVD
EUVD-2026-31778
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
stonith404 pingvin_share to 1.13.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to execute arbitrary JavaScript code in the victim's browser after login, potentially leading to session hijacking, credential theft, or unauthorized actions.

Such security flaws can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access to personal or sensitive data, violating data protection and privacy requirements.

Failure to address this vulnerability could result in breaches of confidentiality and integrity of user data, which are critical compliance aspects under these regulations.

Executive Summary

This vulnerability is a DOM-based Cross-Site Scripting (XSS) issue found in the sign-in auto-redirect functionality of Pingvin Share. It occurs because the application improperly trusts and uses a URL parameter named "redirect" without sanitization. An attacker can craft a malicious link with a JavaScript payload in this redirect parameter. When a victim, who is already authenticated, clicks this link and logs in, the malicious script executes in their browser.

The root cause is that the application does not sanitize the redirect parameter before performing a client-side redirect, allowing execution of JavaScript via the "javascript:" protocol.

Impact Analysis

Exploitation of this vulnerability can lead to serious security impacts such as session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user.

Since the attack requires the victim to be authenticated, it targets logged-in users and can compromise their accounts by executing arbitrary code in their browsers.

Detection Guidance

This vulnerability can be detected by monitoring for usage of the "redirect" URL parameter in the sign-in process of Pingvin Share, specifically in the sign-in auto-redirect functionality. Look for URLs containing the "redirect" parameter with suspicious or JavaScript payloads such as those starting with "javascript:".

You can use web server logs or proxy logs to search for requests containing the redirect parameter with potentially malicious content.

  • Example command to search web server logs for suspicious redirect parameters (Linux):
  • grep -i 'redirect=javascript:' /var/log/nginx/access.log
  • Or to find any redirect parameters in logs:
  • grep -i 'redirect=' /var/log/nginx/access.log

Additionally, manual testing can be performed by attempting to access the sign-in page with a crafted URL containing a JavaScript payload in the redirect parameter to see if the payload executes after login.

Mitigation Strategies

Immediate mitigation steps include sanitizing the "redirect" parameter before it is used in the client-side redirect to prevent execution of JavaScript payloads.

If you have access to the source code, apply a safe redirect function that validates and restricts the redirect parameter to only allow safe URLs or relative paths.

Until a patch is available, consider implementing web application firewall (WAF) rules to block requests containing suspicious redirect parameters, especially those starting with "javascript:".

Also, educate users to be cautious about clicking on suspicious links containing redirect parameters.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9519. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart