PatchSiren cyber security CVE debrief
CVE-2026-11477 hs-web CVE debrief
A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used.
- Vendor: hs-web
- Product: hsweb-framework
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of hs-web hsweb-framework up to 5.0.1
Technical summary
The vulnerability is an open redirect in the OAuth2Client function of hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java, part of the OAuth2 Client component. The attack can be executed remotely, and the exploit is public. The CVSS score is 2.1, which indicates low severity.
Defensive priority
Low
Recommended defensive actions
- Apply the patch c2882679a9125cea52678151af5ae213cbd52579 to resolve this issue.
Evidence notes
The vulnerability was detected in hs-web hsweb-framework up to 5.0.1. The CVE was published on 2026-06-08T02:16:23.903Z and modified on 2026-06-08T14:57:14.757Z.
Official resources
Publicly disclosed