PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12811 kortix-ai CVE debrief

kortix-ai suna up to and including version 0.8.38 is vulnerable to cross-site scripting in the Auth Endpoint. The returnURL value is passed to router.replace/router.push without validation, so an attacker-controlled value can be used to execute script in a victim's browser under the application's origin. Upgrading to version 0.8.39 resolves the issue. The CVSS 4.0 base score is 2.1 (Low): the upgrade belongs in the routine patch cycle rather than in emergency response, but it should be scheduled, not ignored.

Vendor
kortix-ai
Product
suna
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-21
Original CVE updated
2026-06-21
Advisory published
2026-06-21
Advisory updated
2026-06-21

Who should care

Anyone operating a kortix-ai suna deployment at version 0.8.38 or earlier, particularly one whose auth page is reachable by untrusted users. This is a link-driven cross-site scripting bug: a victim has to be brought to an attacker-crafted URL (the vector records a user-interaction requirement, UI:P), after which script runs in the victim's browser under the application's origin and can act with that user's session. The low score reflects the interaction requirement and the limited integrity impact recorded in the vector, not an absence of risk.

Technical summary

The vulnerable sink is the router.replace/router.push call in apps/frontend/src/app/auth/page.tsx (the Auth Endpoint). The returnURL argument is taken from the request and handed to the client-side router without validation, so an attacker can supply a value the router will navigate to; that is the path to script execution in the victim's browser. The page does not state which inputs the patched code accepts; for this bug class the usual root cause is a post-login redirect target that is not restricted to a same-origin path. The issue was fixed in version 0.8.39 with commit f5dec7aa0c1b8fa0125938f292c0f2430ca75f6c. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, which records a network attack vector, no privileges required, required user interaction, low integrity impact only, and proof-of-concept exploit maturity (E:P).
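The following TypeScript is an added example and not code from kortix-ai suna or from the fix commit. It shows the unsafe pattern the advisory describes (a returnURL query value handed straight to router.replace) next to a validator that admits only same-origin absolute paths, and it covers the inputs that typically slip past naive checks: javascript: and data: schemes, protocol-relative //host values, backslash variants, and tab characters that browsers strip before parsing. The query parameter name returnUrl, the fallback /dashboard, the placeholder origin and the recording router stub are all assumptions made for the example.

```typescript
// Added example (not kortix-ai suna code). Demonstrates the unsafe
// returnURL -> router.replace() pattern and a hardened replacement.
// Assumptions: query parameter "returnUrl", fallback "/dashboard",
// placeholder origin "https://app.invalid".

// Minimal stand-in for Next.js's router: it only records the target it
// was asked to navigate to. In a browser, a "javascript:" target is
// where the injected script would execute.
interface RouterLike {
  targets: string[];
  replace(url: string): void;
}

function makeRecordingRouter(): RouterLike {
  const targets: string[] = [];
  return {
    targets,
    replace(url: string) {
      targets.push(url);
    },
  };
}

// Vulnerable pattern: whatever arrives in ?returnUrl= is navigated to verbatim.
function vulnerableRedirect(router: RouterLike, search: string): string {
  const target = new URLSearchParams(search).get("returnUrl") ?? "/dashboard";
  router.replace(target);
  return target;
}

// URL parsing that reports failure instead of throwing.
function tryParse(raw: string, base: string): URL | null {
  try {
    return new URL(raw, base);
  } catch {
    return null;
  }
}

// Hardened validator: returns a normalized in-app path or the fallback.
function safeReturnPath(raw: string | null | undefined, fallback = "/dashboard"): string {
  if (!raw) return fallback;
  // Require an absolute path with a single leading slash. This rejects
  // "//evil.example" (protocol-relative) and "/\evil.example" (browsers
  // treat the backslash as a slash) before any parsing happens.
  if (!/^\/(?![\/\\])/.test(raw)) return fallback;
  // The prefix check alone is not enough: the WHATWG URL parser removes
  // tabs and newlines, so "/\t/evil.example" becomes "//evil.example".
  // Resolving against a fixed origin and comparing origins catches that.
  const base = "https://app.invalid";
  const parsed = tryParse(raw, base);
  if (!parsed || parsed.origin !== base) return fallback;
  // Return the parser-normalized form rather than the raw string so that
  // nothing the parser would reinterpret survives into router.replace().
  return parsed.pathname + parsed.search + parsed.hash;
}

// Same flow as vulnerableRedirect, with the validator in front of the sink.
function safeRedirect(router: RouterLike, search: string): string {
  const target = safeReturnPath(new URLSearchParams(search).get("returnUrl"));
  router.replace(target);
  return target;
}
```

The two-stage check is deliberate: the regex alone misses tab-stripping, and the origin comparison alone would accept bare relative strings like dashboard that the app does not expect; together they reduce the accepted input to an absolute, same-origin path, which is the only thing a post-login redirect needs.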

Defensive priority

Low. The CVSS 4.0 score of 2.1 and the user-interaction requirement put this in the routine patch cycle rather than emergency response. Schedule the upgrade to 0.8.39, and move it earlier if the auth page is exposed to untrusted users or the deployment handles sensitive sessions.

Recommended defensive actions

  • Upgrade kortix-ai suna to version 0.8.39 or later. If you build the frontend from source or maintain a fork, confirm the build includes commit f5dec7aa0c1b8fa0125938f292c0f2430ca75f6c rather than relying on a version string alone.
  • Until patched, a typical compensating control for this bug class is to reject or strip, at a reverse proxy or WAF in front of the auth page, any returnURL value that is not a relative path beginning with a single slash.
  • Verify the patch after deployment: check the running version, and check that no vendored or forked copy of apps/frontend/src/app/auth/page.tsx still carries the unvalidated router.replace/router.push call.
  • Review web and proxy logs for requests to the auth route whose returnURL carries a scheme (for example javascript: or data:) or a protocol-relative //host prefix; these are the indicators this bug class produces.
  • Keep a record of hosts that cannot be upgraded yet, with the compensating control applied and a date for revisiting them.

Evidence notes

The primary evidence for this vulnerability is the CVE record and the NVD detail page. The affected product is kortix-ai suna up to and including version 0.8.38; the fix is version 0.8.39. No CISA KEV listing appears in the stored evidence. Defenders should confirm the installed version and the code path named above rather than assume a deployment is unaffected, and should use the CVSS score and vector recorded here to assess their own exposure.

Official resources

This article is AI-assisted and based on the supplied source corpus.