CVE-2026-9519 stonith404 CVE debrief

Who should care

Organizations self-hosting Pingvin Share instances for internal or external file sharing; security teams monitoring open-source application vulnerabilities; developers implementing authentication flows with redirect parameters

Technical summary

The vulnerability is a reflected XSS in the sign-in auto-redirect functionality of Pingvin Share, an open-source file sharing platform. The `getServerSideProps` Next.js function in `frontend/src/pages/auth/signIn.tsx` reflects the `redirect` query parameter into the page without proper output encoding or validation. This allows injection of arbitrary JavaScript that executes in the context of the victim's session. The attack is delivered via a crafted URL and requires the victim to visit the malicious link. The CVSS 4.0 score of 2.1 (LOW) reflects the user interaction requirement and limited integrity impact, though session hijacking or credential theft remains possible depending on application context.

Defensive priority

P3

Recommended defensive actions

• Review and sanitize all user-supplied redirect parameters in authentication flows using allowlist-based validation
• Implement Content Security Policy (CSP) headers to mitigate impact of XSS vulnerabilities
• Upgrade to Pingvin Share version 1.13.1 or later when available, or apply vendor-provided patches
• Monitor authentication endpoints for anomalous redirect parameter patterns in web application logs
• Consider implementing additional redirect validation that ensures destinations match expected application domains

Evidence notes

Vulnerability confirmed via Vuldb entry and associated Gist reference. CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and user interaction required. CWE-79 (XSS) and CWE-94 (Code Injection) classifications applied by CNA.

Official resources