PatchSiren

cinnyapp CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH cinnyapp CVE published 2026-05-27

CVE-2026-42553

## Summary

A remote authenticated attacker with room emote creation permissions can steal Matrix access tokens from Cinny client users. The attack requires the victim to open the emoji/sticker picker in a room containing a malicious emote pack. The vulnerability stems from two flaws: (1) improper validation of `pack.meta.avatar` URLs in `EmojiBoard`, allowing arbitrary HTTP(S) URLs instead of restricted M [truncated]