LOW
kortix-ai
CVE published 2026-06-21
CVE-2026-12811
A weakness in kortix-ai suna up to 0.8.38 allows for cross-site scripting via the Auth Endpoint. The issue is caused by manipulation of the returnURL argument in the router.replace/router.push function. Upgrading to version 0.8.39 resolves this issue. This vulnerability has a low CVSS score of 2.1. Defenders should prioritize patching affected systems.
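One way to constrain a returnURL value before it reaches router.replace/router.push is shown below. This is an added example, not the suna 0.8.39 patch or any code from the project; the names safeReturnPath, FALLBACK and PARSE_BASE are hypothetical, and it assumes the application only ever needs to return users to same-origin paths.

```javascript
// Added example (not project code): allow only same-origin, rooted paths as
// post-login return targets. All names here are hypothetical.
const FALLBACK = "/";
// Placeholder origin used only to resolve the candidate; never navigated to.
const PARSE_BASE = "https://app.invalid";

function safeReturnPath(raw, fallback = FALLBACK) {
  // Missing, non-string or oversized values fall back to a fixed route.
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return fallback;
  }
  // Browsers strip tab/CR/LF from URLs and treat "\" like "/", so reject
  // control characters and backslashes before any structural check.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return fallback;
  // Exactly one leading slash: excludes scheme URLs such as "javascript:"
  // and protocol-relative targets such as "//host".
  if (!raw.startsWith("/") || raw.startsWith("//")) return fallback;

  let parsed;
  try {
    parsed = new URL(raw, PARSE_BASE);
  } catch {
    return fallback;
  }
  // Defence in depth: the resolved URL must stay on the parsing origin.
  if (parsed.origin !== PARSE_BASE) return fallback;
  // Rebuild from parsed components so the router gets a normalized path.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs, as they would look after query-string decoding.
const SAMPLES = [
  "/dashboard?tab=1#x",
  "javascript:alert(1)",
  "//evil.example/x",
  "/\\evil.example",
  "https://evil.example/",
  "/a/../b",
];

function checkSamples() {
  return SAMPLES.map((s) => [s, safeReturnPath(s)]);
}

for (const [input, out] of checkSamples()) {
  console.log(JSON.stringify(input), "->", out);
}
```

The call site would then pass safeReturnPath(returnURL) to the router instead of the raw parameter.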