Description

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3.

INFO

Published Date :

2026-03-20T22:39:19.422Z

Last Modified :

2026-03-24T18:07:25.007Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33209 vulnerability.

Vendors Products
Avo Hq
  • Avo
Avohq
  • Avo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33209.

URL Resource
https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d cve-icon cve-icon
https://github.com/avo-hq/avo/pull/4330 cve-icon cve-icon
https://github.com/avo-hq/avo/releases/tag/v3.30.3 cve-icon cve-icon
https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact