CVE-2026-12811

Summary

A weakness has been identified in kortix-ai suna up to 0.8.38. Affected by this issue is the function router.replace/router.push of the file apps/frontend/src/app/auth/page.tsx of the component Auth Endpoint. Executing a manipulation of the argument returnURL can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 0.8.39 can resolve this issue. This patch is called f5dec7aa0c1b8fa0125938f292c0f2430ca75f6c. It is advisable to upgrade the affected component. The researcher explains: "The issue was fixed in v0.8.39 without notifying the wider user base via a security disclosure."

Affected Software

VendorProductVersion RangeStatus
kortix-aisuna0.8.0affected
kortix-aisuna0.8.1affected
kortix-aisuna0.8.2affected
kortix-aisuna0.8.3affected
kortix-aisuna0.8.4affected
kortix-aisuna0.8.5affected
kortix-aisuna0.8.6affected
kortix-aisuna0.8.7affected
kortix-aisuna0.8.8affected
kortix-aisuna0.8.9affected
kortix-aisuna0.8.10affected
kortix-aisuna0.8.11affected
kortix-aisuna0.8.12affected
kortix-aisuna0.8.13affected
kortix-aisuna0.8.14affected
kortix-aisuna0.8.15affected
kortix-aisuna0.8.16affected
kortix-aisuna0.8.17affected
kortix-aisuna0.8.18affected
kortix-aisuna0.8.19affected
kortix-aisuna0.8.20affected
kortix-aisuna0.8.21affected
kortix-aisuna0.8.22affected
kortix-aisuna0.8.23affected
kortix-aisuna0.8.24affected
kortix-aisuna0.8.25affected
kortix-aisuna0.8.26affected
kortix-aisuna0.8.27affected
kortix-aisuna0.8.28affected
kortix-aisuna0.8.29affected
kortix-aisuna0.8.30affected
kortix-aisuna0.8.31affected
kortix-aisuna0.8.32affected
kortix-aisuna0.8.33affected
kortix-aisuna0.8.34affected
kortix-aisuna0.8.35affected
kortix-aisuna0.8.36affected
kortix-aisuna0.8.37affected
kortix-aisuna0.8.38affected
kortix-aisuna0.8.39unaffected

Weaknesses

  • CWE-79: Cross Site Scripting
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References