| Title | Kortix AI Suna < 0.8.39 DOM-XSS, Open Redirect |
|---|
| Description | A DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Kortix AI Suna's /auth and /auth/password pages. The application improperly trusts a URL parameter (returnUrl), which is passed to router.replace and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to session hijacking, credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim.
---
Note to moderator: The issue was fixed in v0.8.39 without notifying the wider user base via a security disclosure. It is reasonable that users self-hosting the product are unaware of the vulnerability. I have attempted to reach out to the vendor regarding a GitHub security advisory, but they have not responded after a month.
- CVD: https://gist.github.com/TrebledJ/fe7241910ac0aaeff86243fc88e9ffed
- Release v0.8.39: https://github.com/kortix-ai/suna/releases/tag/v0.8.39
- Git Commit: https://github.com/kortix-ai/suna/commit/f5dec7aa0c1b8fa0125938f292c0f2430ca75f6c
- Vendor: https://github.com/kortix-ai
- Product: https://github.com/kortix-ai/suna
Similar entries are VDB-365540, VDB-365539, VDB-356245, and VDB-358037 |
|---|
| Source | ⚠️ https://gist.github.com/TrebledJ/fe7241910ac0aaeff86243fc88e9ffed |
|---|
| User | trebledj (UID 94356) |
|---|
| Submission | 05/26/2026 11:09 (28 days ago) |
|---|
| Moderation | 06/21/2026 06:35 (26 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 372605 [kortix-ai suna up to 0.8.38 Auth Endpoint page.tsx router.replace/router.push returnURL cross site scripting] |
|---|
| Points | 20 |
|---|