{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25477", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.820Z", "datePublished": "2026-03-02T19:14:05.003Z", "dateUpdated": "2026-03-02T20:30:32.614Z"}, "containers": {"cna": {"title": "AFFiNE: Open Redirect via Regex Bypass in redirect-proxy", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/toeverything/AFFiNE/security/advisories/GHSA-wx9m-v7wq-g289", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/toeverything/AFFiNE/security/advisories/GHSA-wx9m-v7wq-g289"}], "affected": [{"vendor": "toeverything", "product": "AFFiNE", "versions": [{"version": "< 0.26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T19:14:05.003Z"}, "descriptions": [{"lang": "en", "value": "AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to bypass the whitelist by using malicious domains that end with a trusted string. This issue has been patched in version 0.26.0."}], "source": {"advisory": "GHSA-wx9m-v7wq-g289", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T20:29:57.272805Z", "id": "CVE-2026-25477", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:30:32.614Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:affine:affine:*:*:*:*:-:*:*:*", "matchCriteriaId": "6BA71CFE-9304-4226-80A6-87C7B6CB89B6", "versionEndExcluding": "0.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to bypass the whitelist by using malicious domains that end with a trusted string. This issue has been patched in version 0.26.0."}, {"lang": "es", "value": "AFFiNE es un espacio de trabajo todo en uno de c\u00f3digo abierto y un sistema operativo. Antes de la versi\u00f3n 0.26.0, existe una vulnerabilidad de redirecci\u00f3n abierta ubicada en el endpoint /redirect-proxy. El fallo reside en la l\u00f3gica de validaci\u00f3n de dominio, donde una expresi\u00f3n regular anclada incorrectamente permite a un atacante eludir la lista blanca utilizando dominios maliciosos que terminan con una cadena de confianza. Este problema ha sido parcheado en la versi\u00f3n 0.26.0."}], "id": "CVE-2026-25477", "lastModified": "2026-04-10T14:28:39.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-02T20:16:26.407", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/toeverything/AFFiNE/security/advisories/GHSA-wx9m-v7wq-g289"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AFFiNE", "source": "cna", "vendor": "toeverything"}, "product": "affine", "vendor": "toeverything"}], "analysis": {"en": {"generated_at": "2026-04-16T14:18:09.569601+00:00", "value": {"mitigation_remediation": ["Upgrade AffiNE to version 0.26.0 or later to receive the patched Redirect\u2011Proxy logic.", "If upgrading is not immediately possible, disable or block access to the /redirect-proxy endpoint until a patch can be applied.", "Configure a Web Application Firewall or reverse proxy rule to reject URLs that attempt to bypass the whitelist by using suffix matching against trusted domains.", "Educate users to be wary of unexpected redirects, particularly from links that terminate in known company domains."], "summary": {"action": "Apply Patch", "impact": "Open Redirect via Regex Bypass"}, "threat_synthesis": {"affected_systems": "This issue affects the open-source workspace platform AffiNE from the toeverything vendor. Versions prior to 0.26.0 are vulnerable; the fix is included in 0.26.0 and later releases. Systems using the system\u2019s redirect-proxy feature are at risk.", "description_and_impact": "A flaw in the domain validation logic of the /redirect-proxy endpoint lets an attacker craft a URL that bypasses the whitelist by appending a malicious domain to a trusted suffix. The bypass occurs because the Regular Expression anchoring is insufficient, allowing the attacker to redirect users to arbitrary external sites. This can be exploited to facilitate phishing or drive traffic to malicious domains, compromising user trust and potentially enabling social engineering attacks. The weakness is classified as CWE\u2011601, an open redirect vulnerability.", "risk_and_exploitability": "The CVSS score of 6.9 reflects moderate severity. However, the EPSS score of less than 1% indicates that exploitation is currently unlikely, and the vulnerability is not listed in CISA\u2019s KEV catalog. The typical attack vector would be through a crafted URL, so users or attackers could supply malicious links that appear legitimate. While the risk to system integrity is low, the impact on user trust and potential for phishing remains significant."}}}}, "created": "2026-03-03T08:41:06.855277+00:00", "updated": "2026-04-16T14:30:16.126841+00:00", "vendors": ["toeverything", "toeverything$PRODUCT$affine"]}