CVE-2026-40255

216.73.216.226

· Published 16/04/2026 23:16 · Modified 17/04/2026 15:38

Labels: CVE-2026-40255 2026-04-16 CVE-2026-40255 CWE-601 [email protected]

Essential information

Published: 16/04/2026 23:16
Modified: 17/04/2026 15:38
Author: —
Creator: —
CVSS: 6.1 MEDIUM (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS metrics

Description

AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
adonisjs / http server	`cpe:2.3:a:adonisjs:http_server:<7.8.1:::::::*`
adonisjs / core	`cpe:2.3:a:adonisjs:core:<7.4.0:::::::*`