CVE-2026-11436

MEDIUM

Mage AI Sign-in Flow index.tsx useMutation cross site scripting

Title source: cna

Description

A vulnerability was detected in Mage AI up to 0.9.79. This impacts the function useMutation of the file mage_ai/frontend/components/Sessions/SignForm/index.tsx of the component Sign-in Flow. Performing a manipulation of the argument query.redirect_url results in cross site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (5)

Core 5

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-369016 | Mage AI Sign-in Flow index.tsx useMutation cross site scripting

https://vuldb.com/vuln/369016

Signature, Permissions Required signature permissions-required

VDB-369016 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/369016/cti

Third Party Advisory third-party-advisory

CVE-2026-11436 | CVE Analysis and Report

https://vuldb.com/cve/CVE-2026-11436

Third Party Advisory third-party-advisory

Submit #822710 | Mage AI 0.9.79 DOM-Based XSS, Open Redirect

https://vuldb.com/submit/822710

Exploit exploit

https://gist.github.com/TrebledJ/8af312cf797391ef7b50b94bb244333a

Scores

CVSS v3 4.3

EPSS 0.0042

EPSS Percentile 33.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (50)

None/Mage AI 0.9.0

None/Mage AI 0.9.1

None/Mage AI 0.9.10

None/Mage AI 0.9.11

None/Mage AI 0.9.12

None/Mage AI 0.9.13

None/Mage AI 0.9.14

None/Mage AI 0.9.15

None/Mage AI 0.9.16

None/Mage AI 0.9.17

... and 40 more

Published Jun 06, 2026

Tracked Since Jun 06, 2026