CVE-2026-11477
MEDIUM
hs-web hsweb-framework OAuth2 Client OAuth2Client.java OAuth2Client redirect
Title source: cna
Description
A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as c2882679a9125cea52678151af5ae213cbd52579. Applying a patch is advised to resolve this issue.
References (8)
Core References
Vdb Entry, Technical Description (vdb-entry, technical-description)
VDB-369097 | hs-web hsweb-framework OAuth2 Client OAuth2Client.java OAuth2Client redirect
https://vuldb.com/vuln/369097
Signature, Permissions Required (signature, permissions-required)
VDB-369097 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/369097/cti
Third Party Advisory (third-party-advisory)
CVE-2026-11477 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11477
Third Party Advisory (third-party-advisory)
Submit #833962 | GitHub hsweb-framework 5.0.0 Open Redirect
https://vuldb.com/submit/833962
Exploit (exploit, issue-tracking)
https://github.com/hs-web/hsweb-framework/issues/354
Patch (issue-tracking, patch)
https://github.com/hs-web/hsweb-framework/pull/355
Patch (patch)
https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579
Product (product)
https://github.com/hs-web/hsweb-framework/
Scores
CVSS v3: 4.3
EPSS: 0.0030
EPSS Percentile: 21.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-601
Status: published
Products (2)
hs-web/hsweb-framework 5.0.0
hs-web/hsweb-framework 5.0.1
Published: Jun 08, 2026
Tracked Since: Jun 08, 2026