CVE-2026-25477
MEDIUMaffine < 0.26.0 - Open Redirect via Improperly Anchored Regular Expression
Title source: llmDescription
AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to bypass the whitelist by using malicious domains that end with a trusted string. This issue has been patched in version 0.26.0.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/toeverything/AFFiNE/security/advisories/GHSA-wx9m-v7wq-g289
Scores
CVSS v3
6.1
EPSS
0.0016
EPSS Percentile
5.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-601
Status
published
Products (1)
affine/affine
< 0.26.0
Published
Mar 02, 2026
Tracked Since
Mar 03, 2026