CVE-2026-25477

MEDIUM

AFFiNE <0.26.0 - Open Redirect

Title source: llm

Description

AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to bypass the whitelist by using malicious domains that end with a trusted string. This issue has been patched in version 0.26.0.

References (1)

[Vendor Advisory] https://github.com/toeverything/AFFiNE/security/advisories/GHSA-wx9m-v7wq-g289

Scores

CVSS v3 6.1

EPSS 0.0003

EPSS Percentile 9.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (1)

affine/affine < 0.26.0

Published Mar 02, 2026

Tracked Since Mar 03, 2026