CVE-2026-2709

LOW

Busy up to 2.5.5 - Open Redirect

Title source: llm

Description

A flaw has been found in busy up to 2.5.5. The affected element is an unknown function of the file source-code/busy-master/src/server/app.js of the component Callback Handler. Executing a manipulation of the argument state can lead to open redirect. It is possible to launch the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References (5)

[Permissions Required, VDB Entry] https://vuldb.com/?id.346661

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.346661

[Permissions Required, VDB Entry] https://vuldb.com/?submit.753299

[Issue Tracking] https://github.com/busyorg/busy/issues/2287

[Issue Tracking] https://github.com/busyorg/busy/issues/2287#issue-3905518966

Scores

CVSS v3 3.5

EPSS 0.0001

EPSS Percentile 1.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Published Feb 19, 2026

Tracked Since Feb 19, 2026