CVE-2026-9519

MEDIUM

stonith404 pingvin-share Sign-in Auto-Redirect signIn.tsx getServerSideProps cross site scripting

Title source: cna

Description

A security flaw has been discovered in stonith404 pingvin-share up to 1.13.0. This affects the function getServerSideProps of the file frontend/src/pages/auth/signIn.tsx of the component Sign-in Auto-Redirect. The manipulation of the argument redirect results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-365539 | stonith404 pingvin-share Sign-in Auto-Redirect signIn.tsx getServerSideProps cross site scripting

https://vuldb.com/vuln/365539

Signature, Permissions Required signature permissions-required

VDB-365539 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/365539/cti

Third Party Advisory third-party-advisory

Submit #814364 | stonith404 pingvin-share 1.13.0 DOM-Based XSS, Open Redirect

https://vuldb.com/submit/814364

Exploit exploit

https://gist.github.com/TrebledJ/0efceef4f3a2e0515cc2fe96b4c22679

Scores

CVSS v3 4.3

EPSS 0.0034

EPSS Percentile 25.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (14)

stonith404/pingvin-share 1.0

stonith404/pingvin-share 1.1

stonith404/pingvin-share 1.10

stonith404/pingvin-share 1.11

stonith404/pingvin-share 1.12

stonith404/pingvin-share 1.13.0

stonith404/pingvin-share 1.2

stonith404/pingvin-share 1.3

stonith404/pingvin-share 1.4

stonith404/pingvin-share 1.5

... and 4 more

Published May 26, 2026

Tracked Since May 26, 2026