CVE-2026-33284 PUBLISHED

GlobalLeaks has insufficient URL validation in user support API

Assigner: GitHub_M
Reserved: 18.03.2026 Published: 27.03.2026 Updated: 27.03.2026

GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
CVSS Score: 1.2

Product Status

Vendor globaleaks
Product globaleaks-whistleblowing-software
Versions
  • Version < 5.0.89 is affected

References

Problem Types

  • CWE-20: Improper Input Validation CWE