
CVE-2026-6493: XSS Vulnerability in lukevella rallly Affects Password Reset Functionality

Severity: Medium (Score: 45.9)

Sources: Feedly, exploit-intel.com

Summary

A cross-site scripting (XSS) vulnerability, identified as CVE-2026-6493, has been discovered in lukevella rallly versions up to 4.7.4. The flaw resides in the Reset Password Handler component, specifically in the reset-password-form.tsx file, where the redirectTo parameter can be manipulated. This vulnerability allows authenticated attackers with low privileges to execute reflected XSS attacks, potentially compromising user data integrity. Although no public proof-of-concept exploits or active exploitation have been reported, the threat remains significant due to the availability of a published exploit. A patch has been released in version 4.8.0, and users are urged to upgrade immediately. Interim measures include implementing Content Security Policy (CSP) headers and monitoring authentication logs for suspicious activities. The CVSS score for this vulnerability is 5.1, indicating a moderate severity level. Organizations using affected versions should prioritize patching to mitigate risks.

Key Points:

• CVE-2026-6493 is an XSS vulnerability in lukevella rallly versions up to 4.7.4.
• Authenticated attackers can exploit this flaw via the redirectTo parameter in password resets.
• A patch is available in version 4.8.0, and immediate upgrades are recommended.
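The advisory names the redirectTo parameter of the password-reset form as the injection point and recommends log monitoring as an interim measure. The following is an added illustration written for this page, not rallly's own code and not the 4.8.0 fix: it shows the two defensive controls a reviewer would want around such a parameter, an allow-list validator that accepts only same-origin, path-relative targets before the value is reflected into markup, and a small detector that applies the same validator to constructed authentication log lines. The application origin, the fallback path, the function names and the log format are all assumptions made for the example.

```typescript
// Added example, not part of the rallly project. Validates a post-reset
// "redirectTo" value and flags log entries whose value fails validation.

const DEFAULT_REDIRECT = "/";                 // assumed fallback path
const APP_ORIGIN = "https://app.example";     // assumed application origin

// Return the normalized same-origin path for an acceptable value, or null
// when the value must be rejected. Only "/path?query#hash" is accepted:
// absolute URLs, protocol-relative "//host", "/\host" and any scheme
// such as "javascript:" are all rejected.
function validateRedirectTo(raw: string | null | undefined, origin = APP_ORIGIN): string | null {
  if (!raw) return null;
  // Control characters or whitespace can break out of a URL or attribute context.
  if (/[\u0000-\u001f\u007f\s]/.test(raw)) return null;
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) return null;
  let parsed: URL | null = null;
  try {
    parsed = new URL(raw, origin);
  } catch {
    return null;
  }
  if (parsed.origin !== origin) return null;
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  // Hand back the re-serialized components, never the raw string.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Convenience wrapper: rejected values fall back to a fixed safe path.
function safeRedirectTo(raw: string | null | undefined, origin = APP_ORIGIN): string {
  return validateRedirectTo(raw, origin) ?? DEFAULT_REDIRECT;
}

// Output encoding for the HTML attribute context the value is reflected into.
function escapeHtml(s: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the "continue" link shown after a successful reset. Validation
// decides what is allowed; escaping protects the attribute context.
function renderContinueLink(raw: string | null | undefined): string {
  return `<a href="${escapeHtml(safeRedirectTo(raw))}">Continue</a>`;
}

// Constructed sample of an application authentication log (assumed format:
// space-separated key=value fields, one reset submission per line).
const SAMPLE_AUTH_LOG: string[] = [
  "2026-03-01T09:00:00Z user=17 event=reset_password_submit redirectTo=/polls/abc123",
  "2026-03-01T09:02:11Z user=17 event=reset_password_submit redirectTo=javascript:alert(1)",
  "2026-03-01T09:05:40Z user=23 event=reset_password_submit redirectTo=//evil.example/landing",
  "2026-03-01T09:07:02Z user=23 event=reset_password_submit redirectTo=/settings",
];

// Returns the log lines whose redirectTo value would have been rejected by
// validateRedirectTo. A malformed percent-encoding is treated as suspicious.
function flagSuspiciousResetRequests(lines: string[], origin = APP_ORIGIN): string[] {
  const flagged: string[] = [];
  for (const line of lines) {
    const m = /\bredirectTo=(\S*)/.exec(line);
    if (!m) continue;
    let value: string;
    try {
      value = decodeURIComponent(m[1]);
    } catch {
      flagged.push(line);
      continue;
    }
    if (validateRedirectTo(value, origin) === null) flagged.push(line);
  }
  return flagged;
}

// Stand-alone run: prints the rendered link for a benign value and the
// flagged sample log lines.
console.log(renderContinueLink("/polls/abc123"));
for (const line of flagSuspiciousResetRequests(SAMPLE_AUTH_LOG)) console.log("FLAGGED:", line);
```

The validator is deliberately allow-list based: rather than trying to enumerate dangerous prefixes, it resolves the value against the expected origin and requires the result to stay on that origin with an http(s) scheme. In a deployment the detector would read the real authentication log and the origin would come from configuration; the CSP header the advisory recommends remains a separate, complementary control.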
