A reflected XSS vulnerability (CVE-2026-33209) has been discovered in the Avo Ruby gem. The flaw lies in the handling of the `return_to` query parameter: an attacker can craft a URL that injects arbitrary JavaScript, which executes when a dynamically generated navigation button built from that parameter is clicked. The vulnerability affects both authenticated and unauthenticated deployments, though the impact differs between them. The fix is available in Avo version 3.30.3 and above.
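The pattern behind this class of bug is a user-controlled "return to" target being dropped into a link without validation or escaping. The following is an added example, not Avo's code and not the patched implementation: the helper names, the markup and the validation rules are hypothetical. It shows a minimal vulnerable renderer beside a hardened one that accepts only same-origin, path-only targets and HTML-escapes the result.

```ruby
require "erb"
require "uri"

# Hypothetical helper (not Avo's): decide whether a user-supplied
# return_to value is safe to place in a navigation link.
# Only same-origin, path-only targets are accepted; anything else
# falls back to a fixed default.
def safe_return_to(value, fallback: "/")
  return fallback if value.nil? || value.strip.empty?

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    # Quotes, spaces and other attribute-breaking characters land here.
    return fallback
  end

  # Reject anything carrying a scheme (javascript:, data:, https:) or a host.
  return fallback if uri.scheme || uri.host

  # Reject protocol-relative ("//evil.example") and backslash variants that
  # some browsers normalise to "//".
  return fallback unless value.start_with?("/") && !value.start_with?("//", "/\\")

  value
end

# Hypothetical renderer in the vulnerable style: the parameter is interpolated
# into the markup as-is, so a javascript: URL or an attribute-breaking payload
# becomes part of the button.
def back_button_vulnerable(return_to)
  %(<a class="button" href="#{return_to}">Back</a>)
end

# Hardened variant: validate the target, then HTML-escape it before
# interpolating into the attribute.
def back_button_safe(return_to)
  target = ERB::Util.html_escape(safe_return_to(return_to))
  %(<a class="button" href="#{target}">Back</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not taken from the advisory.
  ["/resources/users?page=2", "javascript:alert(1)", "//evil.example/x"].each do |input|
    puts "vulnerable: #{back_button_vulnerable(input)}"
    puts "safe:       #{back_button_safe(input)}"
  end
end
```

Both steps matter: the allow-list stops the link from pointing at a `javascript:` or off-site URL, and the escaping stops the value from breaking out of the `href` attribute even if a future change loosens the allow-list.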