🔐 CVE Alert

CVE-2026-54893

UNKNOWN 0.0

Email-derived URL path injection in the Swoosh Microsoft Graph adapter

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation. In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected. This issue affects swoosh from 1.12.0 before 1.26.3.

CWE CWE-116
Vendor swoosh
Product swoosh
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for swoosh swoosh

Be the first to know when new unknown vulnerabilities affecting swoosh swoosh are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

swoosh / swoosh
1.12.0 < 1.26.3
swoosh / swoosh
23bfcdab71aee4613858ba6d116bb3311b72aa58 < e38235453e81d1727bfc8d91e69ec4cb211ccf61

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/swoosh/swoosh/security/advisories/GHSA-754j-98wh-57rf cna.erlef.org: https://cna.erlef.org/cves/CVE-2026-54893.html osv.dev: https://osv.dev/vulnerability/EEF-CVE-2026-54893 github.com: https://github.com/swoosh/swoosh/commit/e38235453e81d1727bfc8d91e69ec4cb211ccf61

Credits

Peter Ullrich Po Chen Jonatan Männchen