CVE-2026-6493
lukevella rallly Reset Password reset-password-form.tsx cross site scripting
CVSS Score
3.5
EPSS Score
0.0%
EPSS Percentile
0th
A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 4.8.0 mitigates this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure.
| CWE | CWE-79 CWE-94 |
| Vendor | lukevella |
| Product | rallly |
| Published | Apr 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for lukevella rallly
Be the first to know when new low vulnerabilities affecting lukevella rallly are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
lukevella / rallly
4.7.0 4.7.1 4.7.2 4.7.3 4.7.4
References
vuldb.com: https://vuldb.com/vuln/358037 vuldb.com: https://vuldb.com/vuln/358037/cti vuldb.com: https://vuldb.com/submit/787347 gist.github.com: https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c github.com: https://github.com/lukevella/rallly/pull/2245 github.com: https://github.com/lukevella/rallly/releases/tag/v4.8.0 github.com: https://github.com/lukevella/rallly/
Credits
๐ trebledj (VulDB User) VulDB CNA Team