{"id":"CVE-2026-11477","summary":"hs-web hsweb-framework OAuth2 Client OAuth2Client.java OAuth2Client redirect","details":"A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as c2882679a9125cea52678151af5ae213cbd52579. Applying a patch is advised to resolve this issue.","modified":"2026-07-09T19:48:06.295410Z","published":"2026-06-08T01:45:11.512Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11477.json","cwe_ids":["CWE-601"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"5.0.0"},{"last_affected":"5.0.0"}]}],"cna_assigner":"VulDB"},"references":[{"type":"WEB","url":"https://github.com/hs-web/hsweb-framework/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11477.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11477"},{"type":"ADVISORY","url":"https://vuldb.com/cve/CVE-2026-11477"},{"type":"ADVISORY","url":"https://vuldb.com/submit/833962"},{"type":"ADVISORY","url":"https://vuldb.com/vuln/369097"},{"type":"REPORT","url":"https://github.com/hs-web/hsweb-framework/issues/354"},{"type":"REPORT","url":"https://vuldb.com/vuln/369097/cti"},{"type":"FIX","url":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579"},{"type":"FIX","url":"https://github.com/hs-web/hsweb-framework/pull/355"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hs-web/hsweb-framework","events":[{"introduced":"97f7cb7d9b73a120222e4ad909b300f2b1d6e54f"},{"fixed":"c2882679a9125cea52678151af5ae213cbd52579"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"5.0.1"},{"last_affected":"5.0.1"}]}}],"versions":["5.0.1"],"database_specific":{"vanir_signatures":[{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java"},"deprecated":false,"digest":{"line_hashes":["24323329224603095924619813895572477824","146741725495793916791613002681887733231","185816413316488085388491691815899329496","19204629325700103762287769639205117488","18010768008749301529711883374689541414","21180776317134269107515120343829206121","74198482354391839327276592647378342378","189831724569332065186314407354465216902","303396815549223820061315414509745443331","256374765224965204486285698297806435729","302957656236011315771560493616059025465","310525773910665731642988384265834992478","314215241488849743602799145470130019753","230528316797794493030741935169626526136","145686389517584539381162296551873680815"],"threshold":0.9},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-07fad6e9","signature_version":"v1","signature_type":"Line"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/AuthorizationCodeCache.java"},"deprecated":false,"digest":{"line_hashes":["193363816595999376092686479022746122287"],"threshold":0.9},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-0e2057a7","signature_version":"v1","signature_type":"Line"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/test/java/org/hswebframework/web/oauth2/server/OAuth2ClientTest.java"},"deprecated":false,"digest":{"line_hashes":["288628584566060991938423147569778835462","263016666157239617028762834650469485065","340199855235176474016525165334692405948","41395209436845848131822388102558563759","207119176138963241812559034379916998095","331357764356411014607324251102467615631","52594932461398966820573100727870039278","231962840798532245998621285388496374564","195987436083494673804990432465249052935"],"threshold":0.9},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-1473ed3e","signature_version":"v1","signature_type":"Line"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java","function":"validateRedirectUri"},"deprecated":false,"digest":{"length":185,"function_hash":"49631337348282712089869952218351744870"},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-15962c26","signature_version":"v1","signature_type":"Function"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2ServerAutoConfiguration.java"},"deprecated":false,"digest":{"line_hashes":["251144591947914168722740317683553852937","239805045885611965678148753602895208050","314563050473033172227487373579925897643","205340533190528855681544828529771467106","281948764424473686422802588688132763364"],"threshold":0.9},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-3032327b","signature_version":"v1","signature_type":"Line"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/test/java/org/hswebframework/web/oauth2/server/OAuth2ClientTest.java","function":"test"},"deprecated":false,"digest":{"length":202,"function_hash":"141932790428919333661702732744761044155"},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-3f3b23ad","signature_version":"v1","signature_type":"Function"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/web/OAuth2AuthorizeController.java","function":"authorizeByCode"},"deprecated":false,"digest":{"length":722,"function_hash":"24610680250009466798715504813783247222"},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-4e5242e1","signature_version":"v1","signature_type":"Function"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/web/OAuth2AuthorizeController.java"},"deprecated":false,"digest":{"line_hashes":["200959192844393249550816239612727340641","173934555365183540970705224321726213030","183037644897281759148514310153230422700","64289544293009669332523380395276341670","119877179750177033116810165940403444310","193537709964247929151924815544864726295","207357500332333543596539940381520132341","199775804517691290380569663196878949119","220678793781109246449917457475288030165","26756278139050676578911753026320293943","100439279946094874233476971670301501796","93587679414652800938904600169984627943","27185084137477049526902290438850227937","125027123658961422069893081905854464301","310571800669273135212889301715490049433"],"threshold":0.9},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-52114980","signature_version":"v1","signature_type":"Line"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/DefaultAuthorizationCodeGranter.java"},"deprecated":false,"digest":{"line_hashes":["303986703487038330082285640233086375528","88267075901905091709878116858701293523","165490391382623156836193381613975142217","147565494682747351229483174789941419009","290977170876523392613978255441918969532","72018775540617635414432164299091056507","118426964277591120425526771926092880161","116989861592968171569321454757305819170"],"threshold":0.9},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-6289daa9","signature_version":"v1","signature_type":"Line"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java","function":"validateSecret"},"deprecated":false,"digest":{"length":187,"function_hash":"243626832102527454738715082599082312877"},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-6c2eb74b","signature_version":"v1","signature_type":"Function"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/DefaultAuthorizationCodeGranter.java","function":"requestCode"},"deprecated":false,"digest":{"length":856,"function_hash":"199928875325609649592551143642770857471"},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-96d0c794","signature_version":"v1","signature_type":"Function"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/AuthorizationCodeTokenRequest.java"},"deprecated":false,"digest":{"line_hashes":["240326597770184823537092471247368688055","144655171970084424169354545293126429107"],"threshold":0.9},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-9e932855","signature_version":"v1","signature_type":"Line"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Properties.java"},"deprecated":false,"digest":{"line_hashes":["31406294449847358842837682870362526450"],"threshold":0.9},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-a5b18959","signature_version":"v1","signature_type":"Line"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/DefaultAuthorizationCodeGranter.java","function":"requestToken"},"deprecated":false,"digest":{"length":1004,"function_hash":"324261775080742158007937354341378312003"},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-ac5ccd82","signature_version":"v1","signature_type":"Function"},{"target":{"file":"hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2ServerAutoConfiguration.java","function":"oAuth2AuthorizeController"},"deprecated":false,"digest":{"length":85,"function_hash":"312525221900792805251490924304376348893"},"source":"https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579","id":"CVE-2026-11477-b1fcead5","signature_version":"v1","signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11477.json","vanir_signatures_modified":"2026-07-09T19:48:06Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}]}