{"id":"CVE-2026-33284","summary":"GlobaLeaks has insufficient URL validation in user support API","details":"GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.","aliases":["GHSA-84wr-q36q-wqhv"],"modified":"2026-04-10T05:43:12.593139Z","published":"2026-03-27T13:58:54.085Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33284.json","cwe_ids":["CWE-20"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33284.json"},{"type":"ADVISORY","url":"https://github.com/globaleaks/globaleaks-whistleblowing-software/security/advisories/GHSA-84wr-q36q-wqhv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33284"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/globaleaks/globaleaks-whistleblowing-software","events":[{"introduced":"0"},{"fixed":"4aad5233889e1e9a52ded6ddf264c38e27a436a4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.0.89"}]}}],"versions":["v3.0.26","v3.10.2","v3.10.8","v3.11.0","v3.11.36","v3.11.53","v3.11.56","v3.11.57","v3.11.58","v3.11.60","v3.11.61","v3.9.2","v3.9.3","v4.0.0","v4.0.10","v4.0.2","v4.0.40","v4.0.42","v4.0.43","v4.0.44","v4.0.45","v4.0.46","v4.0.48","v4.0.49","v4.0.54","v4.0.58","v4.0.6","v4.1.0","v4.1.1","v4.1.13","v4.1.14","v4.1.15","v4.1.16","v4.1.17","v4.1.6","v4.1.9","v4.10.0","v4.10.1","v4.10.10","v4.10.11","v4.10.18","v4.10.2","v4.11.0","v4.11.1","v4.11.2","v4.11.5","v4.12.1","v4.12.2","v4.12.4","v4.12.5","v4.12.6","v4.13.0","v4.13.10","v4.13.11","v4.13.13","v4.13.14","v4.13.15","v4.13.16","v4.13.18","v4.13.19","v4.13.20","v4.13.21","v4.13.22","v4.13.6","v4.14.0","v4.15.
0","v4.15.1","v4.15.2","v4.15.3","v4.15.4","v4.2.0","v4.2.1","v4.2.13","v4.2.2","v4.2.5","v4.2.8","v4.3.0","v4.3.1","v4.4.0","v4.4.1","v4.4.2","v4.4.3","v4.4.4","v4.6.0","v4.6.1","v4.7.1","v4.7.2","v4.7.3","v4.7.5","v4.7.6","v4.9.1","v4.9.2","v4.9.5","v4.9.6","v4.9.7","v4.9.8","v5.0.0","v5.0.1","v5.0.1-docker","v5.0.10","v5.0.10-docker","v5.0.11","v5.0.11-docker","v5.0.12","v5.0.12-docker","v5.0.13","v5.0.13-docker","v5.0.14","v5.0.14-docker","v5.0.15","v5.0.16","v5.0.17","v5.0.17-docker","v5.0.18","v5.0.18-docker","v5.0.19","v5.0.19-docker","v5.0.20","v5.0.20-docker","v5.0.21","v5.0.21-docker","v5.0.22","v5.0.22-docker","v5.0.23","v5.0.23-docker","v5.0.24","v5.0.24-docker","v5.0.25","v5.0.25-docker","v5.0.26","v5.0.26-docker","v5.0.27","v5.0.27-docker","v5.0.28","v5.0.28-docker","v5.0.29","v5.0.29-docker","v5.0.3","v5.0.3-docker","v5.0.30","v5.0.30-docker","v5.0.31","v5.0.31-docker","v5.0.32","v5.0.32-docker","v5.0.33","v5.0.33-docker","v5.0.38","v5.0.38-docker","v5.0.39","v5.0.4","v5.0.4-docker","v5.0.40","v5.0.41","v5.0.41-docker","v5.0.42","v5.0.43","v5.0.43-docker","v5.0.44","v5.0.44-docker","v5.0.45","v5.0.45-docker","v5.0.46","v5.0.48","v5.0.48-docker","v5.0.49","v5.0.5","v5.0.50","v5.0.50-docker","v5.0.51","v5.0.51-docker","v5.0.52","v5.0.52-docker","v5.0.54","v5.0.54-docker","v5.0.55","v5.0.55-docker","v5.0.56","v5.0.56-docker","v5.0.57","v5.0.57-docker","v5.0.58","v5.0.58-docker","v5.0.59","v5.0.59-docker","v5.0.6","v5.0.60","v5.0.61","v5.0.62","v5.0.62-docker","v5.0.63","v5.0.63-docker","v5.0.64","v5.0.64-docker","v5.0.65","v5.0.65-docker","v5.0.66","v5.0.66-docker","v5.0.67","v5.0.67-docker","v5.0.68","v5.0.68-docker","v5.0.69","v5.0.69-docker","v5.0.7","v5.0.7-docker","v5.0.70-docker","v5.0.71","v5.0.71-docker","v5.0.73","v5.0.74","v5.0.75","v5.0.75-docker","v5.0.76","v5.0.76-docker","v5.0.77","v5.0.77-docker","v5.0.78","v5.0.79","v5.0.79-docker","v5.0.8","v5.0.8-docker","v5.0.80","v5.0.80-docker","v5.0.81","v5.0.82","v5.0.82-docker","v5.0.83","v5.0.83-
docker","v5.0.84","v5.0.85","v5.0.85-docker","v5.0.86","v5.0.86-docker","v5.0.87","v5.0.87-docker","v5.0.88","v5.0.9","v5.0.9-docker"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33284.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"}]}