What is CVE-2026-42259?

### Summary Saltcorn validates the post-login `dest` parameter with a string check that only blocks `:/` and `//`. Because all WHATWG-compliant browsers normalise backslashes (`\`) to forward slashes (`/`) for special schemes, a payload such as `/\evil.com/path` slips through `is_relative_url()`, is emitted unchanged in the HTTP `Location` header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. ### Details Vulnerable function: `packages/server/routes/utils.js:393-395` ```js const is_relative_url = (url) => { return typeof url === "string" && !url.includes(":/") && !url.includes("//"); }; ``` The function's intent is to allow only same-origin redirects, but the allow-list only checks for two literal substrings. It does not handle: - backslash characters, which WHATWG URL parsing (used by every modern browser) treats as forward slashes for the special schemes `http`, `https`, `ftp`, `ws`, `wss`. A URL parser fed `/\evil.com/path` with a base of `http://victim/` resolves to `http://evil.com/path`. - non-`http(s):` schemes that do not contain `:/`. The strings `javascript:alert(1)`, `data:text/html,...`, `vbscript:...` all pass. Vulnerable callsite: `packages/server/auth/routes.js:1371-1376` ```js } else if ( (req.body || {}).dest && is_relative_url(decodeURIComponent((req.body || {}).dest)) ) { res.redirect(decodeURIComponent((req.body || {}).dest)); } else res.redirect("/"); ``` The body's `dest` is URL-decoded twice (once by body-parser, once by the explicit `decodeURIComponent`) and the same value is passed to `res.redirect`. Express 5's `res.redirect` runs the value through `encodeurl@2.0.0`, whose whitelist character class `[^\x21\x23-\x3B\x3D\x3F-\x5F\x61-\x7A\x7C\x7E]` includes `\x5C` (backslash). The backslash is therefore not percent-encoded and ends up verbatim in the `Location` response header. ### PoC [poc.zip](https://github.com/user-attachments/files/26678853/poc.zip) Please extract the uploaded compressed file before proceeding 1. ./setup.sh 2. ./poc.sh ### Impact Any user who can be lured into clicking a Saltcorn login URL crafted by the attacker will, after submitting their valid credentials, be redirected to an attacker-controlled origin. The redirect happens under the trusted Saltcorn domain, so the user has no visual cue that they are about to leave the site. Realistic abuse patterns: - Credential phishing — the attacker's site renders a forged "session expired, please log in again" prompt to capture the password the user just typed.

What is the severity of CVE-2026-42259?

CVE-2026-42259 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-42259?

No known public exploits are currently available for CVE-2026-42259.

Is there a patch available for CVE-2026-42259?

Yes, patches are available for CVE-2026-42259. Check the vendor advisories for update instructions.

CVE-2026-42259 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL.

Details

Vulnerable function: packages/server/routes/utils.js:393-395

const is_relative_url = (url) => {
  return typeof url === "string" && !url.includes(":/") && !url.includes("//");
};

The function's intent is to allow only same-origin redirects, but the allow-list only checks for two literal substrings. It does not handle:

backslash characters, which WHATWG URL parsing (used by every modern browser) treats as forward slashes for the special schemes http, https, ftp, ws, wss. A URL parser fed /\evil.com/path with a base of http://victim/ resolves to http://evil.com/path.
non-http(s): schemes that do not contain :/. The strings javascript:alert(1), data:text/html,..., vbscript:... all pass.

Vulnerable callsite: packages/server/auth/routes.js:1371-1376

} else if (
  (req.body || {}).dest &&
  is_relative_url(decodeURIComponent((req.body || {}).dest))
) {
  res.redirect(decodeURIComponent((req.body || {}).dest));
} else res.redirect("/");

The body's dest is URL-decoded twice (once by body-parser, once by the explicit decodeURIComponent) and the same value is passed to . Express 5's runs the value through , whose whitelist character class includes (backslash). The backslash is therefore not percent-encoded and ends up verbatim in the response header.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Ready for Agentic Automated Testing?

CVE-2026-42259

Summary

Details

PoC

Impact