A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as c2882679a9125cea52678151af5ae213cbd52579. Applying a patch is advised to resolve this issue.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "5.0.0"
},
{
"last_affected": "5.0.0"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11477.json",
"cna_assigner": "VulDB",
"cwe_ids": [
"CWE-601"
]
}"2026-07-09T19:48:06Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11477.json"
[
{
"id": "CVE-2026-11477-07fad6e9",
"digest": {
"line_hashes": [
"24323329224603095924619813895572477824",
"146741725495793916791613002681887733231",
"185816413316488085388491691815899329496",
"19204629325700103762287769639205117488",
"18010768008749301529711883374689541414",
"21180776317134269107515120343829206121",
"74198482354391839327276592647378342378",
"189831724569332065186314407354465216902",
"303396815549223820061315414509745443331",
"256374765224965204486285698297806435729",
"302957656236011315771560493616059025465",
"310525773910665731642988384265834992478",
"314215241488849743602799145470130019753",
"230528316797794493030741935169626526136",
"145686389517584539381162296551873680815"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java"
}
},
{
"id": "CVE-2026-11477-0e2057a7",
"digest": {
"line_hashes": [
"193363816595999376092686479022746122287"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/AuthorizationCodeCache.java"
}
},
{
"id": "CVE-2026-11477-1473ed3e",
"digest": {
"line_hashes": [
"288628584566060991938423147569778835462",
"263016666157239617028762834650469485065",
"340199855235176474016525165334692405948",
"41395209436845848131822388102558563759",
"207119176138963241812559034379916998095",
"331357764356411014607324251102467615631",
"52594932461398966820573100727870039278",
"231962840798532245998621285388496374564",
"195987436083494673804990432465249052935"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/test/java/org/hswebframework/web/oauth2/server/OAuth2ClientTest.java"
}
},
{
"id": "CVE-2026-11477-15962c26",
"digest": {
"function_hash": "49631337348282712089869952218351744870",
"length": 185.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"function": "validateRedirectUri",
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java"
}
},
{
"id": "CVE-2026-11477-3032327b",
"digest": {
"line_hashes": [
"251144591947914168722740317683553852937",
"239805045885611965678148753602895208050",
"314563050473033172227487373579925897643",
"205340533190528855681544828529771467106",
"281948764424473686422802588688132763364"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2ServerAutoConfiguration.java"
}
},
{
"id": "CVE-2026-11477-3f3b23ad",
"digest": {
"function_hash": "141932790428919333661702732744761044155",
"length": 202.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"function": "test",
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/test/java/org/hswebframework/web/oauth2/server/OAuth2ClientTest.java"
}
},
{
"id": "CVE-2026-11477-4e5242e1",
"digest": {
"function_hash": "24610680250009466798715504813783247222",
"length": 722.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"function": "authorizeByCode",
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/web/OAuth2AuthorizeController.java"
}
},
{
"id": "CVE-2026-11477-52114980",
"digest": {
"line_hashes": [
"200959192844393249550816239612727340641",
"173934555365183540970705224321726213030",
"183037644897281759148514310153230422700",
"64289544293009669332523380395276341670",
"119877179750177033116810165940403444310",
"193537709964247929151924815544864726295",
"207357500332333543596539940381520132341",
"199775804517691290380569663196878949119",
"220678793781109246449917457475288030165",
"26756278139050676578911753026320293943",
"100439279946094874233476971670301501796",
"93587679414652800938904600169984627943",
"27185084137477049526902290438850227937",
"125027123658961422069893081905854464301",
"310571800669273135212889301715490049433"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/web/OAuth2AuthorizeController.java"
}
},
{
"id": "CVE-2026-11477-6289daa9",
"digest": {
"line_hashes": [
"303986703487038330082285640233086375528",
"88267075901905091709878116858701293523",
"165490391382623156836193381613975142217",
"147565494682747351229483174789941419009",
"290977170876523392613978255441918969532",
"72018775540617635414432164299091056507",
"118426964277591120425526771926092880161",
"116989861592968171569321454757305819170"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/DefaultAuthorizationCodeGranter.java"
}
},
{
"id": "CVE-2026-11477-6c2eb74b",
"digest": {
"function_hash": "243626832102527454738715082599082312877",
"length": 187.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"function": "validateSecret",
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java"
}
},
{
"id": "CVE-2026-11477-96d0c794",
"digest": {
"function_hash": "199928875325609649592551143642770857471",
"length": 856.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"function": "requestCode",
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/DefaultAuthorizationCodeGranter.java"
}
},
{
"id": "CVE-2026-11477-9e932855",
"digest": {
"line_hashes": [
"240326597770184823537092471247368688055",
"144655171970084424169354545293126429107"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/AuthorizationCodeTokenRequest.java"
}
},
{
"id": "CVE-2026-11477-a5b18959",
"digest": {
"line_hashes": [
"31406294449847358842837682870362526450"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Properties.java"
}
},
{
"id": "CVE-2026-11477-ac5ccd82",
"digest": {
"function_hash": "324261775080742158007937354341378312003",
"length": 1004.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"function": "requestToken",
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/code/DefaultAuthorizationCodeGranter.java"
}
},
{
"id": "CVE-2026-11477-b1fcead5",
"digest": {
"function_hash": "312525221900792805251490924304376348893",
"length": 85.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/hs-web/hsweb-framework/commit/c2882679a9125cea52678151af5ae213cbd52579",
"deprecated": false,
"target": {
"function": "oAuth2AuthorizeController",
"file": "hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2ServerAutoConfiguration.java"
}
}
]