Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-79"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33209.json"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.30.3"
}
],
"cpe": "cpe:2.3:a:avohq:avo:*:*:*:*:*:ruby:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
]
}