CVE-2026-40255

Source
https://cve.org/CVERecord?id=CVE-2026-40255
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40255.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40255
Aliases
Published
2026-04-16T22:25:38.155Z
Modified
2026-07-08T08:13:47.532761929Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
@adonisjs/http-server has an Open Redirect vulnerability
Details

AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40255.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-601"
    ]
}
References

Affected packages

Git / github.com/adonisjs/core

Affected ranges

Type
GIT
Repo
https://github.com/adonisjs/core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:adonisjs:core:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.3.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/adonisjs/http-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": [
        "cpe:2.3:a:adonisjs:http-server:*:*:*:*:*:node.js:*:*",
        "cpe:2.3:a:adonisjs:core:*:*:*:*:*:node.js:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.8.1"
        },
        {
            "last_affected": "8.1.3"
        },
        {
            "last_affected": "7.3.0"
        }
    ]
}

Affected versions

@adonisjs/framework@v4.*
@adonisjs/framework@v4.0.0
@adonisjs/framework@v4.0.1
@adonisjs/framework@v4.0.10
@adonisjs/framework@v4.0.11
@adonisjs/framework@v4.0.12
@adonisjs/framework@v4.0.13
@adonisjs/framework@v4.0.14
@adonisjs/framework@v4.0.15
@adonisjs/framework@v4.0.16
@adonisjs/framework@v4.0.17
@adonisjs/framework@v4.0.18
@adonisjs/framework@v4.0.19
@adonisjs/framework@v4.0.2
@adonisjs/framework@v4.0.20
@adonisjs/framework@v4.0.21
@adonisjs/framework@v4.0.22
@adonisjs/framework@v4.0.23
@adonisjs/framework@v4.0.24
@adonisjs/framework@v4.0.25
@adonisjs/framework@v4.0.26
@adonisjs/framework@v4.0.27
@adonisjs/framework@v4.0.3
@adonisjs/framework@v4.0.30
@adonisjs/framework@v4.0.31
@adonisjs/framework@v4.0.4
@adonisjs/framework@v4.0.5
@adonisjs/framework@v4.0.6
@adonisjs/framework@v4.0.7
@adonisjs/framework@v4.0.8
@adonisjs/framework@v4.0.9
@adonisjs/framework@v5.*
@adonisjs/framework@v5.0.0
@adonisjs/framework@v5.0.1
@adonisjs/framework@v5.0.10
@adonisjs/framework@v5.0.11
@adonisjs/framework@v5.0.12
@adonisjs/framework@v5.0.2
@adonisjs/framework@v5.0.3
@adonisjs/framework@v5.0.4
@adonisjs/framework@v5.0.5
@adonisjs/framework@v5.0.6
@adonisjs/framework@v5.0.7
@adonisjs/framework@v5.0.8
@adonisjs/framework@v5.0.9
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.10.0
v1.2.0
v1.2.1
v1.2.10
v1.2.11
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.8.0
v1.8.1
v1.8.2
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.2.0
v2.2.1
v2.3.0
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.8.0
v2.8.1
v2.9.0
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v5.*
v5.0.0
v5.0.0-preview-rc-1
v5.0.0-preview-rc-1.1
v5.0.0-preview-rc-1.10
v5.0.0-preview-rc-1.11
v5.0.0-preview-rc-1.2
v5.0.0-preview-rc-1.3
v5.0.0-preview-rc-1.4
v5.0.0-preview-rc-1.5
v5.0.0-preview-rc-1.6
v5.0.0-preview-rc-1.7
v5.0.0-preview-rc-1.8
v5.0.0-preview-rc-1.9
v5.0.0-preview.1
v5.0.0-preview.2
v5.0.0-preview.3
v5.0.0-preview.4
v5.0.0-preview.5
v5.0.1
v5.0.1-beta-rc-2
v5.0.1-beta-rc-3
v5.0.2-beta-rc-4
v5.0.2-beta-rc-5
v5.0.2-beta-rc-6
v5.0.2-beta-rc-7
v5.0.2-beta-rc-8
v5.0.2-beta-rc-9
v5.0.3-beta-rc-10
v5.0.4-preview-rc-2
v5.0.4-preview-rc-2.1
v5.0.5-canary-rc-1
v5.0.5-canary-rc-2
v5.1.0
v5.1.1
v5.1.10
v5.1.11
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.1.7
v5.1.8
v5.1.9
v5.10.0
v5.10.1
v5.11.0
v5.12.0
v5.2.0
v5.2.1
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.5.5
v5.5.6
v5.5.7
v5.6.0
v5.6.1
v5.6.2
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.8.0
v5.8.1
v5.8.2
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.8.8
v5.8.9
v5.9.0
v6.*
v6.10.0
v6.10.1
v6.11.0
v6.12.0
v6.12.1
v6.13.0
v6.13.1
v6.14.0
v6.14.1
v6.15.0
v6.15.1
v6.15.2
v6.16.0
v6.17.0
v6.17.1
v6.17.2
v6.18.0
v6.19.0
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.3.0
v6.3.1
v6.4.0
v6.5.0
v6.6.0
v6.7.0
v6.7.1
v6.8.0
v6.9.0
v6.9.1
v7.*
v7.0.0
v7.0.0-next.0
v7.0.0-next.1
v7.0.0-next.10
v7.0.0-next.11
v7.0.0-next.12
v7.0.0-next.13
v7.0.0-next.14
v7.0.0-next.15
v7.0.0-next.16
v7.0.0-next.17
v7.0.0-next.18
v7.0.0-next.19
v7.0.0-next.2
v7.0.0-next.20
v7.0.0-next.21
v7.0.0-next.22
v7.0.0-next.23
v7.0.0-next.24
v7.0.0-next.25
v7.0.0-next.26
v7.0.0-next.27
v7.0.0-next.28
v7.0.0-next.29
v7.0.0-next.3
v7.0.0-next.4
v7.0.0-next.5
v7.0.0-next.6
v7.0.0-next.7
v7.0.0-next.8
v7.0.0-next.9
v7.0.1
v7.0.2
v7.0.3
v7.1.0
v7.1.1
v7.2.0
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.3.0
v7.4.0
v7.5.0
v7.6.0
v7.6.1
v7.7.0
v7.8.0
v8.*
v8.0.0
v8.0.0-next.0
v8.0.0-next.1
v8.0.0-next.10
v8.0.0-next.11
v8.0.0-next.12
v8.0.0-next.13
v8.0.0-next.14
v8.0.0-next.15
v8.0.0-next.16
v8.0.0-next.17
v8.0.0-next.18
v8.0.0-next.19
v8.0.0-next.2
v8.0.0-next.3
v8.0.0-next.4
v8.0.0-next.5
v8.0.0-next.6
v8.0.0-next.7
v8.0.0-next.8
v8.0.0-next.9
v8.1.0
v8.1.1
v8.1.2
v8.1.3
vv5.*
vv5.0.0-preview-rc-1.2
vv5.0.0-preview-rc-1.3
vv5.0.0-preview-rc-1.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40255.json"