CVE-2026-54893

Source
https://cve.org/CVERecord?id=CVE-2026-54893
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54893.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54893
Aliases
Published
2026-07-06T14:04:16.486Z
Modified
2026-07-08T08:13:42.586578258Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Email-derived URL path injection in the Swoosh Microsoft Graph adapter
Details

URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation.

In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected.

This issue affects swoosh from 1.12.0 before 1.26.3.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.12.0"
                },
                {
                    "fixed": "1.26.3"
                },
                {
                    "introduced": "23bfcdab71aee4613858ba6d116bb3311b72aa58"
                },
                {
                    "fixed": "e38235453e81d1727bfc8d91e69ec4cb211ccf61"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.12.0"
                },
                {
                    "fixed": "1.26.3"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "introduced": "1.12.0"
                },
                {
                    "fixed": "1.26.3"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54893.json",
    "cna_assigner": "EEF",
    "cwe_ids": [
        "CWE-116"
    ]
}
References

Affected packages

Git / github.com/swoosh/swoosh

Affected ranges

Type
GIT
Repo
https://github.com/swoosh/swoosh
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

1.*
1.25.3
1.26.2
v0.*
v0.1.0
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.16.1
v0.17.0
v0.18.0
v0.19.0
v0.2.0
v0.20.0
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.22.2
v0.23.0
v0.23.1
v0.23.3
v0.23.4
v0.23.5
v0.24.0
v0.24.1
v0.24.2
v0.24.3
v0.24.4
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.25.4
v0.25.5
v0.25.6
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.11.0
v1.11.1
v1.11.2
v1.11.3
v1.11.4
v1.11.5
v1.11.6
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.15.0
v1.15.1
v1.15.2
v1.15.3
v1.16.0
v1.16.1
v1.16.10
v1.16.11
v1.16.12
v1.16.2
v1.16.3
v1.16.4
v1.16.5
v1.16.6
v1.16.7
v1.16.8
v1.16.9
v1.17.0
v1.17.1
v1.17.10
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.17.7
v1.17.8
v1.17.9
v1.18.0
v1.18.1
v1.18.2
v1.18.3
v1.18.4
v1.19.0
v1.19.1
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.19.6
v1.19.7
v1.19.8
v1.19.9
v1.2.0
v1.2.1
v1.2.2
v1.20.0
v1.20.1
v1.21.0
v1.22.0
v1.22.1
v1.23.0
v1.23.1
v1.24.0
v1.25.0
v1.25.1
v1.25.2
v1.26.0
v1.26.1
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.9.0
v1.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54893.json"