PYSEC-2026-738

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pollbot/PYSEC-2026-738.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-738
Aliases
Published
2026-07-02T14:13:15.349245Z
Modified
2026-07-06T08:00:50.600875365Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
open redirect in pollbot
Details

(From https://bugzilla.mozilla.org/show_bug.cgi?id=1753838)

Summary: There was an open redirection vulnerability in the path of:

https://pollbot.services.mozilla.com/ and https://pollbot.stage.mozaws.net/

Description: An attacker can redirect anyone to malicious sites.

Steps To Reproduce: Type in this URL:

https://pollbot.services.mozilla.com/%0a/evil.com/

It redirects to that website

evil.com

evil.com was used as an example but this could be any website. Note, the /%0a/ and trailing / are required.

Supporting Material/References: https://cheatsheetseries.owasp.org/cheatsheets/UnvalidatedRedirectsandForwardsCheat_Sheet.html

Impact

Attackers can serve malicious websites that steal passwords or download ransomware to their victims machine due to a redirect and there are a heap of other attack vectors.

References

Affected packages

PyPI / pollbot

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.6

Affected versions

0.*
0.1.0
0.2.0
0.2.1
0.3.0
0.4.0
0.5.0
0.6.0
0.6.1
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pollbot/PYSEC-2026-738.yaml"