PT-2026-26213 · Avo · Avo

Timwis · Published 2026-03-18 · Updated 2026-03-24 · CVE-2026-33209

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Avo versions prior to 3.30.3
Description: A reflected cross-site scripting (XSS) issue exists in the "return to" query parameter of the Avo interface. An attacker can craft a URL whose parameter value injects arbitrary JavaScript; that JavaScript runs when a navigation button dynamically generated from the parameter is clicked. The impact depends on the deployment configuration, potentially allowing execution of arbitrary JavaScript in the context of the application. In unauthenticated setups, exploitation is possible through crafted links sent to users. In authenticated setups, exploitation is limited to authenticated users and requires user interaction.
Recommendations: Update to Avo version 3.30.3 or later.
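The class of bug above is a user-controlled "return to" value flowing into a link target. The Ruby helper below is an added illustration of the defensive check such a parameter needs; it is not Avo's code or its fix, and the function name, fallback and sample inputs are assumptions. It accepts only same-site absolute paths (with query) and falls back to a safe default for anything that can carry a scheme or host. The returned value must still be HTML-escaped where it is rendered.

```ruby
require "uri"

# Hypothetical helper (not from Avo): decide whether a user-supplied
# "return to" value may be used as a navigation target. Only same-site
# relative paths are accepted; anything that could carry a scheme
# (javascript:, data:), a host, or a protocol-relative "//host" prefix
# is replaced by the fallback.
def safe_return_to(value, fallback: "/")
  return fallback if value.nil? || value.strip.empty?

  s = value.strip
  # Reject control characters and embedded whitespace, which browsers
  # strip and which would otherwise smuggle a scheme past naive checks
  # (e.g. "java\tscript:").
  return fallback if s =~ /[\x00-\x1f\x7f\s]/

  begin
    uri = URI.parse(s)
  rescue URI::InvalidURIError
    # Anything Ruby's RFC 3986 parser refuses is not a path we will link to.
    return fallback
  end

  # Must be a relative reference: no scheme, no authority of any kind.
  return fallback if uri.scheme || uri.host || uri.userinfo
  # Must be a single-slash absolute path; "//" is protocol-relative.
  return fallback unless s.start_with?("/") && !s.start_with?("//")

  # Re-assemble only path and query; drop any fragment.
  path = uri.path
  path += "?#{uri.query}" if uri.query
  path
end

# Constructed sample inputs for a quick manual run.
if __FILE__ == $PROGRAM_NAME
  ["/resources/users?page=2", "javascript:alert(1)", "//evil.example/x",
   "https://evil.example/", "java\tscript:alert(1)", nil].each do |v|
    puts "#{v.inspect} -> #{safe_return_to(v).inspect}"
  end
end
```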


Related Identifiers

CVE-2026-33209
GHSA-762R-27W2-Q22J

Affected Products

Avo