PT-2026-43372 · Tenable · Tenable

Trebledj · Published 2026-05-26 · Updated 2026-05-26 · CVE-2026-9566

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions
teableio teable versions prior to release.2026-04-21T08-57-20Z.1513

Description
Cross-site scripting can be triggered remotely by manipulating the redirect argument of the Sign-up component in the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx. The login redirect flow failed to properly validate the redirect path, which allowed javascript: and data: URIs and cross-origin redirects.

Recommendations
Upgrade to version release.2026-04-21T08-57-20Z.1513. As a temporary workaround, restrict or validate the redirect parameter used during the login process to prevent the use of javascript:, data:, or cross-origin URIs.
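
One way to implement the workaround described above, as an added example that is not Teable's patch or code: a hypothetical `safeRedirectPath` helper that accepts only same-origin rooted paths and falls back to `/` otherwise. The origin `https://teable.example` and all sample values are constructed.

```javascript
// Added example: hypothetical helper and constructed inputs, not Teable's code.

/**
 * Return a same-origin path that is safe to navigate to after login,
 * or `fallback` when the supplied redirect value is anything else.
 */
function safeRedirectPath(redirect, appOrigin, fallback = "/") {
  if (typeof redirect !== "string" || redirect.length === 0) return fallback;
  // URL parsers strip tabs/newlines and treat "\" as "/", so "/\t/host" and
  // "/\host" would both resolve like "//host". Refuse such input outright.
  if (/[\u0000-\u001f\u007f\\]/.test(redirect)) return fallback;
  // Accept only a rooted path. This excludes javascript:, data:, absolute
  // URLs and protocol-relative "//host" values.
  if (!redirect.startsWith("/") || redirect.startsWith("//")) return fallback;

  let target, base;
  try {
    base = new URL(appOrigin);
    target = new URL(redirect, base);
  } catch {
    return fallback;
  }
  // Defence in depth: the resolved URL must stay on the application origin.
  if (target.origin !== base.origin) return fallback;
  if (target.protocol !== "https:" && target.protocol !== "http:") return fallback;

  // Return only path, query and fragment, never a scheme or host.
  return target.pathname + target.search + target.hash;
}

// Constructed sample values (assumption: the app is served from this origin).
const APP_ORIGIN = "https://teable.example";
const SAMPLES = [
  "/space/abc?view=1#row",
  "javascript:void(0)",
  "data:text/html,x",
  "https://other.example/",
  "//other.example/path",
  "/\\other.example",
  "/\t/other.example",
];

function checkSamples() {
  return SAMPLES.map((value) => [value, safeRedirectPath(value, APP_ORIGIN)]);
}

for (const [value, result] of checkSamples()) {
  console.log(JSON.stringify(value), "->", result);
}
```

Only the first sample is passed through; every other value resolves to the fallback. The check belongs wherever the redirect value is consumed, so that a value arriving by any route is validated before navigation.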

Exploit

Fix

Code Injection

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-9566

Affected Products

Tenable