PT-2026-51258 · Kortix Ai · Suna

Trebledj · Published 2026-06-21 · Updated 2026-06-21 · CVE-2026-12811

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions
kortix-ai suna versions prior to 0.8.39

Description
A flaw in the Auth Endpoint component allows remote cross-site scripting (XSS), a technique in which malicious scripts are injected into trusted websites. The issue is in the router.replace() and router.push() calls in the apps/frontend/src/app/auth/page.tsx file. An attacker can trigger it by manipulating the returnURL argument.

Recommendations
Update to version 0.8.39.
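
One way to constrain a returnURL value before it reaches router.push() or router.replace(), shown as an added example that is not Suna's code or its actual fix. The helper name safeReturnUrl, the fallback path /dashboard and the origin https://app.example.test are assumptions, and the sample inputs are constructed.

```typescript
// Added example: hypothetical helper, not taken from the Suna code base or its fix.
const FALLBACK_PATH = "/dashboard"; // assumed default landing page

// Returns a same-origin, root-relative path that is safe to pass to
// router.push()/router.replace(), or FALLBACK_PATH for anything else.
function safeReturnUrl(raw: string | null | undefined, origin: string): string {
  if (!raw) return FALLBACK_PATH;
  // Control characters and backslashes are normalised differently across
  // URL parsers, so a value containing them is rejected outright.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return FALLBACK_PATH;
  // Accept only root-relative paths: this excludes every explicit scheme
  // (javascript:, data:, https:) and protocol-relative "//host" values.
  if (raw.charAt(0) !== "/" || raw.charAt(1) === "/") return FALLBACK_PATH;
  let parsed: URL;
  try {
    parsed = new URL(raw, origin);
  } catch {
    return FALLBACK_PATH;
  }
  // Defence in depth: the resolved URL must stay on the application's origin.
  if (parsed.origin !== origin) return FALLBACK_PATH;
  // Hand back only path, query and fragment, never a scheme or host.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample values of the returnURL query parameter.
const APP_ORIGIN = "https://app.example.test"; // assumed origin
const SAMPLES: string[] = [
  "/projects/42?tab=files#top",
  "javascript:alert(1)",
  "//other.example.test/login",
  "https://other.example.test/",
  "/\\other.example.test",
];

// Runs every constructed sample through the helper.
function checkSamples(): string[] {
  return SAMPLES.map((value) => safeReturnUrl(value, APP_ORIGIN));
}

console.log(checkSamples());
```

Only the first sample survives unchanged; every other value is replaced by the fallback path before any navigation call sees it.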

Exploit

Fix

Code Injection

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-12811

Affected Products

Suna