CVE Catalog

CVE-2026-11443

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile — higher than 13% of all known CVEs

Summary

A vulnerability in Allegra allows remote attackers to execute arbitrary scripts on affected installations via the downloadAttachment method. User interaction is required to exploit this vulnerability, meaning the victim must visit a malicious page or open a malicious file.

Risk Assessment

Attackers can leverage this vulnerability to execute scripts in the context of the current user, potentially leading to data theft or session hijacking.

Recommendation

It is recommended to update Allegra software to the latest version to patch this vulnerability and educate users on avoiding suspicious websites and files.

Original NVD description (English source)

Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to execute arbitrary script on affected installations of Allegra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the downloadAttachment method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to execute script in the context of the current user. Was ZDI-CAN-28236.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS