CVE-2026-11443
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
A vulnerability in Allegra allows remote attackers to execute arbitrary scripts on affected installations via the downloadAttachment method. User interaction is required to exploit this vulnerability, meaning the victim must visit a malicious page or open a malicious file.
Risk Assessment
Attackers can leverage this vulnerability to execute scripts in the context of the current user, potentially leading to data theft or session hijacking.
Recommendation
It is recommended to update Allegra software to the latest version to patch this vulnerability and educate users on avoiding suspicious websites and files.
Original NVD description (English source)
Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to execute arbitrary script on affected installations of Allegra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the downloadAttachment method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to execute script in the context of the current user. Was ZDI-CAN-28236.

