CVE-2026-33284


Insufficient URL Validation in the GlobaLeaks User Support API

CVE ID
CVE-2026-33284
CVE Link
https://nvd.nist.gov/vuln/detail/CVE-2026-33284
Vendor
GlobaLeaks
Affected Product & Version

GlobaLeaks versions ≤ 5.0.88

Vulnerability Type
CWE-20: Improper Input Validation
CVSS Vector

NVD: 4.3 Medium / CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
BDO: 4.3 Medium / CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Author
Manfred Heinz
Date
2026-04-24

CVE Details

Description:

GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs only minimal validation on user-submitted support requests. The submitted text, including any URL it contains, is copied into the support email sent to administrators, so an anonymous sender can place an arbitrary link in front of an administrator. Version 5.0.89 patches the issue.

The reported issue does not allow code execution, data access or service disruption. The primary concern is phishing or social engineering of administrators: most email clients render such URLs as clickable links, and the email arrives from the trusted GlobaLeaks instance rather than from the unknown sender.

Remediation:
  • Upgrade GlobaLeaks to version 5.0.89 or later;
  • Configure administrators' email clients so that URLs in plain-text messages are not turned into clickable links (disable auto-linking);
  • Train administrators to treat links in support emails as untrusted, since the sender of a support request is anonymous.
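The validation step that the description and the remediation refer to, shown as an added illustration that is not GlobaLeaks code and does not reproduce the 5.0.89 change: a Python sketch of a support-request body check that finds anything a mail client is likely to auto-link and either rejects the request or defangs each URL before the text is embedded in the administrator notification. The vulnerable rendering pattern (body copied verbatim) is kept beside the hardened one for comparison. MAX_BODY_LEN, the policy names and the sample request body are assumptions made for this example.

```python
# Added example (not GlobaLeaks code): neutralising auto-linkable URLs in a
# user-submitted support request before it is embedded in the admin email.
import re

# Matches anything a typical mail client will turn into a clickable link:
# a scheme URL or a bare "www." host. Broad on purpose; a false positive
# only costs a defanged string, a miss costs a clickable phishing link.
URL_RE = re.compile(r"""(?i)\b(?:(?:https?|ftp)://|www\.)[^\s<>"']+""")

MAX_BODY_LEN = 4000  # assumed limit for this example, not a GlobaLeaks value


class InvalidSupportRequest(ValueError):
    """Raised when a support request body fails validation."""


def find_urls(text):
    """Return every URL-like substring in text, in order of appearance."""
    return URL_RE.findall(text)


def defang(url):
    """Rewrite one URL so it is neither auto-linked nor accidentally clickable."""
    url = re.sub(r"(?i)^http", "hxxp", url)   # https://x -> hxxps://x
    url = re.sub(r"(?i)^ftp://", "fxp://", url)
    return url.replace(".", "[.]")             # example.org -> example[.]org


def defang_urls(text):
    """Defang every URL in text, leaving the surrounding prose untouched."""
    return URL_RE.sub(lambda m: defang(m.group(0)), text)


def validate_support_request(body, policy="defang"):
    """Validate a support request body and return the text safe to embed.

    policy="reject": refuse any body that contains a URL.
    policy="defang": keep the body but neutralise each URL.
    """
    if not isinstance(body, str) or not body.strip():
        raise InvalidSupportRequest("empty support request")
    if len(body) > MAX_BODY_LEN:
        raise InvalidSupportRequest("support request too long")
    if policy not in ("reject", "defang"):
        raise ValueError("unknown policy")
    urls = find_urls(body)
    if urls and policy == "reject":
        raise InvalidSupportRequest("URLs are not accepted in support requests")
    return defang_urls(body) if urls else body


def accepts(body, policy="defang"):
    """True if validate_support_request would accept body under policy."""
    try:
        validate_support_request(body, policy)
        return True
    except InvalidSupportRequest:
        return False


def render_admin_mail_unchecked(sender, body):
    """Vulnerable pattern: the user-controlled body is copied into the mail as-is."""
    return f"Support request from {sender}\n\n{body}\n"


def render_admin_mail_checked(sender, body, policy="defang"):
    """Hardened pattern: the body passes validation before it reaches the mail."""
    return f"Support request from {sender}\n\n{validate_support_request(body, policy)}\n"


# Constructed sample request, styled as a credential-phishing lure.
SAMPLE_BODY = (
    "Hi, I cannot log in. Please reset my access at "
    "https://globaleaks-admin-login.example/reset?u=admin "
    "or see www.example.net/help"
)

if __name__ == "__main__":
    print(render_admin_mail_unchecked("anonymous", SAMPLE_BODY))
    print(render_admin_mail_checked("anonymous", SAMPLE_BODY))
    print(render_admin_mail_checked("anonymous", "Thanks, the issue is resolved."))
```

Defanging (hxxps, `[.]`) is preferred over silently stripping the URL because the administrator still sees what the requester wrote and can recognise a lure, while the mail client no longer offers a link to click; the reject policy is the stricter choice where support requests never legitimately need a link.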
References:
Timeline:

2026-03-13: Vulnerability discovered and reported

2026-03-13: Vulnerability analyzed by GlobaLeaks

2026-03-14: Fix developed and internally validated by GlobaLeaks

2026-03-18: CVE requested by GlobaLeaks

2026-03-19: Remediation released in version 5.0.89 by GlobaLeaks

2026-03-19: Advisory publication scheduled by GlobaLeaks

2026-03-27: Public advisory published by GlobaLeaks