CVE-2026-40255 MEDIUM

CVE-2026-40255: @adonisjs/http-server has an Open Redirect vulnerability

Vendor Adonisjs

Product http-server

Weakness CWE-601 · Open redirect

Published April 16, 2026

Last update April 17, 2026

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host.An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in versions 7.8.1 and 8.2.0 and 7.4.0 of @adonisjs/core.

Key dates

02Disclosure timeline

April 16, 2026 CVE published

April 17, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-40255 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/601.html

Related vulnerabilities

Identifiers

CVE CVE-2026-40255

CWE CWE-601

CVSS 6.1 / MEDIUM

Affected versions

Vendor Adonisjs

Product http-server

Affected >= 8.0.0-next.0, < 8.2.0

Vendor Adonisjs

Product http-server

Affected < 7.8.1

Vendor Adonisjs

Product http-core

Affected < 7.4.0

CVE-2026-40255: @adonisjs/http-server has an Open Redirect vulnerability

01Description

02Disclosure timeline

03References

04Related CVE