CVE-2026-44372
MEDIUM WAF: Medium
CVSS 6.1
Published: 2026-05-13
CWE-601
Nitro is a next-generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule that uses a wildcard rewrite into a cross-host redirect by inserting an extra slash after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.
WAF Coverage Analysis
Open Redirect
Medium WAF Coverage
OWASP: A01:2021 Broken Access Control
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| nitro | nitro | up to 2.13.4 |
| nitro | nitro | up to 3.0.260429 |
References
- github.com (Issue Tracking, Patch)
- github.com (Release Notes)
- github.com (Release Notes)
- github.com (Vendor Advisory)