CVE-2026-33506
Ory Polis (formerly BoxyHQ Jackson) contains a DOM-based XSS in its login flow prior to version 26.2.0 . The vulnerability stems from trusting a URL parameter callbackUrl that is passed to router.push, allowing an attacker to lure a user into opening a malicious link, which triggers a client-side...