Back to overview

CVE-2026-54893

LOW
2.1
CVSS 4.0
Description
URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation. In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected. This issue affects swoosh from 1.12.0 before 1.26.3.

Metadata

CVE ID
CVE-2026-54893
State
PUBLISHED
Assigner
EEF
Reserved
2026-06-16 10:47 UTC
Published
2026-07-06 14:04 UTC
Last updated
2026-07-06 14:04 UTC
Primary CWE
CWE-116
CWE-116 Improper Encoding or Escaping of Output
Vendor / Product
swoosh / swoosh
Sources
cve.org  ·  NVD

Severity & Metrics

2.1 LOW CVSS 4.0
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products (2)
VendorProductPlatformVersions
swoosh swoosh 1.12.0 < 1.26.3
swoosh swoosh 23bfcdab71aee4613858ba6d116bb3311b72aa58 < e38235453e81d1727bfc8d91e69ec4cb211ccf61
Weakness (CWE)
CWESourceDescription
CWE-116 cna CWE-116 Improper Encoding or Escaping of Output
CVSS scores (1)
ScoreSeverityVersionSourceVector
2.1 LOW 4.0 cna CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Back to overview