ZDI 2026-06-11

ZDI-26-358: Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability

CVE-2026-11443

Machine-generated analysis · WAYSCloud LLM

The vulnerability requires user interaction, such as visiting a malicious page or opening a malicious file, to trigger cross-site scripting.

Context

The affected product is Allegra, specifically involving the downloadAttachment functionality. The vulnerability is a cross-site scripting (XSS) authentication bypass that allows remote attackers to execute arbitrary script. User interaction is explicitly required for exploitation. The ZDI assigned a CVSS score of 4.6, indicating a medium severity impact.

Operator considerations

Check: Determine if Allegra instances are deployed and using the downloadAttachment feature.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to execute arbitrary script on affected installations of Allegra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 4.6. The following CVEs are assigned: CVE-2026-11443.

Read the full advisory on ZDI →