CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-8882-frvv-92w4: @asymmetric-effort/specifyjs: URL parse failure silently allows request

highCVE-2026-50288
Finding Location: core/src/shared/secure-fetch.ts:42-45 When new URL() throws a parse error, the assertSecureUrl function returned without throwing, silently allowing the request to proceed without HTTPS validation. Status Fixed in v0.2.136 — The catch block now throws an error instead of silently returning.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-8882-frvv-92w4

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-50288coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories