Analyst readout for executives and security teams
Plain-English summary
Teable sign-up login pages in versions up to 1.9.x can mishandle a redirect parameter, allowing cross-site scripting when a user is induced to follow a crafted login flow. The issue is remotely reachable but requires user interaction. The vendor says the redirect validation has been fixed in the named 2026-04-21 release.
Executive priority
Treat this as a near-term patching item, not an emergency unless Teable login is exposed to untrusted users at scale. Public exploit availability raises urgency, but the provided evidence indicates medium severity, user interaction, and no confirmed active exploitation.
Technical view
CVE-2026-9566 affects apps/nextjs-app/src/features/auth/pages/LoginPage.tsx in Teable. Manipulating the redirect argument can lead to DOM-based cross-site scripting and open redirect behavior. CVSS 4.0 is 5.3 with network attack vector, low complexity, no privileges, and required user interaction. The fix validates redirect paths with isValidRedirectPath() before navigation.
Likely exposure
Exposure is most likely for internet-accessible or user-facing Teable deployments running versions 1.0 through 1.9.x, especially where sign-up or login routes are reachable by untrusted users. The source bundle names the fixed release as release.2026-04-21T08-57-20Z.1513.
Exploitation context
The sources say the attack can be carried out remotely and that exploit material is publicly available. KEV status is false, and the provided sources do not confirm active exploitation in the wild. The CVSS vector requires user interaction, so practical impact depends on phishing or crafted-link exposure.
Researcher notes
There is a source inconsistency: the affected version list includes the named release, while the description and vendor statement identify that release as fixed. Prioritize the vendor statement and patch reference, and verify exact package or image provenance in the local environment.
Mitigation direction
- Upgrade Teable to release.2026-04-21T08-57-20Z.1513 or later.
- Confirm login redirects validate with isValidRedirectPath() before navigation.
- Review vendor release notes and advisories for deployment-specific guidance.
- Reduce exposure of sign-up/login routes where business requirements allow.
- Monitor for suspicious login redirects until patching is complete.
Validation and detection
- Inventory Teable instances and record exact deployed versions.
- Check whether public login and sign-up routes are internet-accessible.
- Verify the patched redirect validation exists in deployed LoginPage.tsx code.
- Review logs for unusual redirect parameter usage around login flows.
- Run authorized regression tests for login redirects after upgrading.
Public sources used
- CVE Program
- CVE List V5
- VDB-365628 | teableio teable Sign-up LoginPage.tsx cross site scripting
- Submit #815798 | Teable < release.2026-04-21T08-57-20Z.1513 DOM-Based XSS, Open Redirect
- Public exploit reference
- Teable pull request #2827
- Teable release release.2026-04-21T08-57-20Z.1513
- Teable repository
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-94: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2026-9566 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.3 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
SSVC decision data
CVSS vector scores
4 official scoresWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P — — VulDB AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C 10 2.9 VulDB CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C 2.8 1.4 VulDB CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C 2.8 1.4 VulDB Vulnerability scoring details
Base CVSS 4.0 score
5.3 MediumVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Base CVSS 3.1 score
4.3 MediumVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Base CVSS 3.0 score
4.3 MediumVector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Base CVSS 2.0 score
5 MediumVector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- Source timeline VulDB
Advisory disclosed
- Source timeline VulDB
VulDB entry created
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline VulDB
VulDB entry last update
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
ADP provider summaries
Source materials
- CVE List V5 source CVE List V5
- VDB-365628 | teableio teable Sign-up LoginPage.tsx cross site scripting CVE reference, VulDB · vdb-entry, technical-description
- VDB-365628 | CTI Indicators (IOB, IOC, TTP, IOA) CVE reference, VulDB · signature, permissions-required
- Submit #815798 | Teable < release.2026-04-21T08-57-20Z.1513 DOM-Based XSS, Open Redirect CVE reference, VulDB · third-party-advisory
- https://gist.github.com/TrebledJ/98575dc5aecb47433f02ff942e6aedf1 CVE reference, VulDB · exploit
- https://github.com/Teableio/Teable/pull/2827 CVE reference, VulDB · issue-tracking, patch
- https://github.com/teableio/teable/releases/tag/release.2026-04-21T08-57-20Z.1513 CVE reference, VulDB · patch
- https://github.com/Teableio/Teable/ CVE reference, VulDB · product
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Input During Web Page Generation
Improper Neutralization of Input During Web Page Generation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
CWE mapping pending import
This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.