CVE-2026-35482
8.0 HIGH
Published: 2026-06-02 · Last updated: 2026-06-04
Severity and scoring
- CVSS: 8.0 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
- CWE: CWE-863
Description
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system commands on the server. The extension system is intended to execute restricted JavaScript in a sandboxed Rhino environment; however, a combination of an unguarded injected Java object (`returnClass`) and an incomplete AST blocklist allows the sandbox to be fully escaped using Java reflection without triggering any validation errors. Version 2.0-M5-2606 patches the issue.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-47238 — ClipBucket v5 is an open source video sharing platform (6.5 MEDIUM)
- CVE-2026-53809 — OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to... (3.8 LOW)
- CVE-2026-53808 — OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls t... (6.5 MEDIUM)
- CVE-2026-53807 — OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users... (8.8 HIGH)
- CVE-2026-46519 — mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management (8.8 HIGH)