

Hyperlink injection in public forms

User input was reflected in outgoing system e-mails. Fixed on the same day.

Advisory ID: IAIP-2026-001
Published: 2026-04-20
Severity: Medium · CVSS 5.3
Status: Resolved (deployed)
Reporter: Ather Iqbal (OSCP, OSWE), Alpha Inferno Pvt Ltd
Affected: Public signup, register and contact endpoints on interaip.ai

Summary

A hyperlink-injection vulnerability allowed content from the "name", "company" and "phone" fields on public forms to be reflected in outgoing system e-mails. Combined with sub-address aliasing (user+tag@gmail.com), an attacker could use InterAIP.ai's trusted sending infrastructure to deliver phishing links to third parties.

No account takeover or user enumeration was possible. A secondary CRLF header-injection risk in SmtpMailer was also identified and fixed during remediation.

Internal reference: INT-206
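As an added illustration, not InterAIP.ai's own code, the two controls the advisory describes in Python: rejecting link-like content and line breaks in the name, company and phone fields before they are rendered into an e-mail, and refusing CR/LF when composing headers. The helper names (validate_field, safe_header, build_notification, is_rejected) and the sales@ recipient are constructed placeholders.

```python
import re

# Anything that looks like a scheme, a www. host or a "host.tld/" path in a
# free-text field; such content has no business in a name or company.
URL_LIKE = re.compile(r"(?:https?:|ftp:|mailto:|www\.|\.[a-z]{2,}/)", re.IGNORECASE)
# A bare CR or LF inside a header value lets extra headers be appended.
CRLF = re.compile(r"[\r\n]")
PHONE_OK = re.compile(r"^\+?[0-9 ()./-]{5,20}$")
FIELD_LIMITS = {"name": 80, "company": 120, "phone": 20}  # constructed limits


def validate_field(field: str, value: str) -> str:
    """Return the cleaned value or raise ValueError (hypothetical helper)."""
    value = value.strip()
    if not value or len(value) > FIELD_LIMITS[field]:
        raise ValueError(f"{field}: empty or too long")
    if CRLF.search(value):
        raise ValueError(f"{field}: line breaks are not allowed")
    if field == "phone":
        if not PHONE_OK.fullmatch(value):
            raise ValueError("phone: invalid characters")
    elif URL_LIKE.search(value):
        raise ValueError(f"{field}: links are not allowed")
    return value


def is_rejected(field: str, value: str) -> bool:
    """True when validate_field refuses the value (handy for checks)."""
    try:
        validate_field(field, value)
    except ValueError:
        return True
    return False


def safe_header(name: str, value: str) -> str:
    """Build one header line, refusing CR/LF so no header can be injected."""
    if CRLF.search(name) or CRLF.search(value) or ":" in name:
        raise ValueError("header injection attempt")
    return f"{name}: {value}"


def build_notification(form: dict) -> str:
    """Validate the public-form fields, then render the outgoing e-mail."""
    clean = {k: validate_field(k, form.get(k, "")) for k in FIELD_LIMITS}
    headers = [
        safe_header("Subject", f"New contact from {clean['name']}"),
        safe_header("To", "sales@example.invalid"),  # constructed address
    ]
    body = (f"Name: {clean['name']}\nCompany: {clean['company']}\n"
            f"Phone: {clean['phone']}\n")
    return "\r\n".join(headers) + "\r\n\r\n" + body
```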

Credits

Thanks to Ather Iqbal

Our thanks to Ather Iqbal (OSCP, OSWE) of Alpha Inferno Pvt Ltd for the responsible disclosure of this issue. Although this report arrived outside a formal disclosure programme, the technical detail and video PoC were high-quality and helped us remediate quickly.


Responsible disclosure

Found a security issue on interaip.ai or in our widget? We'd like to hear about it. Send an e-mail to security@interaip.ai with a description, reproduction steps and any PoC. We confirm within one business day and keep you informed through remediation.