Beveiligingsadviezen › IAIP-2026-001
User input was reflected in outgoing system e-mails. Fixed on the same day.
A hyperlink-injection vulnerability allowed content from the "name", "company" and "phone" fields on public forms to be reflected in outgoing system e-mails. Combined with sub-address aliasing (user+tag@gmail.com), an attacker could use InterAIP.ai's trusted sending infrastructure to deliver phishing links to third parties.
No account takeover or user enumeration was possible. A secondary CRLF header-injection risk in SmtpMailer was also identified and fixed during remediation.
Interne referentie:
INT-206
Our thanks to Ather Iqbal (OSCP, OSWE) of Alpha Inferno Pvt Ltd for the responsible disclosure of this issue. Although this report arrived outside a formal disclosure programme, the technical detail and video PoC were high-quality and helped us remediate quickly.
Heeft u een beveiligingsprobleem op zelixai.ai of in onze widget gevonden? Wij horen het graag. Stuur een e-mail naar security@zelixai.ai met een beschrijving, reproductiestappen en eventuele PoC. Wij bevestigen binnen één werkdag en houden u op de hoogte tot en met de remediation.