Skip to main content

Open Redirect CVE-2026-21879

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-01-08 security-advisories@github.com
Open Redirect Kanboard
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 20, 2026 - 18:15 vuln.today
Public exploit code
Patch released
Jan 20, 2026 - 18:15 nvd
Patch available
CVE Published
Jan 08, 2026 - 02:15 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49.

AnalysisAI

Open redirect vulnerability in Kanboard versions 1.2.48 and below allows attackers to bypass URL validation and redirect authenticated users to malicious websites through specially crafted URLs. Public exploit code exists for this vulnerability, which can be leveraged for phishing attacks and credential theft. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment CVSS 4.7 (MEDIUM). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker (requires authentication) could exploit this vulnerability to redirect authenticated users to attacker-controlled websites.
Remediation A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM
6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire
CVE-2026-45566 MEDIUM
6.1 Jun 10

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authent
CVE-2026-50089 MEDIUM
6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara
CVE-2026-10837 MEDIUM
5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2026-10839 MEDIUM
5.1 Jun 17

Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to

Share

CVE-2026-21879 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy