Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it is possible to redirect users from the legitimate website to external pages. An attacker could exploit this vulnerability to deceive users and redirect them from a trusted URL to a malicious one without their knowledge.
AnalysisAI
Open redirection in Cradle eCommerce login form endpoint allows attackers to redirect authenticated users to arbitrary external URLs via the unvalidated 'returnUrl' parameter, enabling phishing and credential theft attacks. The vulnerability affects the latest demo version and requires user interaction to click a malicious link, but carries low real-world exploitation probability (EPSS 0.04%) and no confirmed active exploitation at time of analysis.
Technical ContextAI
The vulnerability stems from CWE-601 (URL Redirection to Untrusted Site / Open Redirect), a class of flaws where web applications accept user-supplied URLs as parameters without validation or allowlisting. In this case, the Cradle eCommerce login endpoint processes the 'returnUrl' parameter directly in redirect logic, accepting any domain. The application fails to implement URL validation patterns such as destination domain whitelisting, relative-URL enforcement, or hostname verification before performing server-side or client-side redirects. This is a common pattern in authentication flows where post-login redirect URLs improve user experience but create security risks if not carefully validated.
RemediationAI
Apply URL validation to all redirect parameters, specifically the 'returnUrl' field in the login endpoint. Implement one of the following approaches with trade-offs: (1) Allowlist whitelisting - maintain a server-side list of permitted redirect domains; most secure but requires maintenance when legitimate destinations change. (2) Relative URL enforcement - accept only relative paths (e.g., '/dashboard') and reject absolute URLs (e.g., 'https://evil.com'); simplest to implement but restricts cross-domain legitimate redirects. (3) URL parsing and hostname verification - parse the URL and verify the hostname against a known-good list before redirect; moderate complexity. Vendor has not released a specific patch version at time of analysis; contact Cradle support or await an official security update. For demo environments, disable the returnUrl feature entirely if not required for testing, or implement it only in controlled staging environments with restricted external access.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28545
GHSA-m29c-gmm3-c3v9