What is the CVSS score of CVE-2026-33868?

CVE-2026-33868 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.2%.

Which versions of Open Redirect are affected by CVE-2026-33868?

Organizations using Mastodon should be aware of moderate risk from CVE-2026-33868 rated CVSS 4.3. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2026-33868?

Yes, a public proof-of-concept exploit is available for CVE-2026-33868. Prioritise patching immediately. EPSS: 0.2%.

Open Redirect CVE-2026-33868

EUVD-2026-16783 MEDIUM

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2026-03-27 security-advisories@github.com

Open Redirect

4.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

4.5.8,4.3.21,4.4.15

EUVD ID Assigned

Mar 27, 2026 - 20:22 euvd

EUVD-2026-16783

Analysis Generated

Mar 27, 2026 - 20:22 vuln.today

CVE Published

Mar 27, 2026 - 20:16 nvd

MEDIUM 4.3

DescriptionGitHub Advisory

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the /web/* route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (%2F) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.

AnalysisAI

Mastodon prior to versions 4.5.8, 4.4.15, and 4.3.21 contains an unauthenticated Open Redirect vulnerability in the /web/* route that allows remote attackers to redirect users to arbitrary external domains via specially URL-encoded path segments. An attacker can exploit this to conduct phishing attacks or steal OAuth credentials by crafting malicious links that bypass Rails path normalization through URL-encoded slashes (%2F). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While the CVSS score of 4.3 is moderate, the attack vector (Network), low complexity, and lack of authentication requirements indicate broad attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious URL containing URL-encoded slashes in the `/web/*` path that, when clicked by a Mastodon user, redirects them to a phishing site mimicking the real Mastodon login page. The victim, believing they are on the legitimate domain, enters their credentials or grants OAuth permissions, which are then captured by the attacker. …
Remediation	Upgrade Mastodon immediately to version 4.5.8, 4.4.15, or 4.3.21 depending on your current release line. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM This Month

6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire

CVE-2026-45566 MEDIUM This Month

6.1 Jun 10

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authent

CVE-2026-50089 MEDIUM This Month

6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara

CVE-2026-10837 MEDIUM This Month

5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2026-10839 MEDIUM This Month

5.1 Jun 17

Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to

CVE-2026-33868 vulnerability details – vuln.today

Back

Open Redirect CVE-2026-33868

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code