Open Redirect
CVE-2026-33885
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows.
Patches
This has been fixed in 5.73.16 and 6.7.2.
AnalysisAI
Statamic CMS versions prior to 5.73.16 and 6.7.2 contain an open redirect vulnerability in external URL detection logic that protects unauthenticated endpoints. Unauthenticated remote attackers can exploit insufficient redirect validation to bypass security controls and redirect users to attacker-controlled external URLs following form submissions or authentication workflows, potentially facilitating phishing, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability exists in Statamic CMS's redirect validation mechanism (pkg:composer/statamic_cms) which is designed to prevent open redirects on unauthenticated endpoints. The root cause is classified as CWE-601 (URL Redirection to Untrusted Site / Open Redirect), a common web security weakness where insufficient validation of redirect targets allows attackers to craft malicious URLs. The external URL detection function fails to properly sanitize or validate user-supplied redirect parameters before passing them to redirect operations, particularly in contexts following form submissions and authentication flows. This affects both major version lines: 5.x (prior to 5.73.16) and 6.x (prior to 6.7.2), indicating the flaw existed across multiple release branches of the Composer package.
RemediationAI
Upgrade Statamic CMS to version 5.73.16 (for 5.x branch) or version 6.7.2 (for 6.x branch) immediately. See the official security advisory at https://github.com/statamic/cms/security/advisories/GHSA-7f74-7q5w-hj4r for detailed upgrade instructions. Until patching is possible, implement defense-in-depth controls: enforce strict Content-Security-Policy headers to restrict redirect targets to internal origins only, log and monitor redirect parameters on unauthenticated endpoints for suspicious patterns, and educate users to verify URL domains before submitting authentication forms. Web application firewall rules blocking redirect parameters pointing to external domains may provide temporary mitigation, though patch deployment is the authoritative fix.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today