Monthly
Open redirect in Redash versions 5.0.2 through 26.3.0 allows unauthenticated attackers to craft a login URL that silently forwards authenticated users to an attacker-controlled external site. The flaw in get_next_path() stripped scheme and netloc from the next parameter but failed to reject or normalize URLs with three or more leading slashes - a pattern browsers interpret as an absolute external reference (e.g., /login?next=////evil.com). No public exploit or CISA KEV listing has been identified at time of analysis, though the bypass technique is trivially reproducible from the advisory's own example.
Password reset token poisoning in the Grav API plugin (grav-plugin-api) before 1.0.4 lets an unauthenticated attacker hijack the account recovery flow by supplying an attacker-controlled host in the admin_base_url field (or Referer/Origin headers) of the POST /api/v1/auth/forgot-password request. Because the reset email's link is built from this unvalidated host, a victim who clicks it leaks a valid, unexpired reset token to the attacker, yielding full account takeover. No public exploit is identified at time of analysis, and it is not in CISA KEV, but VulnCheck's advisory and vendor GHSA-5xc4-j99p-cp4m confirm the flaw and a 1.0.4 fix.
Adobe Commerce is affected by an Improper Redirect (Open Redirect) vulnerability that could result in a Security feature bypass. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site, potentially enabling credential theft and account takeover. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.
Open redirect in Ivanti Xtraction before 2026.2.1 enables remote unauthenticated attackers to craft URLs that silently forward users to arbitrary external destinations. The vulnerability carries a Scope:Changed rating (S:C) in the CVSS vector, reflecting that the impact extends beyond the vulnerable application to the user's browser environment - a hallmark of effective phishing and credential harvesting campaigns. No public exploit code and no CISA KEV listing exist at time of analysis, and the AC:H metric in the vendor-provided vector suggests exploitation may not be trivially reliable in all configurations.
Unauthorized access in SAP Approuter arises because the component fails to validate incoming request headers during the OAuth2 login flow under certain configurations (CWE-601, open redirect). An unauthenticated remote attacker who lures a victim into clicking a crafted link can hijack the authentication flow to gain high-confidentiality and high-integrity access to the application. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the network-reachable, low-complexity nature (CVSS 8.1) makes it a meaningful patch priority for SAP BTP/Cloud Foundry environments.
Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by forwarding victims from a trusted Drupal domain to an attacker-controlled site via crafted URLs. The exposure spans the 10.x and 11.x release trains, creating a broad attack surface across the Drupal install base. EPSS probability sits at 0.13% (3rd percentile) and the vulnerability is absent from CISA KEV, indicating low observed exploitation to date despite the wide version coverage.
Open redirect in Snipe-IT prior to 8.6.2 allows unauthenticated attackers to abuse the application as a trusted redirector against authenticated users. The user edit workflow persists the HTTP Referer header - which an attacker can control - into Laravel's session-stored intended URL, then unconditionally honors it via redirect()->intended() when redirect_option=back is submitted by a legitimate user. No public exploit code and no CISA KEV listing have been identified at time of analysis; the vulnerability is a medium-severity phishing-chain enabler rather than a direct system compromise.
Token theft via open redirect in the Authorizer identity server (authorizerdev/authorizer) lets an unauthenticated attacker steal a logged-in victim's OAuth/OIDC tokens. The /authorize endpoint fails to validate the redirect_uri against AllowedOrigins, so with response_type=token or id_token the server appends access_token, id_token, and refresh_token to any attacker-supplied URL via a 302 redirect. Detailed reproduction steps are public in advisory GHSA-h29v-hj44-q8cv, and the required client_id is trivially harvested from the unauthenticated /graphql meta query; no active exploitation is confirmed in CISA KEV at time of analysis.
Open redirect bypass in openrun prior to v0.17.7 allows remote unauthenticated attackers to redirect victims to arbitrary external URLs by exploiting a double-slash path prefix that evades the application's host/scheme validation. The referrer-based redirect logic correctly validates the host and scheme but passes the extracted path `//attacker.com` to the Location header, which browsers interpret as a protocol-relative URL and resolve to an external destination. A proof-of-concept is publicly documented in the security advisory; no active exploitation has been confirmed by CISA KEV at time of analysis.
Open Redirect via SAML SSO cache poisoning in Nozomi Networks Guardian and CMC allows unauthenticated remote attackers to corrupt the server-side redirect cache for all users by submitting a crafted request to the SAML sign-in endpoint with a malicious redirection parameter. Victims who subsequently initiate SAML Single Sign-On are transparently redirected to attacker-controlled infrastructure, enabling phishing and credential theft. The flaw additionally disrupts legitimate SAML authentication for affected users, introducing an availability dimension beyond the typical Open Redirect threat model. No active exploitation (KEV) or public exploit code has been identified at time of analysis.
Open redirect in Redash versions 5.0.2 through 26.3.0 allows unauthenticated attackers to craft a login URL that silently forwards authenticated users to an attacker-controlled external site. The flaw in get_next_path() stripped scheme and netloc from the next parameter but failed to reject or normalize URLs with three or more leading slashes - a pattern browsers interpret as an absolute external reference (e.g., /login?next=////evil.com). No public exploit or CISA KEV listing has been identified at time of analysis, though the bypass technique is trivially reproducible from the advisory's own example.
Password reset token poisoning in the Grav API plugin (grav-plugin-api) before 1.0.4 lets an unauthenticated attacker hijack the account recovery flow by supplying an attacker-controlled host in the admin_base_url field (or Referer/Origin headers) of the POST /api/v1/auth/forgot-password request. Because the reset email's link is built from this unvalidated host, a victim who clicks it leaks a valid, unexpired reset token to the attacker, yielding full account takeover. No public exploit is identified at time of analysis, and it is not in CISA KEV, but VulnCheck's advisory and vendor GHSA-5xc4-j99p-cp4m confirm the flaw and a 1.0.4 fix.
Adobe Commerce is affected by an Improper Redirect (Open Redirect) vulnerability that could result in a Security feature bypass. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site, potentially enabling credential theft and account takeover. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.
Open redirect in Ivanti Xtraction before 2026.2.1 enables remote unauthenticated attackers to craft URLs that silently forward users to arbitrary external destinations. The vulnerability carries a Scope:Changed rating (S:C) in the CVSS vector, reflecting that the impact extends beyond the vulnerable application to the user's browser environment - a hallmark of effective phishing and credential harvesting campaigns. No public exploit code and no CISA KEV listing exist at time of analysis, and the AC:H metric in the vendor-provided vector suggests exploitation may not be trivially reliable in all configurations.
Unauthorized access in SAP Approuter arises because the component fails to validate incoming request headers during the OAuth2 login flow under certain configurations (CWE-601, open redirect). An unauthenticated remote attacker who lures a victim into clicking a crafted link can hijack the authentication flow to gain high-confidentiality and high-integrity access to the application. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the network-reachable, low-complexity nature (CVSS 8.1) makes it a meaningful patch priority for SAP BTP/Cloud Foundry environments.
Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by forwarding victims from a trusted Drupal domain to an attacker-controlled site via crafted URLs. The exposure spans the 10.x and 11.x release trains, creating a broad attack surface across the Drupal install base. EPSS probability sits at 0.13% (3rd percentile) and the vulnerability is absent from CISA KEV, indicating low observed exploitation to date despite the wide version coverage.
Open redirect in Snipe-IT prior to 8.6.2 allows unauthenticated attackers to abuse the application as a trusted redirector against authenticated users. The user edit workflow persists the HTTP Referer header - which an attacker can control - into Laravel's session-stored intended URL, then unconditionally honors it via redirect()->intended() when redirect_option=back is submitted by a legitimate user. No public exploit code and no CISA KEV listing have been identified at time of analysis; the vulnerability is a medium-severity phishing-chain enabler rather than a direct system compromise.
Token theft via open redirect in the Authorizer identity server (authorizerdev/authorizer) lets an unauthenticated attacker steal a logged-in victim's OAuth/OIDC tokens. The /authorize endpoint fails to validate the redirect_uri against AllowedOrigins, so with response_type=token or id_token the server appends access_token, id_token, and refresh_token to any attacker-supplied URL via a 302 redirect. Detailed reproduction steps are public in advisory GHSA-h29v-hj44-q8cv, and the required client_id is trivially harvested from the unauthenticated /graphql meta query; no active exploitation is confirmed in CISA KEV at time of analysis.
Open redirect bypass in openrun prior to v0.17.7 allows remote unauthenticated attackers to redirect victims to arbitrary external URLs by exploiting a double-slash path prefix that evades the application's host/scheme validation. The referrer-based redirect logic correctly validates the host and scheme but passes the extracted path `//attacker.com` to the Location header, which browsers interpret as a protocol-relative URL and resolve to an external destination. A proof-of-concept is publicly documented in the security advisory; no active exploitation has been confirmed by CISA KEV at time of analysis.
Open Redirect via SAML SSO cache poisoning in Nozomi Networks Guardian and CMC allows unauthenticated remote attackers to corrupt the server-side redirect cache for all users by submitting a crafted request to the SAML sign-in endpoint with a malicious redirection parameter. Victims who subsequently initiate SAML Single Sign-On are transparently redirected to attacker-controlled infrastructure, enabling phishing and credential theft. The flaw additionally disrupts legitimate SAML authentication for affected users, introducing an availability dimension beyond the typical Open Redirect threat model. No active exploitation (KEV) or public exploit code has been identified at time of analysis.