Skip to main content

Open Redirect

1478 CVEs product

Monthly

CVE-2026-52881 PHP CRITICAL PATCH GHSA Act Now

Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. There is no public exploit identified at time of analysis, no CISA KEV listing, and no CVSS/EPSS score in the provided data; the issue was reported by watchTowr and fixed in 2.28.4.

Open Redirect PHP XSS
NVD GitHub
CVE-2026-52847 PHP CRITICAL PATCH GHSA Act Now

Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. The advisory states no authentication is required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Open Redirect PHP XSS
NVD GitHub
CVE-2026-33213 MEDIUM This Month

Open redirect in Redash versions 5.0.2 through 26.3.0 allows unauthenticated attackers to craft a login URL that silently forwards authenticated users to an attacker-controlled external site. The flaw in get_next_path() stripped scheme and netloc from the next parameter but failed to reject or normalize URLs with three or more leading slashes - a pattern browsers interpret as an absolute external reference (e.g., /login?next=////evil.com). No public exploit or CISA KEV listing has been identified at time of analysis, though the bypass technique is trivially reproducible from the advisory's own example.

Open Redirect Redash
NVD GitHub
CVSS 3.1
6.1
CVE-2026-61451 CRITICAL PATCH Act Now

Password reset token poisoning in the Grav API plugin (grav-plugin-api) before 1.0.4 lets an unauthenticated attacker hijack the account recovery flow by supplying an attacker-controlled host in the admin_base_url field (or Referer/Origin headers) of the POST /api/v1/auth/forgot-password request. Because the reset email's link is built from this unvalidated host, a victim who clicks it leaks a valid, unexpired reset token to the attacker, yielding full account takeover. No public exploit is identified at time of analysis, and it is not in CISA KEV, but VulnCheck's advisory and vendor GHSA-5xc4-j99p-cp4m confirm the flaw and a 1.0.4 fix.

Open Redirect Grav
NVD GitHub
CVSS 4.0
9.4
CVE-2026-48000 MEDIUM This Month

Adobe Commerce is affected by an Improper Redirect (Open Redirect) vulnerability that could result in a Security feature bypass. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site, potentially enabling credential theft and account takeover. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.

Open Redirect Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2026-14902 MEDIUM This Month

Open redirect in Ivanti Xtraction before 2026.2.1 enables remote unauthenticated attackers to craft URLs that silently forward users to arbitrary external destinations. The vulnerability carries a Scope:Changed rating (S:C) in the CVSS vector, reflecting that the impact extends beyond the vulnerable application to the user's browser environment - a hallmark of effective phishing and credential harvesting campaigns. No public exploit code and no CISA KEV listing exist at time of analysis, and the AC:H metric in the vendor-provided vector suggests exploitation may not be trivially reliable in all configurations.

Open Redirect Ivanti Xtraction
NVD
CVSS 3.1
4.0
EPSS
0.5%
CVE-2026-44745 HIGH PATCH This Week

Unauthorized access in SAP Approuter arises because the component fails to validate incoming request headers during the OAuth2 login flow under certain configurations (CWE-601, open redirect). An unauthenticated remote attacker who lures a victim into clicking a crafted link can hijack the authentication flow to gain high-confidentiality and high-integrity access to the application. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the network-reachable, low-complexity nature (CVSS 8.1) makes it a meaningful patch priority for SAP BTP/Cloud Foundry environments.

SAP Authentication Bypass Open Redirect Sap Approuter
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-55806 PHP MEDIUM PATCH This Month

Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by forwarding victims from a trusted Drupal domain to an attacker-controlled site via crafted URLs. The exposure spans the 10.x and 11.x release trains, creating a broad attack surface across the Drupal install base. EPSS probability sits at 0.13% (3rd percentile) and the vulnerability is absent from CISA KEV, indicating low observed exploitation to date despite the wide version coverage.

Open Redirect Drupal Core
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-55461 MEDIUM PATCH This Month

Open redirect in Snipe-IT prior to 8.6.2 allows unauthenticated attackers to abuse the application as a trusted redirector against authenticated users. The user edit workflow persists the HTTP Referer header - which an attacker can control - into Laravel's session-stored intended URL, then unconditionally honors it via redirect()->intended() when redirect_option=back is submitted by a legitimate user. No public exploit code and no CISA KEV listing have been identified at time of analysis; the vulnerability is a medium-severity phishing-chain enabler rather than a direct system compromise.

Open Redirect Snipe It
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-54072 Go CRITICAL PATCH GHSA Act Now

Token theft via open redirect in the Authorizer identity server (authorizerdev/authorizer) lets an unauthenticated attacker steal a logged-in victim's OAuth/OIDC tokens. The /authorize endpoint fails to validate the redirect_uri against AllowedOrigins, so with response_type=token or id_token the server appends access_token, id_token, and refresh_token to any attacker-supplied URL via a 302 redirect. Detailed reproduction steps are public in advisory GHSA-h29v-hj44-q8cv, and the required client_id is trivially harvested from the unauthenticated /graphql meta query; no active exploitation is confirmed in CISA KEV at time of analysis.

Open Redirect
NVD GitHub
CVSS 3.1
9.3
CVE-2026-56354 npm MEDIUM PATCH This Month

Stored cross-site scripting and open redirect vulnerabilities in n8n's Form Node allow authenticated users with workflow creation permissions to inject malicious scripts or phishing redirects that execute in the browsers of end users who interact with published forms. Affected across both the 1.x branch (before 1.123.24) and the 2.x branch (before 2.10.4 and 2.12.0). The attack surface is the Form Node's HTML description fields, which accept unsanitized markup, combined with an overly permissive iframe sandbox policy - creating a persistent attack vector embedded within legitimate workflows. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Open Redirect N8n
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-55252 Go MEDIUM POC PATCH GHSA This Month

Open redirect bypass in openrun prior to v0.17.7 allows remote unauthenticated attackers to redirect victims to arbitrary external URLs by exploiting a double-slash path prefix that evades the application's host/scheme validation. The referrer-based redirect logic correctly validates the host and scheme but passes the extracted path `//attacker.com` to the Location header, which browsers interpret as a protocol-relative URL and resolve to an external destination. A proof-of-concept is publicly documented in the security advisory; no active exploitation has been confirmed by CISA KEV at time of analysis.

Google Apple Open Redirect Microsoft Mozilla
NVD GitHub
CVE-2026-31982 MEDIUM PATCH This Month

Open Redirect via SAML SSO cache poisoning in Nozomi Networks Guardian and CMC allows unauthenticated remote attackers to corrupt the server-side redirect cache for all users by submitting a crafted request to the SAML sign-in endpoint with a malicious redirection parameter. Victims who subsequently initiate SAML Single Sign-On are transparently redirected to attacker-controlled infrastructure, enabling phishing and credential theft. The flaw additionally disrupts legitimate SAML authentication for affected users, introducing an availability dimension beyond the typical Open Redirect threat model. No active exploitation (KEV) or public exploit code has been identified at time of analysis.

Open Redirect Guardian Cmc
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-31981 MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC (N2OS) allows authenticated administrators to embed malicious HTML into configuration data rendered in the Diagram tab and Graph view, enabling phishing and open redirect attacks against other authenticated users who view the affected pages. The vulnerability originates from a shared input validation function applied across multiple input vectors in N2OS that is insufficiently restrictive, permitting certain HTML tags to persist. Full XSS exploitation and direct information disclosure are explicitly constrained by existing input validation and a Content Security Policy, limiting realistic attacker impact to social engineering vectors. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

XSS Open Redirect Information Disclosure Guardian Cmc
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-49456 npm LOW PATCH GHSA Monitor

Open redirect in waku's `unstable_redirect()` server-side router helper allows a network attacker to redirect victims' browsers to arbitrary external domains - including phishing sites for credential harvesting and OAuth token theft - by injecting a malicious `location` string into any waku route that passes user-controlled query parameters to the function. The vulnerability affects waku 1.0.0-beta.0 across all supported runtime adapters (Node.js, Cloudflare Workers, Vercel Edge, Deno), as the reflection path in `handler.ts` is shared. A dynamic proof-of-concept was confirmed by the reporter in two independent Docker-based runs against commit 8e9f542; no vendor-released patch is confirmed at time of analysis, though a v1.0.0-beta.1 release tag appears in advisory references.

Node.js Open Redirect Docker
NVD GitHub
CVSS 3.1
3.1
CVE-2026-59806 MEDIUM PATCH This Month

Open redirect and client-side SSRF in Gradio before 6.20.0 expose cloud infrastructure credentials to network attackers via the /gradio_api/file= endpoint. The file_fetch() function accepts unvalidated HTTP/HTTPS URLs from attacker-controlled FileData responses, enabling redirection of victim browsers to arbitrary destinations including cloud metadata services such as the EC2 instance metadata endpoint (169.254.169.254). Successful exploitation in cloud-hosted Gradio deployments allows retrieval of IAM role credentials, achieving high subsequent-system confidentiality impact. No public exploit or CISA KEV listing is identified at time of analysis; a fix is available in version 6.20.0.

SSRF Open Redirect
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.2%
CVE-2026-54724 PyPI MEDIUM GHSA This Month

Open redirect in Kiwi TCMS's account confirmation endpoint allows unauthenticated remote attackers to craft URLs hosted on a legitimate organizational Kiwi TCMS instance that silently redirect victims to arbitrary external domains. All deployments running versions prior to v16.1 are affected, with no authentication required from the attacker - only a victim click. The primary threat is high-trust phishing: because the malicious link originates from the organization's own hostname, it bypasses email security filters and link-reputation checks, enabling convincing credential-harvesting or malware delivery campaigns targeting engineering and QA staff. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Open Redirect
NVD GitHub
CVSS 3.1
6.1
CVE-2026-53935 Go MEDIUM PATCH GHSA This Month

Traffic hijacking in Cilium's CiliumLocalRedirectPolicy (CLRP) mechanism allows a cluster user with RBAC permission to create CLRPs to specify arbitrary ClusterIPs via the addressMatcher field, redirecting service traffic across namespace boundaries and circumventing the namespace-scoping guarantees that serviceMatcher is designed to enforce. Affected versions span Cilium v1.17 (all prior to v1.17.16), v1.18.2-v1.18.9, and v1.19.0-v1.19.3. A compounding secondary behavior causes complete service translation failure when a maliciously crafted CLRP is deleted, enabling a denial-of-service condition against any targeted Service. No public exploit has been identified at time of analysis, and exploitation is constrained to users holding elevated cluster RBAC privileges; this is not confirmed actively exploited (CISA KEV).

Open Redirect
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.3%
CVE-2026-14632 LOW POC PATCH Monitor

Open redirect in kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows remote attackers to manipulate the href argument of the setReferrer() function in the Trusted Backend Interface, redirecting users to arbitrary attacker-controlled URLs. A publicly available proof-of-concept exploit exists (CVSS 4.0 E:P), lowering the exploitation barrier for phishing and credential harvesting campaigns. This vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.

Open Redirect PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-41106 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Privilege elevation in Microsoft 365 Copilot arises from an open redirect (CWE-601) that lets an unauthenticated remote attacker craft a Copilot-hosted URL that forwards a victim to an attacker-controlled site. Per the CVSS vector this requires the victim to interact (UI:R) with the malicious link and results in a scope change with high confidentiality and integrity impact, consistent with token/credential capture enabling elevated access. There is no public exploit identified at time of analysis (Exploit Maturity: Unproven), and it is not listed in CISA KEV; Microsoft rates it 9.3 and reports an official fix is available.

Open Redirect Microsoft 365 Copilot
NVD VulDB
CVSS 3.1
9.3
EPSS
0.5%
CVE-2026-50192 Go MEDIUM POC PATCH GHSA This Month

{}` that carries no `CheckRedirect` policy. Because Go's `net/http` strips only the standard `Authorization`, `Cookie`, and `WWW-Authenticate` headers on cross-host redirects - not arbitrary custom headers - any 30x redirect issued by the configured `HubURI` causes both keys to be forwarded verbatim to the redirect destination. A proof-of-concept confirming the leak has been provided by the reporter; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect Information Disclosure
NVD GitHub
CVE-2026-49826 Go LOW PATCH GHSA Monitor

Open redirect in Concourse's web login flow allows a remote unauthenticated attacker to craft a URL that silently redirects an authenticated user to an arbitrary external site upon completing the login process. Concourse versions prior to 8.2.3 are affected via the `/sky/login` endpoint's `redirect_uri` parameter. While no credentials are leaked server-side, the post-login redirect to an attacker-controlled site creates a high-fidelity phishing vector targeting CI/CD operators and developers - users who typically hold sensitive pipeline secrets and source-code access. No public exploit identified at time of analysis, though the advisory provides a fully working proof-of-concept URL.

Open Redirect
NVD GitHub
CVE-2026-58520 MEDIUM PATCH This Month

Open redirect exploitation in the Wikimedia Foundation MediaWiki UrlShortener Extension enables unauthenticated network attackers to craft shortened URLs hosted on trusted MediaWiki domains that silently redirect victims to arbitrary external sites, facilitating phishing and Cross-Site Flashing attacks. All versions of the extension prior to 1.43.9, 1.44.6, and 1.45.4 across their respective branches are affected. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the unauthenticated and network-accessible nature of URL shortener services makes social-engineering abuse low-effort once a target instance is identified.

Open Redirect Mediawiki Urlshortener Extension
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-58450 MEDIUM POC This Month

Open redirect in Invoice Ninja's client portal login (through version 5.13.26) enables unauthenticated attackers to craft login URLs that transparently redirect authenticated victims to attacker-controlled external sites after they complete a legitimate login. The vulnerability stems from the `intended` query parameter being stored in the session without host validation, then emitted verbatim by the `ContactLoginController::authenticated()` handler post-login, making it a reliable phishing vector against Invoice Ninja clients. A publicly available proof-of-concept exists; no CISA KEV listing is present at time of analysis.

Open Redirect Invoiceninja
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-10562 MEDIUM PATCH This Month

Open redirect in the TP-Link Archer AX20 V2 embedded web server allows unauthenticated attackers to craft URLs containing URL-encoded path traversal sequences that cause the device to issue HTTP 3xx redirects toward attacker-controlled external domains. All firmware versions through 2.1.9 Build 20230829 on the V2.0 hardware revision are confirmed affected per TP-Link's own advisory and CPE data. No public exploit identified at time of analysis, and a vendor-released patch is available; active exploitation has not been confirmed by CISA KEV.

Path Traversal Open Redirect Archer Ax20 V2 0
NVD
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-49820 Go MEDIUM PATCH GHSA This Month

Open redirect in Probo's saferedirect package allows unauthenticated remote attackers to bypass same-origin URL validation across all authentication flows - OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links. A crafted URL such as /../\evil.com passes the flawed second-character check, and Go's http.Redirect normalizer collapses it to /\evil.com before setting the Location header; browsers then interpret the backslash as a host separator and navigate victims to an attacker-controlled domain. No public exploit is identified at time of analysis and the CVE carries no CISA KEV listing, but the authentication-flow context makes this a credible, high-value phishing vector. Self-hosted deployments must upgrade to probod v0.194.1.

Open Redirect
NVD GitHub
CVSS 3.1
4.7
CVE-2026-13163 MEDIUM PATCH This Month

Open redirect in Mailerup's click-tracking endpoint allows remote unauthenticated attackers to redirect victims to arbitrary external domains by supplying a crafted `u` query parameter to `/c/<token>/`. The `_safe_redirect` function blocks only `javascript:` and `data:` schemes without restricting the destination host, and silently swallows `signing.BadSignature` exceptions - making token validation entirely bypassable. No CISA KEV listing or public exploit code has been identified; exploitation requires victim interaction but no attacker authentication against the Mailerup instance.

Open Redirect Mailerup
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-52802 Go MEDIUM PATCH GHSA This Month

Open redirect in Gogs versions up to and including 0.14.2 allows unauthenticated remote attackers to craft login URLs that redirect authenticated users to arbitrary external sites after successful login. The root cause is a two-character-only URL validation in the `IsSameSite()` function: the path `/a/../\example.com` passes server-side inspection but resolves to `//example.com` after browsers normalize backslashes to forward slashes. A publicly available proof-of-concept with screenshots exists; this vulnerability is not in CISA KEV and active exploitation has not been confirmed at time of analysis.

Open Redirect Path Traversal
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2026-50132 npm HIGH PATCH GHSA This Week

Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.

Open Redirect Redis Authentication Bypass CSRF
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-56697 npm MEDIUM PATCH This Month

Open redirect in Nuxt 3.x before 3.21.7 and 4.x before 4.4.7 allows remote unauthenticated attackers to redirect victims to arbitrary external hosts by supplying protocol-relative paths such as `//evil.com` to the `reloadNuxtApp` composable. The function's only security gate checks whether the resolved URL's scheme is a script protocol; protocol-relative paths inherit the page's own scheme (`https:`), pass that check, and are then written directly to `window.location.href`. The practical consequence is phishing and OAuth authorization-code theft on any application that forwards user-controlled input into `reloadNuxtApp`. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the GHSA advisory notes this is part of a broader cluster of three URL-handling weaknesses in Nuxt's navigation APIs.

Open Redirect Nuxt
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56326 npm MEDIUM PATCH This Month

Server-side open redirect in Nuxt's `navigateTo` composable allows unauthenticated network attackers to bypass external-host checks by submitting path-normalized payloads such as `/..//evil.com` or `/.//evil.com`, which WHATWG URL parsing resolves to the protocol-relative URL `//evil.com`. Affected versions are Nuxt 4.0.0-4.4.6 and all 3.x releases before 3.21.7. Because Nuxt documentation presents `navigateTo` as the safe, built-in mechanism for post-login redirects, applications commonly pass unvalidated user-supplied redirect parameters directly to it - making OAuth authorization-code theft and phishing the principal real-world risks. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV.

Open Redirect Nuxt
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-12863 MEDIUM This Month

Unvalidated redirect in Venueless social login allows phishing attacks by abusing the trusted domain reputation of legitimate event platform instances. Any Venueless deployment with social login enabled is affected across all tracked versions (CPE wildcard), and an attacker can craft a social login URL embedding an arbitrary external redirect destination that executes silently after a victim completes OAuth authentication. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and authentication-flow context make this a credible phishing vector against event attendees and organizers.

Open Redirect Venueless
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-12804 LOW Monitor

Open redirect in LemonLDAP::NG versions up to and including 2.23.0 allows unauthenticated remote attackers to manipulate the `url` argument within the SAML Common Domain Cookie (CDC) endpoint, causing authenticated SSO users to be silently forwarded to arbitrary attacker-controlled domains. The SSO context makes this particularly high-consequence for phishing: victims trust the identity provider's domain, lowering suspicion of the crafted redirect URL. Publicly available exploit code exists (CVSS 4.0 E:P); no vendor patch has been confirmed, as the vendor was unresponsive to responsible disclosure by VulDB.

Open Redirect Lemonldap Ng
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-56332 MEDIUM PATCH This Month

Open redirect in Capgo's confirm-signup endpoint (all versions before 12.128.2) enables unauthenticated remote attackers to craft account confirmation links that silently redirect victims to arbitrary attacker-controlled websites. The unvalidated `confirmation_url` parameter in the confirm-signup flow accepts any external URL without domain allowlisting or sanitization, making legitimate Capgo-sending domains a trusted launchpad for phishing and credential harvesting. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering amplification risk is significant given the trusted-email-domain context.

Open Redirect Capgo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56330 MEDIUM PATCH This Month

Open redirect in Capgo's Stripe billing endpoints (stripe_portal and stripe_checkout) allows authenticated attackers to manipulate the callbackUrl, successUrl, and cancelUrl parameters to silently redirect users to attacker-controlled phishing domains after billing interactions. All Capgo releases before 12.128.2 are affected per vendor advisory GHSA-grc7-98pf-h8hq. Exploitation requires a valid Capgo account (CVSS PR:L) and victim interaction (UI:A), and no public exploit or CISA KEV listing exists at time of analysis; however, the Stripe payment context lends phishing lures unusual credibility, elevating realistic social-engineering risk above what the medium CVSS score alone implies.

Open Redirect Capgo
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-47645 HIGH PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft 365 Copilot's Business Chat is possible when an attacker abuses an open redirect (CWE-601) to coerce a victim into following a crafted link that lands on an attacker-controlled site. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation lets an unauthorized remote attacker elevate privileges over the network after user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Open Redirect 365 Copilot
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-55185 Go MEDIUM PATCH GHSA This Month

Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.

Microsoft Apple CSRF Open Redirect Mozilla +1
NVD GitHub
CVE-2026-12622 MEDIUM This Month

Open redirect in Microchip's GridTime 3000 GNSS Time Server allows authenticated low-privilege users to manipulate the post-submission redirect destination of the password change form, enabling phishing and credential harvesting attacks against administrators. All firmware versions from 1.0r0.03 through 1.1r0.0 are confirmed affected per vendor self-disclosure. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.

Open Redirect Gridtime 3000
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-48895 LOW Monitor

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP client headers, causing victim users to be redirected to attacker-controlled sites with potential session token leakage. Exploitation requires active user interaction and specific attack conditions (CVSS 4.0 AT:P, UI:A), yielding a vendor-assigned score of 2.1 (Low) - limiting realistic exposure to targeted phishing scenarios rather than opportunistic mass exploitation. No public exploit code or CISA KEV listing exists at time of analysis; the Apache Software Foundation has released a vendor-confirmed fix in version 3.17.0.

Apache Open Redirect Apache Apisix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-44915 LOW Monitor

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used in its default configuration. Affected are all APISIX deployments running versions 3.0.0 through 3.16.0 with cas-auth enabled. An unauthenticated remote attacker can craft a malicious CAS authentication URL that redirects victims to an attacker-controlled site, enabling session hijacking or credential harvesting. No public exploit or KEV listing is recorded at time of analysis, and the CVSS 4.0 base score of 2.1 reflects the attacker's dependence on user interaction and the absence of direct system-level impact.

Apache Open Redirect Apache Apisix
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-12049 MEDIUM PATCH This Month

Open redirect in pgAdmin 4's MFA validate and register endpoints allows network-accessible attackers to abuse the authentication flow as a phishing launchpad. Affected versions 6.0 through 9.15 pass the user-supplied 'next' query and form parameter directly to Flask's redirect response without verifying the target is same-origin, meaning a crafted URL such as /mfa/validate?next=https://attacker.example/fake-login silently forwards the victim from a trusted pgAdmin URL to an attacker-controlled site. No public exploit is identified at time of analysis and this CVE is not listed in CISA KEV; however, a reporter-supplied PoC was confirmed by the vendor and is documented in the upstream regression test suite.

Open Redirect Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-55590 PHP MEDIUM PATCH GHSA This Month

Open redirect in CakePHP Authentication's `getLoginRedirect()` method exposes users of affected applications to attacker-controlled redirects via backslash character bypass of hostname validation logic. Applications running `cakephp/authentication` below 3.3.6 (3.x branch) or between 4.0.0 and 4.1.1 (4.x branch) are vulnerable. No public exploit code or CISA KEV listing has been identified at time of analysis, though the backslash bypass technique is well-understood and lowers the bar for exploitation against unpatched deployments.

Open Redirect
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.6%
CVE-2026-25779 Go MEDIUM PATCH GHSA This Month

Open redirect in Gitea's login flow allows external domain hijacking by bypassing the `urlIsRelative` validation in `modules/httplib/url.go` through a combination of directory traversal sequences and a backslash in the `redirect_to` parameter. All Gitea instances running version 1.25.4 and below are affected; a working proof-of-concept is publicly available in the GitHub Security Advisory. Exploitation enables phishing via trusted Gitea domains, OAuth/SSO authorization code theft, Referer-header leakage of sensitive parameters, and potential cache poisoning — no public exploit identified as confirmed actively exploited (CISA KEV absent).

Gitea Path Traversal Open Redirect
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-9679 npm MEDIUM PATCH GHSA This Month

HTTP response header injection in undici's cookie parser exposes proxy, middleware, and SSR framework applications to session fixation, open redirect, and cache poisoning. The `parseSetCookie`, `parseCookie`, and `getSetCookies` functions incorrectly percent-decode cookie values using `qsUnescape`, converting encoded sequences such as `%0D%0A` into literal CRLF bytes in violation of RFC 6265 §5.4, which prescribes no such decoding. Any application that fetches from an attacker-controlled upstream and forwards the parsed cookie value into a downstream response header is exploitable; no public exploit has been identified at time of analysis, and patched releases v6.26.0, v7.28.0, and v8.5.0 are available.

Open Redirect Undici Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-20178 MEDIUM This Month

Open redirect in the browser-based Cisco Webex App allowed unauthenticated remote attackers to redirect users to attacker-controlled websites by crafting malicious URLs with manipulated parameters. The vulnerability (CWE-601) stems from improper input validation of URL parameters in HTTP requests and scores CVSS 4.3 Medium (AV:N/AC:L/PR:N/UI:R). Cisco has fully remediated this server-side with no customer action required; no public exploit or CISA KEV listing exists at time of analysis.

Cisco Open Redirect Cisco Webex App
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-32748 MEDIUM This Month

Host Header Injection in Dell PowerFlex Rack RCM 3.7 enables unauthenticated remote attackers to trigger open redirects by supplying a forged HTTP Host header, potentially redirecting victim users to attacker-controlled sites for phishing or credential harvesting. The CVSS 4.3 Medium score reflects the requirement for user interaction (UI:R) and limited confidentiality impact, with no integrity or availability consequence. No public exploit code has been identified at time of analysis, and the vulnerability has no CISA KEV listing.

Dell Open Redirect Powerflex Rack
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-10839 MEDIUM PATCH This Month

Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to manipulate the X-Forwarded-Host HTTP header to redirect authenticated users to attacker-controlled sites immediately following login or interface interaction. The vulnerability is particularly hazardous in the context of a credential store application, where a convincing post-login redirect to a cloned phishing interface could yield an attacker's full access to a victim's stored password vault. No public exploit code has been identified at time of analysis, and a vendor-released patch is available per the INCIBE advisory.

Open Redirect Password Manager
NVD
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-10837 MEDIUM PATCH This Month

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP header before using it to construct redirect URLs. Unauthenticated remote attackers can craft malicious links that, when clicked by a victim, silently redirect them to an attacker-controlled domain - a particularly dangerous vector given that the target application manages credentials. Reported by INCIBE, a vendor patch is available; no active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

Open Redirect Password Manager
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-46894 HIGH This Week

Account takeover in Oracle iSupplier Portal (E-Business Suite versions 12.2.3-12.2.15) allows a low-privileged remote attacker to fully compromise the application by tricking a separate user into interacting with attacker-supplied content over HTTPS. The Home Page component is the entry point, and successful exploitation yields full confidentiality, integrity, and availability impact on the portal. No public exploit identified at time of analysis, but Oracle's critical patch advisory confirms the issue is real and patchable.

Oracle Oracle Isupplier Portal Open Redirect
NVD VulDB
CVSS 3.1
8.0
EPSS
0.4%
CVE-2026-46806 HIGH This Week

Cross-context compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker over HTTPS to gain high-impact read access and limited write access to managed content, with effects that cross trust boundaries into additional Oracle Fusion Middleware products (scope change). Exploitation requires a victim to interact with attacker-controlled input (UI:R), and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Webcenter Content Open Redirect
NVD
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-35302 HIGH This Week

Server takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (Console component) allows a remote unauthenticated attacker who can lure an authenticated user into interacting with a crafted HTTP request to fully compromise the server with a scope change to other products. CVSS 8.3 reflects high impact tempered by high attack complexity and required user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Weblogic Server Open Redirect
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-35259 HIGH This Week

Full takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 is achievable by remote unauthenticated attackers via the Console component over HTTPS, provided a victim performs an action such as clicking a malicious link. The flaw carries a CVSS 3.1 base score of 8.8 with high impact across confidentiality, integrity, and availability, but exploitation hinges on user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Open Redirect
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-35258 HIGH This Week

Cross-scope data compromise in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 allows a low-privileged remote attacker over HTTPS to read, create, modify, or delete critical data through the administration Console, provided a separate user is induced to perform an action. The CVSS 3.1 base score of 8.7 reflects high confidentiality and integrity impact with scope change reaching beyond WebLogic itself, and no public exploit identified at time of analysis.

Authentication Bypass Oracle Weblogic Server Open Redirect
NVD VulDB
CVSS 3.1
8.7
EPSS
0.4%
CVE-2026-54276 PyPI MEDIUM PATCH GHSA This Month

DigestAuthMiddleware in aiohttp leaks HTTP Digest authentication credentials to attacker-controlled cross-origin redirect targets. Applications using DigestAuthMiddleware with the default follow_redirects behavior are affected in versions up to and including 3.14.0. When a server responds with a cross-origin redirect, the middleware incorrectly computes and sends a digest authentication response to the redirect destination, exposing the auth digest to the third-party domain. No public exploit has been identified at time of analysis, but exploitation is plausible wherever an open redirect exists on the origin server.

Information Disclosure Open Redirect
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-53523 Go MEDIUM POC PATCH GHSA This Month

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redirect OAuth2 callback URLs to attacker-controlled domains, enabling OAuth token theft and account takeover. The flaw resides in the getRedirectURL function (oauth2.go:22-29), which blindly concatenates the HTTP request's Host header with a fixed path when constructing the OAuth2 redirect URL, with no allowlisting or validation performed. A vendor-released patch exists in version 2.2.0; no public exploit has been identified at time of analysis and the vulnerability is not in the CISA KEV catalog.

Open Redirect Nezha
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-50089 MEDIUM PATCH This Month

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara-domain URLs that silently forward victims to attacker-controlled sites, enabling highly credible phishing campaigns targeting Aqara users and connected IoT ecosystem accounts. The vulnerability is particularly impactful in an SSO context because users are trained to trust authentication-domain URLs, dramatically lowering phishing detection rates. A public proof-of-concept repository exists on GitHub; no confirmed active exploitation per CISA KEV at time of analysis.

Open Redirect Aqara Iam Sso Gateway
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-45566 MEDIUM This Month

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled domains by exploiting a bypass in the login flow's URL filter. The filter blocks `next` parameter values containing `http://` or `https://` substrings but does not account for RFC-3986 userinfo@host syntax; submitting `next=@evil.example/path` causes the server to construct `https://victim.example@evil.example/path`, which modern browsers route to `evil.example`. No public exploit code has been identified at time of analysis, no patch is available, and this vulnerability is not listed in CISA KEV.

Nginx Open Redirect Apache
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-48856 HIGH PATCH This Week

Credential leakage in Erlang/OTP's inets httpc client (versions 17.0 through 29.0.2, 28.5.0.2, and 27.3.4.13) allows attacker-controlled servers to harvest Authorization and Proxy-Authorization headers by issuing cross-origin 3xx redirects. Because httpc_response:redirect/2 only updates the host field and copies all other headers verbatim - and autoredirect defaults to true - any httpc caller using HTTP Basic auth or URL userinfo silently forwards credentials to the redirect target. No public exploit identified at time of analysis, but the fix has been published upstream and tagged in vendor-released OTP patch versions.

Information Disclosure Open Redirect Otp Suse
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-53440 MEDIUM This Month

Open redirect in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) enables unauthenticated remote attackers to craft login URLs with a malicious external domain in the 'from' parameter under the 'Delegate to servlet container' security realm, silently redirecting authenticated users to attacker-controlled sites post-login for phishing purposes. The CVSS vector (PR:N, UI:R) confirms no attacker authentication is needed, but victim interaction is mandatory - the user must click a crafted link and complete a login. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; vendor-released patches are available as of 2026-06-10.

Jenkins Open Redirect Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-53437 MEDIUM This Month

Open redirect in Jenkins login flow enables phishing attacks by exploiting improper redirect URL validation. Tab or newline characters injected between `//` in a post-login redirect URL bypass Jenkins' legitimacy check, redirecting authenticated victims to attacker-controlled sites. Affects Jenkins weekly 2.567 and earlier and LTS 2.555.2 and earlier; vendor-released patches are available. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the bypass technique is trivially derivable from the public advisory.

Jenkins Open Redirect
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-53436 MEDIUM This Month

Open redirect exploitation in Jenkins allows unauthenticated network attackers to craft login URLs that bypass the post-authentication redirect validation and forward users to attacker-controlled external sites. Affected are Jenkins weekly releases through 2.567 and LTS releases through 2.555.2, where the redirect URL legitimacy check fails when the URL contains relative path segments such as `./` or `../`. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, placing this in a moderate-risk, phishing-enablement category rather than a direct system compromise class.

Jenkins Open Redirect Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41706 MEDIUM PATCH This Month

Open redirect in Spring Security's cookie-based saved-request components allows remote unauthenticated attackers to redirect authenticated users to arbitrary external URLs immediately after a successful login. The CookieRequestCache (servlet stack) and CookieServerRequestCache (reactive/WebFlux stack) store the full pre-authentication URL in a browser cookie and use it without origin validation as the post-login Location target, making this exploitable via a socially engineered link. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the S:C scope change and PR:N attack profile make this a meaningful phishing enabler in any Spring Security deployment using cookie-backed saved requests.

Open Redirect Java Spring Security
NVD HeroDevs VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41008 MEDIUM PATCH This Month

Spring Authorization Server's authorization endpoint fails to adequately validate the OAuth2/OIDC `request_uri` parameter, enabling unauthenticated remote attackers to craft authorization requests that bypass redirect URI validation entirely. Affected deployments running Spring Authorization Server 1.5.0-1.5.7 or Spring Security 7.0.0-7.0.5 can be exploited to redirect authenticated users to attacker-controlled destinations, a particularly elevated risk given that victims inherently trust the authorization server's domain during OAuth login flows. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect Java Spring Authorization Server Spring Security
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-47991 MEDIUM This Month

Open redirect in Adobe Experience Manager (versions 6.5.24, LTS SP1, 2026.04 and earlier) enables network-based attackers to craft malicious URLs that silently redirect victims to attacker-controlled sites, with Adobe's own advisory citing account takeover as the potential outcome. The attack requires no privileges or authentication on the attacker's side (PR:N per CVSS) but depends entirely on a victim clicking a crafted link (UI:R). No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis, though the account takeover potential meaningfully exceeds what the moderate CVSS 4.3 score alone conveys.

Adobe Open Redirect
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-28301 MEDIUM This Month

Open redirect in SolarWinds Observability Self-Hosted enables an authenticated low-privilege attacker on an adjacent network segment to supply a crafted external URL that redirects application traffic or users to an attacker-controlled site. The CVSS vector assigns High confidentiality impact (C:H) despite a medium overall score of 4.8, suggesting the redirect may expose sensitive data - such as session tokens or credentials - to the attacker-controlled destination, rather than being a simple phishing-only vector. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis. SolarWinds has released a patch in the HCO 2026.2 release.

Open Redirect
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-47347 PHP MEDIUM POC PATCH GHSA This Month

Open redirect exploitation in TYPO3 CMS allows unauthenticated remote attackers to bypass the `GeneralUtility::sanitizeLocalUrl` locality check by crafting URLs containing backslash sequences, control characters, or slash-pattern variations that the prior implementation failed to reject, redirecting victims to arbitrary external sites for phishing. All major active TYPO3 branches are affected: versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the bypass patterns are explicitly documented in the upstream fix's own test suite, substantially lowering the bar to reproduction.

Open Redirect
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-41844 MEDIUM PATCH This Month

Open redirect in Spring Framework (Spring MVC and Spring WebFlux) across four major version branches enables unauthenticated remote attackers to craft URLs that cause the application to issue a 302 HTTP redirect to an arbitrary attacker-controlled external host. The vulnerability is conditionally exploitable - requiring a catch-all wildcard route mapping without an explicit view name - and demands user interaction to trigger. CVSS rates this 4.2 Medium (AV:N/AC:H/PR:N/UI:R); no public exploit code or CISA KEV listing has been identified at time of analysis.

Open Redirect Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-41479 PyPI MEDIUM PATCH GHSA This Month

Unauthenticated open redirect in Authlib's OAuth 2.0 authorization endpoint allows any remote attacker to weaponize a trusted authorization server domain as a redirector - no client registration, no authenticated session, and no prior state required. The flaw affects all deployments of pip/authlib < 1.6.10 and == 1.7.0 running an authorization endpoint via the Flask or Django integrations. Publicly available exploit code exists and was dynamically confirmed against the live HEAD (v1.6.6-104-g68e6ab3f); no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV status absent), but the trivial, zero-prerequisite exploit path makes phishing and domain-allowlist bypass practical at scale.

Python Open Redirect
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-11502 LOW POC Monitor

Open redirect in JeecgBoot's ThirdLoginController (versions 3.9.0-3.9.2) allows remote attackers to manipulate the OAuth `state` parameter and redirect victims to attacker-controlled URLs via the third-party login flow. The vendor's own assessment confirms low real-world exploitability: successful exploitation requires social engineering to induce victims into clicking a crafted OAuth login link, and the affected third-party login feature (DingTalk, WeChat) is optional and likely disabled in most deployments. Publicly available exploit code exists, but no KEV listing indicates active exploitation campaigns at time of analysis.

Open Redirect Java
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-11477 LOW POC PATCH Monitor

Open redirect in hs-web hsweb-framework's OAuth2Client component (versions up to 5.0.1) allows remote unauthenticated attackers to redirect victims to attacker-controlled URLs by supplying a crafted redirect_uri during OAuth2 authorization flows. The root cause is a naive prefix-based string comparison using startsWith() in OAuth2Client.java, which trivially allows bypass via domain-prefix spoofing (e.g., registering https://app.example.com.attacker.com when the legitimate URI is https://app.example.com). Publicly available exploit code exists per GitHub issue #354 and CVSS E:P; no public exploit identified at time of analysis in CISA KEV, and the CVSS 4.0 score of 2.1 reflects the limited impact and required user interaction.

Open Redirect Java
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-47377 npm MEDIUM PATCH GHSA This Month

Open redirect in NocoDB's client-side hashRedirect plugin allows any attacker to silently send visitors from a legitimate NocoDB origin to an attacker-controlled domain by embedding a protocol-relative path in the URL hash fragment. All NocoDB npm releases prior to 2026.04.1 are affected; the flaw exists in `packages/nc-gui/plugins/hashRedirect.client.ts` where a single `startsWith('/')` check fails to exclude `//attacker.com/...` paths, which browsers resolve as absolute URLs. No public exploit has been identified at time of analysis, but the technique requires zero tooling and no authentication, making phishing campaigns against NocoDB users trivially constructable.

Open Redirect
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-21826 MEDIUM This Month

Host header injection in HCL Digital Experience and HCL Digital Experience Compose enables unauthenticated remote attackers to manipulate HTTP Host headers, causing the application to generate attacker-controlled redirect URLs targeting victims - a classic open redirect primitive (CWE-601) confirmed by the Open Redirect tag. The CVSS 6.1 score reflects Changed scope (S:C), meaning impact crosses beyond the vulnerable component, with low confidentiality and integrity impact consistent with phishing and session-hijacking abuse. No public exploit code or CISA KEV listing has been identified at time of analysis.

Open Redirect
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-48012 PHP MEDIUM PATCH GHSA This Month

Unauthenticated open redirect in Shopware's SSO entry point (GET /api/oauth/sso/auth) allows any remote attacker to cause a victim's browser to navigate to an arbitrary attacker-controlled URL - including javascript: URIs - by supplying a malicious Referer header. Affected are shopware/core and shopware/platform versions 6.7.3.0 through 6.7.10.0; the redirect is served from a trusted /api/oauth/ origin, materially increasing phishing credibility. A Python proof-of-concept demonstrating three distinct exploitation variants (no Referer, external HTTPS redirect, javascript: scheme injection) exists; no active exploitation is confirmed in CISA KEV at time of analysis.

Python Open Redirect
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44889 PyPI MEDIUM PATCH GHSA This Month

Open redirect in WebOb (pip/webob <= 1.8.9) enables unauthenticated network attackers to redirect victims to arbitrary attacker-controlled domains by bypassing the prior CVE-2024-42353 patch. The bypass exploits Python 3.10+'s silent stripping of ASCII control characters (tab, CR, LF) from URLs before parsing, so a crafted path like /\t/attacker.com passes the previous // guard, then gets normalized by urlsplit into a protocol-relative URL pointing to attacker.com. No public exploit has been identified at time of analysis beyond the advisory's own proof-of-concept code, but the bypass technique is trivial and the full exploit path is published in the GitHub advisory GHSA-fh3h-vg37-cc95.

Python Open Redirect Google Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-10861 MEDIUM PATCH This Month

Open redirect in MISP versions up to and including 2.5.38 allows unauthenticated remote attackers to craft links that silently redirect victims to attacker-controlled external URLs immediately after successful authentication. The vulnerability resides in UsersController::routeafterlogin(), where the pre_login_requested_url session value was reflected into a Location header without enforcing local-path constraints. SSVC signals exploitation as 'none' and no CISA KEV listing exists, but the automatable designation and the high-trust context of a threat intelligence platform make this a meaningful phishing amplifier against security teams who would not expect a trusted MISP login to forward them off-site.

Open Redirect Misp
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-10856 MEDIUM PATCH This Month

Open redirect in MISP's dashboard button widget (versions up to and including 2.5.38) enables an authenticated, high-privileged user who controls dashboard configuration to plant a crafted button URL that appears to point internally but redirects clicking users to an attacker-controlled external site. The root cause is an incomplete URL allowlist in Button.ctp that blocked explicit schemes, hosts, and user components but did not reject paths beginning with /\ - a pattern several browsers normalize into a scheme-relative URL (i.e., //attacker.com). No public exploit exists and CISA SSVC rates exploitation as none; risk is substantially constrained by the PR:H requirement and the need for a victim to interact with the planted button.

Open Redirect Misp
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-43924 MEDIUM PATCH This Month

Open redirect vulnerability in FOSSBilling's Redirect module (prior to version 0.8.0) allows authenticated administrators to configure arbitrary external URLs as redirect targets without URL scheme validation. Users following a legitimate FOSSBilling link are silently issued a 301 Moved Permanently response to an attacker-controlled phishing site; because 301 responses are persistently cached by browsers, the redirect continues to function even after server-side correction until client caches expire. No public exploit identified at time of analysis; version 0.8.0 (released 2026-05-28) patches the issue.

Open Redirect
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-41569 MEDIUM PATCH This Month

Open redirect in authentik's WS-Federation provider (all versions prior to 2026.2.3) allows an unauthenticated attacker to exfiltrate signed authentication assertions to attacker-controlled infrastructure by exploiting a prefix-only wreply URL validation check. Because the POST-based WS-Federation flow delivers a cryptographically signed identity assertion to whatever destination wreply specifies, successful exploitation leaks credential-bearing tokens rather than simply redirecting to a phishing page - elevating impact beyond a typical open redirect. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-40181 npm MEDIUM POC PATCH GHSA This Month

Open redirect in React Router's programmatic `redirect()` function allows unauthenticated remote attackers to redirect users to arbitrary external domains by supplying path values beginning with `//`, which browsers interpret as protocol-relative (scheme-relative) URLs. Affected are applications in the v7 series (7.0.0-7.14.0) and v6 series (6.7.0-6.30.3) that expose user-influenced input to `redirect()` without validating the path prefix. No public exploit identified at time of analysis - CVSS 4.0 supplemental metric E:U (Unreported) confirms no known active exploitation - but the technique is trivially constructible from the advisory description alone, and patched releases 7.14.1 and 6.30.4 are available.

Open Redirect Red Hat
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.0%
CVE-2026-45278 LOW PATCH Monitor

Open redirect in Nextcloud's user_oidc plugin (versions 6.1.0 through 8.2.1) allows attackers to craft OIDC login links that silently redirect victims to arbitrary external websites upon successful authentication. The root cause is insufficient redirect URL sanitization in LoginController.php - a single regex stripping the protocol and domain could be bypassed using protocol-relative URLs (e.g., //attacker.com), which browsers resolve as full external URLs. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV; however, the phishing potential via trusted login flows warrants prompt patching in user-facing Nextcloud deployments.

Open Redirect Nextcloud
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-40861 PyPI MEDIUM PATCH This Month

Arbitrary file read in Apache Airflow's FileTaskHandler allows authenticated users to read files outside the designated log directory by placing symlinks within the log folder tree. Versions prior to 3.2.2 are affected. Because FileTaskHandler._read_from_local() resolved glob matches without first verifying that a symlink's real path stays within the configured base log folder, a low-privileged Airflow user could exfiltrate sensitive server-side files - credentials, keys, or configuration - by directing log reads through a crafted symlink. No public exploit code exists and the vulnerability is not in CISA KEV, though the CVSS C:H rating reflects genuine confidentiality risk.

Open Redirect Apache
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40963 PyPI LOW PATCH Monitor

DAG authorization bypass in Apache Airflow 3.0.0-3.2.1 allows authenticated low-privileged users to enumerate DAG structure and cross-DAG dependency topology for DAGs they are not authorized to view, by querying the `/ui/structure/structure_data` endpoint without proper RBAC enforcement. The endpoint returned external dependency nodes and edges without applying the `ReadableDagsFilterDep` authorization filter, crossing per-DAG RBAC boundaries. No public exploit exists and EPSS is 0.01% (4th percentile); impact is confined to confidentiality of workflow topology in multi-tenant or fine-grained RBAC deployments.

Open Redirect Apache Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-40961 PyPI HIGH PATCH GHSA This Week

Open redirect bypass in Apache Airflow 3.0.0 through 3.2.1 allows remote unauthenticated attackers to craft URLs that evade the `is_safe_url` host check by using triple-slash (`///`), backslash, or URL-encoded backslash prefixes, redirecting victims to attacker-controlled domains. The flaw stems from a parsing inconsistency between WHATWG URL semantics and Python's urllib. No public exploit has been identified at time of analysis, and EPSS rates exploitation probability at only 0.01% (4th percentile).

Open Redirect Apache
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-41014 PyPI MEDIUM PATCH This Month

Per-DAG RBAC bypass in Apache Airflow 3.2.0-3.2.1 allows authenticated users with restricted DAG permissions to read partitioned DAG run metadata for DAGs outside their authorized scope via the /ui/partitioned_dag_runs endpoint. The route enforced asset-level access control via requires_access_asset but omitted the parallel DAG-level check (requires_access_dag) and result-set filtering by readable DAG IDs, creating a gap in the multi-layer authorization model. No public exploit identified at time of analysis; EPSS is 0.01% (4th percentile), indicating very low exploitation probability consistent with the authenticated, information-disclosure-only impact.

Open Redirect Apache Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49380 LOW PATCH Monitor

Open redirect in JetBrains TeamCity's SAML authentication plugin (all versions before 2026.1) allows a remote unauthenticated attacker to redirect authenticated users to arbitrary external URLs during the SAML login flow. The vulnerability carries a CVSS 3.1 score of 3.1 (Low), reflecting high attack complexity and mandatory user interaction - limiting realistic exploitation to targeted phishing scenarios against TeamCity users leveraging SAML SSO. No public exploit code exists and no active exploitation has been confirmed.

Open Redirect
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-45307 MEDIUM PATCH This Month

Open redirect in Speakr's post-login redirect handler allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled hosts via scheme-relative URLs such as '////evil.com'. The flaw stems from a logic split between the validation function - which normalizes the redirect target using urljoin() before checking safety - and the controller, which passes the raw, un-normalized target to redirect(), emitting it verbatim in the HTTP Location header. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and phishing utility make this a credible risk for self-hosted deployments.

Open Redirect
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-42539 MEDIUM PATCH This Month

Excessive data exposure in DFIR-IRIS before version 2.4.28 enables authenticated low-privileged users to retrieve sensitive information from API responses that should be restricted or filtered server-side. The flaw (CWE-201) is part of a coordinated multi-vulnerability disclosure by SBA Research (SBA-ADV-20260126-04), which also identified an Open Redirect (CVE-2026-42329), Insecure File Upload (CVE-2026-42538), and Mass Assignment (CVE-2026-42540) in the same product version. No public exploit identified at time of analysis and no CISA KEV listing; however, the target platform stores highly sensitive digital forensics and incident response case data, elevating the practical impact of any confidentiality breach.

Information Disclosure File Upload Open Redirect
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42329 MEDIUM PATCH This Month

Open redirect in DFIR-IRIS before version 2.4.28 allows unauthenticated remote attackers to craft URLs that silently redirect authenticated users to arbitrary external domains. The CVSS Scope:Changed (S:C) component confirms the vulnerability crosses the application's trust boundary, making it a viable vector for phishing and credential harvesting campaigns targeting incident responders and forensic analysts who use the platform. No public exploit code or active exploitation has been identified at time of analysis, and no CISA KEV listing is present.

File Upload Open Redirect
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-42538 MEDIUM PATCH This Month

Insecure file upload in DFIR-IRIS before version 2.4.28 allows a low-privileged remote attacker to upload files of dangerous types, resulting in high confidentiality impact and limited integrity compromise when a victim user interacts with the uploaded content. Disclosed by SBA Research in advisory SBA-ADV-20260126-03, this is one of three CVEs (CVE-2026-42329, CVE-2026-42538, CVE-2026-42539) patched simultaneously in the 2.4.28 release. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure File Upload Open Redirect
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-45335 MEDIUM PATCH This Month

Open redirect in WeGIA before version 3.7.3 enables authenticated attackers to weaponize the trusted WeGIA domain for phishing, credential harvesting, and malware distribution by manipulating the unvalidated `nextPage` parameter at the `/WeGIA/controle/control.php` endpoint. Affected deployments include any WeGIA instance running versions prior to 3.7.3 where the control endpoint is accessible to low-privileged authenticated users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering abuse potential against users who trust the institution's domain is the primary real-world risk.

Open Redirect PHP
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CRITICAL PATCH Act Now

Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. There is no public exploit identified at time of analysis, no CISA KEV listing, and no CVSS/EPSS score in the provided data; the issue was reported by watchTowr and fixed in 2.28.4.

Open Redirect PHP XSS
NVD GitHub
CRITICAL PATCH Act Now

Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. The advisory states no authentication is required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Open Redirect PHP XSS
NVD GitHub
CVSS 6.1
MEDIUM This Month

Open redirect in Redash versions 5.0.2 through 26.3.0 allows unauthenticated attackers to craft a login URL that silently forwards authenticated users to an attacker-controlled external site. The flaw in get_next_path() stripped scheme and netloc from the next parameter but failed to reject or normalize URLs with three or more leading slashes - a pattern browsers interpret as an absolute external reference (e.g., /login?next=////evil.com). No public exploit or CISA KEV listing has been identified at time of analysis, though the bypass technique is trivially reproducible from the advisory's own example.

Open Redirect Redash
NVD GitHub
CVSS 9.4
CRITICAL PATCH Act Now

Password reset token poisoning in the Grav API plugin (grav-plugin-api) before 1.0.4 lets an unauthenticated attacker hijack the account recovery flow by supplying an attacker-controlled host in the admin_base_url field (or Referer/Origin headers) of the POST /api/v1/auth/forgot-password request. Because the reset email's link is built from this unvalidated host, a victim who clicks it leaks a valid, unexpired reset token to the attacker, yielding full account takeover. No public exploit is identified at time of analysis, and it is not in CISA KEV, but VulnCheck's advisory and vendor GHSA-5xc4-j99p-cp4m confirm the flaw and a 1.0.4 fix.

Open Redirect Grav
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

Adobe Commerce is affected by an Improper Redirect (Open Redirect) vulnerability that could result in a Security feature bypass. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site, potentially enabling credential theft and account takeover. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.

Open Redirect Adobe Adobe Commerce +3
NVD
EPSS 1% CVSS 4.0
MEDIUM This Month

Open redirect in Ivanti Xtraction before 2026.2.1 enables remote unauthenticated attackers to craft URLs that silently forward users to arbitrary external destinations. The vulnerability carries a Scope:Changed rating (S:C) in the CVSS vector, reflecting that the impact extends beyond the vulnerable application to the user's browser environment - a hallmark of effective phishing and credential harvesting campaigns. No public exploit code and no CISA KEV listing exist at time of analysis, and the AC:H metric in the vendor-provided vector suggests exploitation may not be trivially reliable in all configurations.

Open Redirect Ivanti Xtraction
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthorized access in SAP Approuter arises because the component fails to validate incoming request headers during the OAuth2 login flow under certain configurations (CWE-601, open redirect). An unauthenticated remote attacker who lures a victim into clicking a crafted link can hijack the authentication flow to gain high-confidentiality and high-integrity access to the application. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the network-reachable, low-complexity nature (CVSS 8.1) makes it a meaningful patch priority for SAP BTP/Cloud Foundry environments.

SAP Authentication Bypass Open Redirect +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by forwarding victims from a trusted Drupal domain to an attacker-controlled site via crafted URLs. The exposure spans the 10.x and 11.x release trains, creating a broad attack surface across the Drupal install base. EPSS probability sits at 0.13% (3rd percentile) and the vulnerability is absent from CISA KEV, indicating low observed exploitation to date despite the wide version coverage.

Open Redirect Drupal Core
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect in Snipe-IT prior to 8.6.2 allows unauthenticated attackers to abuse the application as a trusted redirector against authenticated users. The user edit workflow persists the HTTP Referer header - which an attacker can control - into Laravel's session-stored intended URL, then unconditionally honors it via redirect()->intended() when redirect_option=back is submitted by a legitimate user. No public exploit code and no CISA KEV listing have been identified at time of analysis; the vulnerability is a medium-severity phishing-chain enabler rather than a direct system compromise.

Open Redirect Snipe It
NVD GitHub
CVSS 9.3
CRITICAL PATCH Act Now

Token theft via open redirect in the Authorizer identity server (authorizerdev/authorizer) lets an unauthenticated attacker steal a logged-in victim's OAuth/OIDC tokens. The /authorize endpoint fails to validate the redirect_uri against AllowedOrigins, so with response_type=token or id_token the server appends access_token, id_token, and refresh_token to any attacker-supplied URL via a 302 redirect. Detailed reproduction steps are public in advisory GHSA-h29v-hj44-q8cv, and the required client_id is trivially harvested from the unauthenticated /graphql meta query; no active exploitation is confirmed in CISA KEV at time of analysis.

Open Redirect
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting and open redirect vulnerabilities in n8n's Form Node allow authenticated users with workflow creation permissions to inject malicious scripts or phishing redirects that execute in the browsers of end users who interact with published forms. Affected across both the 1.x branch (before 1.123.24) and the 2.x branch (before 2.10.4 and 2.12.0). The attack surface is the Form Node's HTML description fields, which accept unsanitized markup, combined with an overly permissive iframe sandbox policy - creating a persistent attack vector embedded within legitimate workflows. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Open Redirect N8n
NVD GitHub
MEDIUM POC PATCH This Month

Open redirect bypass in openrun prior to v0.17.7 allows remote unauthenticated attackers to redirect victims to arbitrary external URLs by exploiting a double-slash path prefix that evades the application's host/scheme validation. The referrer-based redirect logic correctly validates the host and scheme but passes the extracted path `//attacker.com` to the Location header, which browsers interpret as a protocol-relative URL and resolve to an external destination. A proof-of-concept is publicly documented in the security advisory; no active exploitation has been confirmed by CISA KEV at time of analysis.

Google Apple Open Redirect +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Open Redirect via SAML SSO cache poisoning in Nozomi Networks Guardian and CMC allows unauthenticated remote attackers to corrupt the server-side redirect cache for all users by submitting a crafted request to the SAML sign-in endpoint with a malicious redirection parameter. Victims who subsequently initiate SAML Single Sign-On are transparently redirected to attacker-controlled infrastructure, enabling phishing and credential theft. The flaw additionally disrupts legitimate SAML authentication for affected users, introducing an availability dimension beyond the typical Open Redirect threat model. No active exploitation (KEV) or public exploit code has been identified at time of analysis.

Open Redirect Guardian Cmc
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored HTML injection in Nozomi Networks Guardian and CMC (N2OS) allows authenticated administrators to embed malicious HTML into configuration data rendered in the Diagram tab and Graph view, enabling phishing and open redirect attacks against other authenticated users who view the affected pages. The vulnerability originates from a shared input validation function applied across multiple input vectors in N2OS that is insufficiently restrictive, permitting certain HTML tags to persist. Full XSS exploitation and direct information disclosure are explicitly constrained by existing input validation and a Content Security Policy, limiting realistic attacker impact to social engineering vectors. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

XSS Open Redirect Information Disclosure +2
NVD VulDB
CVSS 3.1
LOW PATCH Monitor

Open redirect in waku's `unstable_redirect()` server-side router helper allows a network attacker to redirect victims' browsers to arbitrary external domains - including phishing sites for credential harvesting and OAuth token theft - by injecting a malicious `location` string into any waku route that passes user-controlled query parameters to the function. The vulnerability affects waku 1.0.0-beta.0 across all supported runtime adapters (Node.js, Cloudflare Workers, Vercel Edge, Deno), as the reflection path in `handler.ts` is shared. A dynamic proof-of-concept was confirmed by the reporter in two independent Docker-based runs against commit 8e9f542; no vendor-released patch is confirmed at time of analysis, though a v1.0.0-beta.1 release tag appears in advisory references.

Node.js Open Redirect Docker
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Open redirect and client-side SSRF in Gradio before 6.20.0 expose cloud infrastructure credentials to network attackers via the /gradio_api/file= endpoint. The file_fetch() function accepts unvalidated HTTP/HTTPS URLs from attacker-controlled FileData responses, enabling redirection of victim browsers to arbitrary destinations including cloud metadata services such as the EC2 instance metadata endpoint (169.254.169.254). Successful exploitation in cloud-hosted Gradio deployments allows retrieval of IAM role credentials, achieving high subsequent-system confidentiality impact. No public exploit or CISA KEV listing is identified at time of analysis; a fix is available in version 6.20.0.

SSRF Open Redirect
NVD GitHub VulDB
CVSS 6.1
MEDIUM This Month

Open redirect in Kiwi TCMS's account confirmation endpoint allows unauthenticated remote attackers to craft URLs hosted on a legitimate organizational Kiwi TCMS instance that silently redirect victims to arbitrary external domains. All deployments running versions prior to v16.1 are affected, with no authentication required from the attacker - only a victim click. The primary threat is high-trust phishing: because the malicious link originates from the organization's own hostname, it bypasses email security filters and link-reputation checks, enabling convincing credential-harvesting or malware delivery campaigns targeting engineering and QA staff. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Open Redirect
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Traffic hijacking in Cilium's CiliumLocalRedirectPolicy (CLRP) mechanism allows a cluster user with RBAC permission to create CLRPs to specify arbitrary ClusterIPs via the addressMatcher field, redirecting service traffic across namespace boundaries and circumventing the namespace-scoping guarantees that serviceMatcher is designed to enforce. Affected versions span Cilium v1.17 (all prior to v1.17.16), v1.18.2-v1.18.9, and v1.19.0-v1.19.3. A compounding secondary behavior causes complete service translation failure when a maliciously crafted CLRP is deleted, enabling a denial-of-service condition against any targeted Service. No public exploit has been identified at time of analysis, and exploitation is constrained to users holding elevated cluster RBAC privileges; this is not confirmed actively exploited (CISA KEV).

Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Open redirect in kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows remote attackers to manipulate the href argument of the setReferrer() function in the Trusted Backend Interface, redirecting users to arbitrary attacker-controlled URLs. A publicly available proof-of-concept exploit exists (CVSS 4.0 E:P), lowering the exploitation barrier for phishing and credential harvesting campaigns. This vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.

Open Redirect PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft 365 Copilot arises from an open redirect (CWE-601) that lets an unauthenticated remote attacker craft a Copilot-hosted URL that forwards a victim to an attacker-controlled site. Per the CVSS vector this requires the victim to interact (UI:R) with the malicious link and results in a scope change with high confidentiality and integrity impact, consistent with token/credential capture enabling elevated access. There is no public exploit identified at time of analysis (Exploit Maturity: Unproven), and it is not listed in CISA KEV; Microsoft rates it 9.3 and reports an official fix is available.

Open Redirect Microsoft 365 Copilot
NVD VulDB
MEDIUM POC PATCH This Month

{}` that carries no `CheckRedirect` policy. Because Go's `net/http` strips only the standard `Authorization`, `Cookie`, and `WWW-Authenticate` headers on cross-host redirects - not arbitrary custom headers - any 30x redirect issued by the configured `HubURI` causes both keys to be forwarded verbatim to the redirect destination. A proof-of-concept confirming the leak has been provided by the reporter; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect Information Disclosure
NVD GitHub
LOW PATCH Monitor

Open redirect in Concourse's web login flow allows a remote unauthenticated attacker to craft a URL that silently redirects an authenticated user to an arbitrary external site upon completing the login process. Concourse versions prior to 8.2.3 are affected via the `/sky/login` endpoint's `redirect_uri` parameter. While no credentials are leaked server-side, the post-login redirect to an attacker-controlled site creates a high-fidelity phishing vector targeting CI/CD operators and developers - users who typically hold sensitive pipeline secrets and source-code access. No public exploit identified at time of analysis, though the advisory provides a fully working proof-of-concept URL.

Open Redirect
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Open redirect exploitation in the Wikimedia Foundation MediaWiki UrlShortener Extension enables unauthenticated network attackers to craft shortened URLs hosted on trusted MediaWiki domains that silently redirect victims to arbitrary external sites, facilitating phishing and Cross-Site Flashing attacks. All versions of the extension prior to 1.43.9, 1.44.6, and 1.45.4 across their respective branches are affected. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the unauthenticated and network-accessible nature of URL shortener services makes social-engineering abuse low-effort once a target instance is identified.

Open Redirect Mediawiki Urlshortener Extension
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Open redirect in Invoice Ninja's client portal login (through version 5.13.26) enables unauthenticated attackers to craft login URLs that transparently redirect authenticated victims to attacker-controlled external sites after they complete a legitimate login. The vulnerability stems from the `intended` query parameter being stored in the session without host validation, then emitted verbatim by the `ContactLoginController::authenticated()` handler post-login, making it a reliable phishing vector against Invoice Ninja clients. A publicly available proof-of-concept exists; no CISA KEV listing is present at time of analysis.

Open Redirect Invoiceninja
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Open redirect in the TP-Link Archer AX20 V2 embedded web server allows unauthenticated attackers to craft URLs containing URL-encoded path traversal sequences that cause the device to issue HTTP 3xx redirects toward attacker-controlled external domains. All firmware versions through 2.1.9 Build 20230829 on the V2.0 hardware revision are confirmed affected per TP-Link's own advisory and CPE data. No public exploit identified at time of analysis, and a vendor-released patch is available; active exploitation has not been confirmed by CISA KEV.

Path Traversal Open Redirect Archer Ax20 V2 0
NVD
CVSS 4.7
MEDIUM PATCH This Month

Open redirect in Probo's saferedirect package allows unauthenticated remote attackers to bypass same-origin URL validation across all authentication flows - OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links. A crafted URL such as /../\evil.com passes the flawed second-character check, and Go's http.Redirect normalizer collapses it to /\evil.com before setting the Location header; browsers then interpret the backslash as a host separator and navigate victims to an attacker-controlled domain. No public exploit is identified at time of analysis and the CVE carries no CISA KEV listing, but the authentication-flow context makes this a credible, high-value phishing vector. Self-hosted deployments must upgrade to probod v0.194.1.

Open Redirect
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Open redirect in Mailerup's click-tracking endpoint allows remote unauthenticated attackers to redirect victims to arbitrary external domains by supplying a crafted `u` query parameter to `/c/<token>/`. The `_safe_redirect` function blocks only `javascript:` and `data:` schemes without restricting the destination host, and silently swallows `signing.BadSignature` exceptions - making token validation entirely bypassable. No CISA KEV listing or public exploit code has been identified; exploitation requires victim interaction but no attacker authentication against the Mailerup instance.

Open Redirect Mailerup
NVD GitHub VulDB
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Open redirect in Gogs versions up to and including 0.14.2 allows unauthenticated remote attackers to craft login URLs that redirect authenticated users to arbitrary external sites after successful login. The root cause is a two-character-only URL validation in the `IsSameSite()` function: the path `/a/../\example.com` passes server-side inspection but resolves to `//example.com` after browsers normalize backslashes to forward slashes. A publicly available proof-of-concept with screenshots exists; this vulnerability is not in CISA KEV and active exploitation has not been confirmed at time of analysis.

Open Redirect Path Traversal
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.

Open Redirect Redis Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Open redirect in Nuxt 3.x before 3.21.7 and 4.x before 4.4.7 allows remote unauthenticated attackers to redirect victims to arbitrary external hosts by supplying protocol-relative paths such as `//evil.com` to the `reloadNuxtApp` composable. The function's only security gate checks whether the resolved URL's scheme is a script protocol; protocol-relative paths inherit the page's own scheme (`https:`), pass that check, and are then written directly to `window.location.href`. The practical consequence is phishing and OAuth authorization-code theft on any application that forwards user-controlled input into `reloadNuxtApp`. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the GHSA advisory notes this is part of a broader cluster of three URL-handling weaknesses in Nuxt's navigation APIs.

Open Redirect Nuxt
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side open redirect in Nuxt's `navigateTo` composable allows unauthenticated network attackers to bypass external-host checks by submitting path-normalized payloads such as `/..//evil.com` or `/.//evil.com`, which WHATWG URL parsing resolves to the protocol-relative URL `//evil.com`. Affected versions are Nuxt 4.0.0-4.4.6 and all 3.x releases before 3.21.7. Because Nuxt documentation presents `navigateTo` as the safe, built-in mechanism for post-login redirects, applications commonly pass unvalidated user-supplied redirect parameters directly to it - making OAuth authorization-code theft and phishing the principal real-world risks. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV.

Open Redirect Nuxt
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Unvalidated redirect in Venueless social login allows phishing attacks by abusing the trusted domain reputation of legitimate event platform instances. Any Venueless deployment with social login enabled is affected across all tracked versions (CPE wildcard), and an attacker can craft a social login URL embedding an arbitrary external redirect destination that executes silently after a victim completes OAuth authentication. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and authentication-flow context make this a credible phishing vector against event attendees and organizers.

Open Redirect Venueless
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Open redirect in LemonLDAP::NG versions up to and including 2.23.0 allows unauthenticated remote attackers to manipulate the `url` argument within the SAML Common Domain Cookie (CDC) endpoint, causing authenticated SSO users to be silently forwarded to arbitrary attacker-controlled domains. The SSO context makes this particularly high-consequence for phishing: victims trust the identity provider's domain, lowering suspicion of the crafted redirect URL. Publicly available exploit code exists (CVSS 4.0 E:P); no vendor patch has been confirmed, as the vendor was unresponsive to responsible disclosure by VulDB.

Open Redirect Lemonldap Ng
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Open redirect in Capgo's confirm-signup endpoint (all versions before 12.128.2) enables unauthenticated remote attackers to craft account confirmation links that silently redirect victims to arbitrary attacker-controlled websites. The unvalidated `confirmation_url` parameter in the confirm-signup flow accepts any external URL without domain allowlisting or sanitization, making legitimate Capgo-sending domains a trusted launchpad for phishing and credential harvesting. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering amplification risk is significant given the trusted-email-domain context.

Open Redirect Capgo
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Open redirect in Capgo's Stripe billing endpoints (stripe_portal and stripe_checkout) allows authenticated attackers to manipulate the callbackUrl, successUrl, and cancelUrl parameters to silently redirect users to attacker-controlled phishing domains after billing interactions. All Capgo releases before 12.128.2 are affected per vendor advisory GHSA-grc7-98pf-h8hq. Exploitation requires a valid Capgo account (CVSS PR:L) and victim interaction (UI:A), and no public exploit or CISA KEV listing exists at time of analysis; however, the Stripe payment context lends phishing lures unusual credibility, elevating realistic social-engineering risk above what the medium CVSS score alone implies.

Open Redirect Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft 365 Copilot's Business Chat is possible when an attacker abuses an open redirect (CWE-601) to coerce a victim into following a crafted link that lands on an attacker-controlled site. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation lets an unauthorized remote attacker elevate privileges over the network after user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Open Redirect 365 Copilot
NVD VulDB
MEDIUM PATCH This Month

Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.

Microsoft Apple CSRF +3
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Open redirect in Microchip's GridTime 3000 GNSS Time Server allows authenticated low-privilege users to manipulate the post-submission redirect destination of the password change form, enabling phishing and credential harvesting attacks against administrators. All firmware versions from 1.0r0.03 through 1.1r0.0 are confirmed affected per vendor self-disclosure. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.

Open Redirect Gridtime 3000
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Open redirect in Apache APISIX 3.0.0 through 3.16.0 enables unauthenticated remote attackers to manipulate specific HTTP client headers, causing victim users to be redirected to attacker-controlled sites with potential session token leakage. Exploitation requires active user interaction and specific attack conditions (CVSS 4.0 AT:P, UI:A), yielding a vendor-assigned score of 2.1 (Low) - limiting realistic exposure to targeted phishing scenarios rather than opportunistic mass exploitation. No public exploit code or CISA KEV listing exists at time of analysis; the Apache Software Foundation has released a vendor-confirmed fix in version 3.17.0.

Apache Open Redirect Apache Apisix
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Open redirect in Apache APISIX's cas-auth plugin exposes users to phishing and credential theft when the plugin is used in its default configuration. Affected are all APISIX deployments running versions 3.0.0 through 3.16.0 with cas-auth enabled. An unauthenticated remote attacker can craft a malicious CAS authentication URL that redirects victims to an attacker-controlled site, enabling session hijacking or credential harvesting. No public exploit or KEV listing is recorded at time of analysis, and the CVSS 4.0 base score of 2.1 reflects the attacker's dependence on user interaction and the absence of direct system-level impact.

Apache Open Redirect Apache Apisix
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Open redirect in pgAdmin 4's MFA validate and register endpoints allows network-accessible attackers to abuse the authentication flow as a phishing launchpad. Affected versions 6.0 through 9.15 pass the user-supplied 'next' query and form parameter directly to Flask's redirect response without verifying the target is same-origin, meaning a crafted URL such as /mfa/validate?next=https://attacker.example/fake-login silently forwards the victim from a trusted pgAdmin URL to an attacker-controlled site. No public exploit is identified at time of analysis and this CVE is not listed in CISA KEV; however, a reporter-supplied PoC was confirmed by the vendor and is documented in the upstream regression test suite.

Open Redirect Pgadmin 4
NVD GitHub VulDB
EPSS 1% CVSS 5.1
MEDIUM PATCH This Month

Open redirect in CakePHP Authentication's `getLoginRedirect()` method exposes users of affected applications to attacker-controlled redirects via backslash character bypass of hostname validation logic. Applications running `cakephp/authentication` below 3.3.6 (3.x branch) or between 4.0.0 and 4.1.1 (4.x branch) are vulnerable. No public exploit code or CISA KEV listing has been identified at time of analysis, though the backslash bypass technique is well-understood and lowers the bar for exploitation against unpatched deployments.

Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect in Gitea's login flow allows external domain hijacking by bypassing the `urlIsRelative` validation in `modules/httplib/url.go` through a combination of directory traversal sequences and a backslash in the `redirect_to` parameter. All Gitea instances running version 1.25.4 and below are affected; a working proof-of-concept is publicly available in the GitHub Security Advisory. Exploitation enables phishing via trusted Gitea domains, OAuth/SSO authorization code theft, Referer-header leakage of sensitive parameters, and potential cache poisoning — no public exploit identified as confirmed actively exploited (CISA KEV absent).

Gitea Path Traversal Open Redirect
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

HTTP response header injection in undici's cookie parser exposes proxy, middleware, and SSR framework applications to session fixation, open redirect, and cache poisoning. The `parseSetCookie`, `parseCookie`, and `getSetCookies` functions incorrectly percent-decode cookie values using `qsUnescape`, converting encoded sequences such as `%0D%0A` into literal CRLF bytes in violation of RFC 6265 §5.4, which prescribes no such decoding. Any application that fetches from an attacker-controlled upstream and forwards the parsed cookie value into a downstream response header is exploitable; no public exploit has been identified at time of analysis, and patched releases v6.26.0, v7.28.0, and v8.5.0 are available.

Open Redirect Undici Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Open redirect in the browser-based Cisco Webex App allowed unauthenticated remote attackers to redirect users to attacker-controlled websites by crafting malicious URLs with manipulated parameters. The vulnerability (CWE-601) stems from improper input validation of URL parameters in HTTP requests and scores CVSS 4.3 Medium (AV:N/AC:L/PR:N/UI:R). Cisco has fully remediated this server-side with no customer action required; no public exploit or CISA KEV listing exists at time of analysis.

Cisco Open Redirect Cisco Webex App
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Host Header Injection in Dell PowerFlex Rack RCM 3.7 enables unauthenticated remote attackers to trigger open redirects by supplying a forged HTTP Host header, potentially redirecting victim users to attacker-controlled sites for phishing or credential harvesting. The CVSS 4.3 Medium score reflects the requirement for user interaction (UI:R) and limited confidentiality impact, with no integrity or availability consequence. No public exploit code has been identified at time of analysis, and the vulnerability has no CISA KEV listing.

Dell Open Redirect Powerflex Rack
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to manipulate the X-Forwarded-Host HTTP header to redirect authenticated users to attacker-controlled sites immediately following login or interface interaction. The vulnerability is particularly hazardous in the context of a credential store application, where a convincing post-login redirect to a cloned phishing interface could yield an attacker's full access to a victim's stored password vault. No public exploit code has been identified at time of analysis, and a vendor-released patch is available per the INCIBE advisory.

Open Redirect Password Manager
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP header before using it to construct redirect URLs. Unauthenticated remote attackers can craft malicious links that, when clicked by a victim, silently redirect them to an attacker-controlled domain - a particularly dangerous vector given that the target application manages credentials. Reported by INCIBE, a vendor patch is available; no active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

Open Redirect Password Manager
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Account takeover in Oracle iSupplier Portal (E-Business Suite versions 12.2.3-12.2.15) allows a low-privileged remote attacker to fully compromise the application by tricking a separate user into interacting with attacker-supplied content over HTTPS. The Home Page component is the entry point, and successful exploitation yields full confidentiality, integrity, and availability impact on the portal. No public exploit identified at time of analysis, but Oracle's critical patch advisory confirms the issue is real and patchable.

Oracle Oracle Isupplier Portal Open Redirect
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Cross-context compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker over HTTPS to gain high-impact read access and limited write access to managed content, with effects that cross trust boundaries into additional Oracle Fusion Middleware products (scope change). Exploitation requires a victim to interact with attacker-controlled input (UI:R), and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Webcenter Content +1
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Server takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (Console component) allows a remote unauthenticated attacker who can lure an authenticated user into interacting with a crafted HTTP request to fully compromise the server with a scope change to other products. CVSS 8.3 reflects high impact tempered by high attack complexity and required user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Weblogic Server Open Redirect
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Full takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 is achievable by remote unauthenticated attackers via the Console component over HTTPS, provided a victim performs an action such as clicking a malicious link. The flaw carries a CVSS 3.1 base score of 8.8 with high impact across confidentiality, integrity, and availability, but exploitation hinges on user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Open Redirect
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Cross-scope data compromise in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 allows a low-privileged remote attacker over HTTPS to read, create, modify, or delete critical data through the administration Console, provided a separate user is induced to perform an action. The CVSS 3.1 base score of 8.7 reflects high confidentiality and integrity impact with scope change reaching beyond WebLogic itself, and no public exploit identified at time of analysis.

Authentication Bypass Oracle Weblogic Server +1
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

DigestAuthMiddleware in aiohttp leaks HTTP Digest authentication credentials to attacker-controlled cross-origin redirect targets. Applications using DigestAuthMiddleware with the default follow_redirects behavior are affected in versions up to and including 3.14.0. When a server responds with a cross-origin redirect, the middleware incorrectly computes and sends a digest authentication response to the redirect destination, exposing the auth digest to the third-party domain. No public exploit has been identified at time of analysis, but exploitation is plausible wherever an open redirect exists on the origin server.

Information Disclosure Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redirect OAuth2 callback URLs to attacker-controlled domains, enabling OAuth token theft and account takeover. The flaw resides in the getRedirectURL function (oauth2.go:22-29), which blindly concatenates the HTTP request's Host header with a fixed path when constructing the OAuth2 redirect URL, with no allowlisting or validation performed. A vendor-released patch exists in version 2.2.0; no public exploit has been identified at time of analysis and the vulnerability is not in the CISA KEV catalog.

Open Redirect Nezha
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara-domain URLs that silently forward victims to attacker-controlled sites, enabling highly credible phishing campaigns targeting Aqara users and connected IoT ecosystem accounts. The vulnerability is particularly impactful in an SSO context because users are trained to trust authentication-domain URLs, dramatically lowering phishing detection rates. A public proof-of-concept repository exists on GitHub; no confirmed active exploitation per CISA KEV at time of analysis.

Open Redirect Aqara Iam Sso Gateway
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled domains by exploiting a bypass in the login flow's URL filter. The filter blocks `next` parameter values containing `http://` or `https://` substrings but does not account for RFC-3986 userinfo@host syntax; submitting `next=@evil.example/path` causes the server to construct `https://victim.example@evil.example/path`, which modern browsers route to `evil.example`. No public exploit code has been identified at time of analysis, no patch is available, and this vulnerability is not listed in CISA KEV.

Nginx Open Redirect Apache
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential leakage in Erlang/OTP's inets httpc client (versions 17.0 through 29.0.2, 28.5.0.2, and 27.3.4.13) allows attacker-controlled servers to harvest Authorization and Proxy-Authorization headers by issuing cross-origin 3xx redirects. Because httpc_response:redirect/2 only updates the host field and copies all other headers verbatim - and autoredirect defaults to true - any httpc caller using HTTP Basic auth or URL userinfo silently forwards credentials to the redirect target. No public exploit identified at time of analysis, but the fix has been published upstream and tagged in vendor-released OTP patch versions.

Information Disclosure Open Redirect Otp +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Open redirect in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) enables unauthenticated remote attackers to craft login URLs with a malicious external domain in the 'from' parameter under the 'Delegate to servlet container' security realm, silently redirecting authenticated users to attacker-controlled sites post-login for phishing purposes. The CVSS vector (PR:N, UI:R) confirms no attacker authentication is needed, but victim interaction is mandatory - the user must click a crafted link and complete a login. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; vendor-released patches are available as of 2026-06-10.

Jenkins Open Redirect Red Hat
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Open redirect in Jenkins login flow enables phishing attacks by exploiting improper redirect URL validation. Tab or newline characters injected between `//` in a post-login redirect URL bypass Jenkins' legitimacy check, redirecting authenticated victims to attacker-controlled sites. Affects Jenkins weekly 2.567 and earlier and LTS 2.555.2 and earlier; vendor-released patches are available. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the bypass technique is trivially derivable from the public advisory.

Jenkins Open Redirect
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Open redirect exploitation in Jenkins allows unauthenticated network attackers to craft login URLs that bypass the post-authentication redirect validation and forward users to attacker-controlled external sites. Affected are Jenkins weekly releases through 2.567 and LTS releases through 2.555.2, where the redirect URL legitimacy check fails when the URL contains relative path segments such as `./` or `../`. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, placing this in a moderate-risk, phishing-enablement category rather than a direct system compromise class.

Jenkins Open Redirect Red Hat
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect in Spring Security's cookie-based saved-request components allows remote unauthenticated attackers to redirect authenticated users to arbitrary external URLs immediately after a successful login. The CookieRequestCache (servlet stack) and CookieServerRequestCache (reactive/WebFlux stack) store the full pre-authentication URL in a browser cookie and use it without origin validation as the post-login Location target, making this exploitable via a socially engineered link. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the S:C scope change and PR:N attack profile make this a meaningful phishing enabler in any Spring Security deployment using cookie-backed saved requests.

Open Redirect Java Spring Security
NVD HeroDevs VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Spring Authorization Server's authorization endpoint fails to adequately validate the OAuth2/OIDC `request_uri` parameter, enabling unauthenticated remote attackers to craft authorization requests that bypass redirect URI validation entirely. Affected deployments running Spring Authorization Server 1.5.0-1.5.7 or Spring Security 7.0.0-7.0.5 can be exploited to redirect authenticated users to attacker-controlled destinations, a particularly elevated risk given that victims inherently trust the authorization server's domain during OAuth login flows. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect Java Spring Authorization Server +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Open redirect in Adobe Experience Manager (versions 6.5.24, LTS SP1, 2026.04 and earlier) enables network-based attackers to craft malicious URLs that silently redirect victims to attacker-controlled sites, with Adobe's own advisory citing account takeover as the potential outcome. The attack requires no privileges or authentication on the attacker's side (PR:N per CVSS) but depends entirely on a victim clicking a crafted link (UI:R). No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis, though the account takeover potential meaningfully exceeds what the moderate CVSS 4.3 score alone conveys.

Adobe Open Redirect
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Open redirect in SolarWinds Observability Self-Hosted enables an authenticated low-privilege attacker on an adjacent network segment to supply a crafted external URL that redirects application traffic or users to an attacker-controlled site. The CVSS vector assigns High confidentiality impact (C:H) despite a medium overall score of 4.8, suggesting the redirect may expose sensitive data - such as session tokens or credentials - to the attacker-controlled destination, rather than being a simple phishing-only vector. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis. SolarWinds has released a patch in the HCO 2026.2 release.

Open Redirect
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Open redirect exploitation in TYPO3 CMS allows unauthenticated remote attackers to bypass the `GeneralUtility::sanitizeLocalUrl` locality check by crafting URLs containing backslash sequences, control characters, or slash-pattern variations that the prior implementation failed to reject, redirecting victims to arbitrary external sites for phishing. All major active TYPO3 branches are affected: versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the bypass patterns are explicitly documented in the upstream fix's own test suite, substantially lowering the bar to reproduction.

Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect in Spring Framework (Spring MVC and Spring WebFlux) across four major version branches enables unauthenticated remote attackers to craft URLs that cause the application to issue a 302 HTTP redirect to an arbitrary attacker-controlled external host. The vulnerability is conditionally exploitable - requiring a catch-all wildcard route mapping without an explicit view name - and demands user interaction to trigger. CVSS rates this 4.2 Medium (AV:N/AC:H/PR:N/UI:R); no public exploit code or CISA KEV listing has been identified at time of analysis.

Open Redirect Java Spring Framework
NVD HeroDevs VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Unauthenticated open redirect in Authlib's OAuth 2.0 authorization endpoint allows any remote attacker to weaponize a trusted authorization server domain as a redirector - no client registration, no authenticated session, and no prior state required. The flaw affects all deployments of pip/authlib < 1.6.10 and == 1.7.0 running an authorization endpoint via the Flask or Django integrations. Publicly available exploit code exists and was dynamically confirmed against the live HEAD (v1.6.6-104-g68e6ab3f); no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV status absent), but the trivial, zero-prerequisite exploit path makes phishing and domain-allowlist bypass practical at scale.

Python Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW POC Monitor

Open redirect in JeecgBoot's ThirdLoginController (versions 3.9.0-3.9.2) allows remote attackers to manipulate the OAuth `state` parameter and redirect victims to attacker-controlled URLs via the third-party login flow. The vendor's own assessment confirms low real-world exploitability: successful exploitation requires social engineering to induce victims into clicking a crafted OAuth login link, and the affected third-party login feature (DingTalk, WeChat) is optional and likely disabled in most deployments. Publicly available exploit code exists, but no KEV listing indicates active exploitation campaigns at time of analysis.

Open Redirect Java
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Open redirect in hs-web hsweb-framework's OAuth2Client component (versions up to 5.0.1) allows remote unauthenticated attackers to redirect victims to attacker-controlled URLs by supplying a crafted redirect_uri during OAuth2 authorization flows. The root cause is a naive prefix-based string comparison using startsWith() in OAuth2Client.java, which trivially allows bypass via domain-prefix spoofing (e.g., registering https://app.example.com.attacker.com when the legitimate URI is https://app.example.com). Publicly available exploit code exists per GitHub issue #354 and CVSS E:P; no public exploit identified at time of analysis in CISA KEV, and the CVSS 4.0 score of 2.1 reflects the limited impact and required user interaction.

Open Redirect Java
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Open redirect in NocoDB's client-side hashRedirect plugin allows any attacker to silently send visitors from a legitimate NocoDB origin to an attacker-controlled domain by embedding a protocol-relative path in the URL hash fragment. All NocoDB npm releases prior to 2026.04.1 are affected; the flaw exists in `packages/nc-gui/plugins/hashRedirect.client.ts` where a single `startsWith('/')` check fails to exclude `//attacker.com/...` paths, which browsers resolve as absolute URLs. No public exploit has been identified at time of analysis, but the technique requires zero tooling and no authentication, making phishing campaigns against NocoDB users trivially constructable.

Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Host header injection in HCL Digital Experience and HCL Digital Experience Compose enables unauthenticated remote attackers to manipulate HTTP Host headers, causing the application to generate attacker-controlled redirect URLs targeting victims - a classic open redirect primitive (CWE-601) confirmed by the Open Redirect tag. The CVSS 6.1 score reflects Changed scope (S:C), meaning impact crosses beyond the vulnerable component, with low confidentiality and integrity impact consistent with phishing and session-hijacking abuse. No public exploit code or CISA KEV listing has been identified at time of analysis.

Open Redirect
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthenticated open redirect in Shopware's SSO entry point (GET /api/oauth/sso/auth) allows any remote attacker to cause a victim's browser to navigate to an arbitrary attacker-controlled URL - including javascript: URIs - by supplying a malicious Referer header. Affected are shopware/core and shopware/platform versions 6.7.3.0 through 6.7.10.0; the redirect is served from a trusted /api/oauth/ origin, materially increasing phishing credibility. A Python proof-of-concept demonstrating three distinct exploitation variants (no Referer, external HTTPS redirect, javascript: scheme injection) exists; no active exploitation is confirmed in CISA KEV at time of analysis.

Python Open Redirect
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect in WebOb (pip/webob <= 1.8.9) enables unauthenticated network attackers to redirect victims to arbitrary attacker-controlled domains by bypassing the prior CVE-2024-42353 patch. The bypass exploits Python 3.10+'s silent stripping of ASCII control characters (tab, CR, LF) from URLs before parsing, so a crafted path like /\t/attacker.com passes the previous // guard, then gets normalized by urlsplit into a protocol-relative URL pointing to attacker.com. No public exploit has been identified at time of analysis beyond the advisory's own proof-of-concept code, but the bypass technique is trivial and the full exploit path is published in the GitHub advisory GHSA-fh3h-vg37-cc95.

Python Open Redirect Google +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Open redirect in MISP versions up to and including 2.5.38 allows unauthenticated remote attackers to craft links that silently redirect victims to attacker-controlled external URLs immediately after successful authentication. The vulnerability resides in UsersController::routeafterlogin(), where the pre_login_requested_url session value was reflected into a Location header without enforcing local-path constraints. SSVC signals exploitation as 'none' and no CISA KEV listing exists, but the automatable designation and the high-trust context of a threat intelligence platform make this a meaningful phishing amplifier against security teams who would not expect a trusted MISP login to forward them off-site.

Open Redirect Misp
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Open redirect in MISP's dashboard button widget (versions up to and including 2.5.38) enables an authenticated, high-privileged user who controls dashboard configuration to plant a crafted button URL that appears to point internally but redirects clicking users to an attacker-controlled external site. The root cause is an incomplete URL allowlist in Button.ctp that blocked explicit schemes, hosts, and user components but did not reject paths beginning with /\ - a pattern several browsers normalize into a scheme-relative URL (i.e., //attacker.com). No public exploit exists and CISA SSVC rates exploitation as none; risk is substantially constrained by the PR:H requirement and the need for a victim to interact with the planted button.

Open Redirect Misp
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Open redirect vulnerability in FOSSBilling's Redirect module (prior to version 0.8.0) allows authenticated administrators to configure arbitrary external URLs as redirect targets without URL scheme validation. Users following a legitimate FOSSBilling link are silently issued a 301 Moved Permanently response to an attacker-controlled phishing site; because 301 responses are persistently cached by browsers, the redirect continues to function even after server-side correction until client caches expire. No public exploit identified at time of analysis; version 0.8.0 (released 2026-05-28) patches the issue.

Open Redirect
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Open redirect in authentik's WS-Federation provider (all versions prior to 2026.2.3) allows an unauthenticated attacker to exfiltrate signed authentication assertions to attacker-controlled infrastructure by exploiting a prefix-only wreply URL validation check. Because the POST-based WS-Federation flow delivers a cryptographically signed identity assertion to whatever destination wreply specifies, successful exploitation leaks credential-bearing tokens rather than simply redirecting to a phishing page - elevating impact beyond a typical open redirect. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM POC PATCH This Month

Open redirect in React Router's programmatic `redirect()` function allows unauthenticated remote attackers to redirect users to arbitrary external domains by supplying path values beginning with `//`, which browsers interpret as protocol-relative (scheme-relative) URLs. Affected are applications in the v7 series (7.0.0-7.14.0) and v6 series (6.7.0-6.30.3) that expose user-influenced input to `redirect()` without validating the path prefix. No public exploit identified at time of analysis - CVSS 4.0 supplemental metric E:U (Unreported) confirms no known active exploitation - but the technique is trivially constructible from the advisory description alone, and patched releases 7.14.1 and 6.30.4 are available.

Open Redirect Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Open redirect in Nextcloud's user_oidc plugin (versions 6.1.0 through 8.2.1) allows attackers to craft OIDC login links that silently redirect victims to arbitrary external websites upon successful authentication. The root cause is insufficient redirect URL sanitization in LoginController.php - a single regex stripping the protocol and domain could be bypassed using protocol-relative URLs (e.g., //attacker.com), which browsers resolve as full external URLs. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV; however, the phishing potential via trusted login flows warrants prompt patching in user-facing Nextcloud deployments.

Open Redirect Nextcloud
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Arbitrary file read in Apache Airflow's FileTaskHandler allows authenticated users to read files outside the designated log directory by placing symlinks within the log folder tree. Versions prior to 3.2.2 are affected. Because FileTaskHandler._read_from_local() resolved glob matches without first verifying that a symlink's real path stays within the configured base log folder, a low-privileged Airflow user could exfiltrate sensitive server-side files - credentials, keys, or configuration - by directing log reads through a crafted symlink. No public exploit code exists and the vulnerability is not in CISA KEV, though the CVSS C:H rating reflects genuine confidentiality risk.

Open Redirect Apache
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

DAG authorization bypass in Apache Airflow 3.0.0-3.2.1 allows authenticated low-privileged users to enumerate DAG structure and cross-DAG dependency topology for DAGs they are not authorized to view, by querying the `/ui/structure/structure_data` endpoint without proper RBAC enforcement. The endpoint returned external dependency nodes and edges without applying the `ReadableDagsFilterDep` authorization filter, crossing per-DAG RBAC boundaries. No public exploit exists and EPSS is 0.01% (4th percentile); impact is confined to confidentiality of workflow topology in multi-tenant or fine-grained RBAC deployments.

Open Redirect Apache Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Open redirect bypass in Apache Airflow 3.0.0 through 3.2.1 allows remote unauthenticated attackers to craft URLs that evade the `is_safe_url` host check by using triple-slash (`///`), backslash, or URL-encoded backslash prefixes, redirecting victims to attacker-controlled domains. The flaw stems from a parsing inconsistency between WHATWG URL semantics and Python's urllib. No public exploit has been identified at time of analysis, and EPSS rates exploitation probability at only 0.01% (4th percentile).

Open Redirect Apache
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Per-DAG RBAC bypass in Apache Airflow 3.2.0-3.2.1 allows authenticated users with restricted DAG permissions to read partitioned DAG run metadata for DAGs outside their authorized scope via the /ui/partitioned_dag_runs endpoint. The route enforced asset-level access control via requires_access_asset but omitted the parallel DAG-level check (requires_access_dag) and result-set filtering by readable DAG IDs, creating a gap in the multi-layer authorization model. No public exploit identified at time of analysis; EPSS is 0.01% (4th percentile), indicating very low exploitation probability consistent with the authenticated, information-disclosure-only impact.

Open Redirect Apache Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Open redirect in JetBrains TeamCity's SAML authentication plugin (all versions before 2026.1) allows a remote unauthenticated attacker to redirect authenticated users to arbitrary external URLs during the SAML login flow. The vulnerability carries a CVSS 3.1 score of 3.1 (Low), reflecting high attack complexity and mandatory user interaction - limiting realistic exploitation to targeted phishing scenarios against TeamCity users leveraging SAML SSO. No public exploit code exists and no active exploitation has been confirmed.

Open Redirect
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect in Speakr's post-login redirect handler allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled hosts via scheme-relative URLs such as '////evil.com'. The flaw stems from a logic split between the validation function - which normalizes the redirect target using urljoin() before checking safety - and the controller, which passes the raw, un-normalized target to redirect(), emitting it verbatim in the HTTP Location header. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and phishing utility make this a credible risk for self-hosted deployments.

Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Excessive data exposure in DFIR-IRIS before version 2.4.28 enables authenticated low-privileged users to retrieve sensitive information from API responses that should be restricted or filtered server-side. The flaw (CWE-201) is part of a coordinated multi-vulnerability disclosure by SBA Research (SBA-ADV-20260126-04), which also identified an Open Redirect (CVE-2026-42329), Insecure File Upload (CVE-2026-42538), and Mass Assignment (CVE-2026-42540) in the same product version. No public exploit identified at time of analysis and no CISA KEV listing; however, the target platform stores highly sensitive digital forensics and incident response case data, elevating the practical impact of any confidentiality breach.

Information Disclosure File Upload Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Open redirect in DFIR-IRIS before version 2.4.28 allows unauthenticated remote attackers to craft URLs that silently redirect authenticated users to arbitrary external domains. The CVSS Scope:Changed (S:C) component confirms the vulnerability crosses the application's trust boundary, making it a viable vector for phishing and credential harvesting campaigns targeting incident responders and forensic analysts who use the platform. No public exploit code or active exploitation has been identified at time of analysis, and no CISA KEV listing is present.

File Upload Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Insecure file upload in DFIR-IRIS before version 2.4.28 allows a low-privileged remote attacker to upload files of dangerous types, resulting in high confidentiality impact and limited integrity compromise when a victim user interacts with the uploaded content. Disclosed by SBA Research in advisory SBA-ADV-20260126-03, this is one of three CVEs (CVE-2026-42329, CVE-2026-42538, CVE-2026-42539) patched simultaneously in the 2.4.28 release. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure File Upload Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Open redirect in WeGIA before version 3.7.3 enables authenticated attackers to weaponize the trusted WeGIA domain for phishing, credential harvesting, and malware distribution by manipulating the unvalidated `nextPage` parameter at the `/WeGIA/controle/control.php` endpoint. Affected deployments include any WeGIA instance running versions prior to 3.7.3 where the control endpoint is accessible to low-privileged authenticated users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering abuse potential against users who trust the institution's domain is the primary real-world risk.

Open Redirect PHP
NVD GitHub
Page 1 of 17 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy