VYPR
Medium severity · 4.7 (NVD) · Advisory · Published Feb 5, 2026 · Updated Apr 15, 2026

CVE-2026-25198

Description

web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability in the validation of the _next redirect target (prevent_open_redirect in gluon/tools.py). A user who follows a specially crafted URL to the application can be redirected to an arbitrary external site, which makes the trusted application a convenient first hop for phishing.
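The description only says "specially crafted URL"; the fix commit's new test case, /%09/www.example.org/, shows the shape: an ASCII tab in the first path segment. The example below is an added illustration by this editor, not web2py code. It models the two sides of that bypass: what the query-string decoder hands to the redirect check, what a WHATWG-conformant browser does with the resulting Location value (it deletes tab/CR/LF and treats a backslash as a slash, so the model goes slightly beyond the page's single tab case), and what the commit's new first-segment rule accepts and refuses. The host app.example.test, the sample paths and the function names (next_from_query, browser_target, leaves_origin, patched_rule_rejects, browser_model_rejects) are constructed for the example; browser_model_rejects is an assumed alternative check, not the project's.

```python
from urllib.parse import parse_qs, urljoin, urlsplit

# Characters the WHATWG URL parser deletes from its input before parsing.
# A raw tab inside "/<TAB>/host/" therefore disappears and the value is
# read as the scheme-relative "//host/".
_BROWSER_STRIPS = "\t\r\n"


def next_from_query(query_string: str) -> str:
    """The _next value a framework sees after query-string decoding.

    A "%09" on the wire arrives here as a literal tab character.
    """
    return parse_qs(query_string, keep_blank_values=True)["_next"][0]


def browser_normalize(location: str) -> str:
    """The two WHATWG rewrites that matter here: drop tab/CR/LF, and
    treat backslash like a slash (the special-scheme rule)."""
    cleaned = "".join(ch for ch in location if ch not in _BROWSER_STRIPS)
    return cleaned.replace("\\", "/")


def browser_target(current_page: str, location: str) -> str:
    """Absolute URL a conformant browser navigates to for a Location header.

    Percent-escapes such as %09 are left alone by the browser, so they are
    left alone here too; only raw control characters are removed.
    """
    return urljoin(current_page, browser_normalize(location))


def leaves_origin(current_page: str, location: str) -> bool:
    """True when the redirect lands on a different scheme/host than the page."""
    src = urlsplit(current_page)
    dst = urlsplit(browser_target(current_page, location))
    return (src.scheme, src.netloc) != (dst.scheme, dst.netloc)


def patched_rule_rejects(url: str) -> bool:
    """The check added by commit b4e1ddbd6d40, as written there: a rooted
    path whose first segment is not purely alphanumeric is refused."""
    return url.startswith("/") and not url.split("/")[1].isalnum()


def browser_model_rejects(url: str, host: str) -> bool:
    """Assumed alternative (not web2py code): normalise the value the way the
    browser will, then refuse anything that resolves to a foreign host.
    Ordinary app paths with '_', '-' or '.' in the first segment pass."""
    parts = urlsplit(browser_normalize(url))
    return bool(parts.netloc) and parts.netloc != host


if __name__ == "__main__":
    # Constructed sample request: the attacker's link carries _next=/%09/...
    page = "https://app.example.test/login"
    nxt = next_from_query("_next=/%09/www.example.org/")
    for candidate in (nxt, "/%09/www.example.org/", "/\\www.example.org/",
                      "/my_app/default/index", "/"):
        print(repr(candidate),
              "browser leaves origin:", leaves_origin(page, candidate),
              "patched rule rejects:", patched_rule_rejects(candidate),
              "browser-model rejects:",
              browser_model_rejects(candidate, "app.example.test"))
```

Two things the run makes visible: the literal string "/%09/www.example.org/" is harmless to a browser (it stays on app.example.test), it is the decoded tab that turns the path into "//www.example.org/"; and the commit's isalnum() rule refuses the bare root "/" and any first segment with an underscore or dot, so a legitimate target such as /my_app/default/index now fails the check.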

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
web2py (PyPI)    < 3.1.1             3.1.1

Patches (1)

b4e1ddbd6d40

Block open redirect vulnerability JVN#46925341

https://github.com/web2py/web2py · Massimo Di Pierro · Nov 28, 2025 · via ghsa
2 files changed · +10 −3
  • gluon/tests/test_tools.py  +1 −0  modified
    @@ -1707,3 +1707,4 @@ def test_open_redirect(self):
                     self.assertEqual(prevent_open_redirect(url, "test.com"), url)
             # extra corner cases
             self.assertEqual(prevent_open_redirect("https:/example.com"), None)
    +        self.assertEqual(prevent_open_redirect("/%09/www.example.org/"), None)
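Review bot: the only new case is the percent-encoded tab, while the rule it exercises in gluon/tools.py keys on the characters of the first path segment (url.split("/")[1].isalnum()), so add the raw-tab form as well, self.assertEqual(prevent_open_redirect("/\t/www.example.org/"), None), and keep one positive case for an ordinary rooted app path, e.g. self.assertEqual(prevent_open_redirect("/welcome/default/index"), "/welcome/default/index"), so that a later tightening of the first-segment rule cannot silently break normal redirects.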
    
  • gluon/tools.py  +9 −3  modified
    @@ -130,8 +130,12 @@ def replace_id(url, form):
     def prevent_open_redirect(url, host=None):
         # Prevent an attacker from adding an arbitrary url after the
         # _next variable in the request.
    -    host = host or current.request.env.http_host
    -    default_scheme = "https" if current.request.is_https else "http"
    +    if hasattr(current, "request"):
    +        host = host or current.request.env.http_host
    +        default_scheme = "https" if current.request.is_https else "http"
    +    else:
    +        host = "localhost"
    +        default_scheme = "http"
         original = url
     
         if url is not None:
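Review bot: the hasattr(current, "request") fallback quietly changes the function's contract outside a request (host becomes "localhost", default_scheme "http") and is unrelated to the redirect fix; a caller that forgets to pass host now gets a comparison against a hostname no deployment serves instead of an error. If the branch exists only so the unit test can call prevent_open_redirect directly, prefer making host mandatory when there is no request (raise ValueError, or return None as the safe default) and record that in the comment above the function, which still describes only the _next behaviour.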
    @@ -146,8 +150,10 @@ def prevent_open_redirect(url, host=None):
     
         if url.startswith("//"):
             url = default_scheme + ":" + url
    -    if url.startswith("://"):
    +    elif url.startswith("://"):
             url = default_scheme + url
    +    elif url.startswith("/") and not url.split("/")[1].isalnum():
    +        return None
     
         try:
             parsed = urlparse.urlparse(url)
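Review bot: the new branch, `elif url.startswith("/") and not url.split("/")[1].isalnum(): return None`, is an [A-Za-z0-9] allow-list on the first path segment and is far wider than the tab bypass it is meant to stop: str.isalnum() is False for "", "_", "-", "." and "?", so the bare root "/", a query-only target "/?x=1", and any rooted path whose first segment carries an underscore, hyphen or dot ("/my_app/default/index", "/index.html") are now refused, and nothing in this commit tests a positive case that would reveal it. Either name the characters being excluded (the ASCII tab behind the %09 in the new test, together with CR, LF and backslash, which browsers also rewrite before parsing, and their percent-encoded forms) or normalise the value the way a browser would and let the urlparse-based check below do the host comparison; the latter keeps legitimate app paths working without a character allow-list.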
    

