VYPR

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

BaseDraftLikelihood: Low

Description

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-178

CVEs mapped to this weakness (835)

page 19 of 42
  • CVE-2026-41569MedJun 2, 2026
    risk 0.33cvss 6.1epss 0.00

    authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a…

  • CVE-2026-40181MedJun 2, 2026
    risk 0.33cvss 6.1epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The…

  • CVE-2026-44681MedMay 27, 2026
    risk 0.33cvss 6.1epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an…

  • CVE-2026-47070MedMay 25, 2026
    risk 0.33cvss 6.1epss 0.00

    Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client…

  • CVE-2026-40295MedMay 22, 2026
    risk 0.33cvss 6.1epss 0.00

    Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without…

  • CVE-2026-9245MedMay 22, 2026
    risk 0.33cvss 5.0epss 0.00

    Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : * Devolutions Server 2026.1.6.0 through…

  • CVE-2025-65954MedMay 18, 2026
    risk 0.33cvss 6.1epss 0.00

    SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on…

  • CVE-2026-42207MedMay 15, 2026
    risk 0.33cvss 6.1epss 0.00

    Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, Mage_ProductAlert_AddController::stockAction() reads the uenc…

  • CVE-2026-44437MedMay 13, 2026
    risk 0.33cvss 6.1epss 0.00

    The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism…

  • CVE-2026-44372MedMay 13, 2026
    risk 0.33cvss 6.1epss 0.00

    Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.

  • CVE-2026-42259MedMay 7, 2026
    risk 0.33cvss epss 0.00

    Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise…

  • CVE-2025-61669MedMay 5, 2026
    risk 0.33cvss 6.1epss 0.00

    Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values…

  • CVE-2026-40255MedApr 16, 2026
    risk 0.33cvss 6.1epss 0.00

    AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header…

  • CVE-2026-25854MedApr 9, 2026
    risk 0.33cvss 6.1epss 0.01

    Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through…

  • CVE-2026-35475MedApr 6, 2026
    risk 0.33cvss 6.1epss 0.00

    WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect parameter is taken directly from $_GET with no URL validation or whitelist check, then used verbatim in a header("Location: ...") call. This vulnerability is fixed in 3.6.9.

  • CVE-2026-35474MedApr 6, 2026
    risk 0.33cvss 6.1epss 0.00

    WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, open redirect has been found in WeGIA webapp. The redirect parameter is taken directly from $_GET with no URL validation or whitelist check, then used verbatim in a header("Location: ...") call. This…

  • CVE-2026-35473MedApr 6, 2026
    risk 0.33cvss 6.1epss 0.00

    WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and…

  • CVE-2026-35410MedApr 6, 2026
    risk 0.33cvss 6.1epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing…

  • CVE-2026-35472MedApr 6, 2026
    risk 0.33cvss 6.1epss 0.00

    WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and…

  • CVE-2026-35398MedApr 6, 2026
    risk 0.33cvss 6.1epss 0.00

    WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos &…