VYPR

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base | Status: Draft | Likelihood of Exploit: Low

Description

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
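The following is an added example, not code from this page or from any of the projects listed below. It puts the pattern the description names (a redirect that uses the user-controlled value unchanged) beside a hardened check, and also shows why a host check built from an unanchored regular expression is bypassable, since a match anywhere in the string is accepted. The allowlist hosts, the function names and the regular expressions are assumptions for illustration.

```python
"""Added example: the CWE-601 pattern beside a hardened redirect-target check.

The hosts in ALLOWED_HOSTS, the function names and the regexes are assumptions
for illustration; this is not code from any project on the page.
"""
import re
from urllib.parse import urlsplit

# Hosts this (hypothetical) application may send a browser to after login.
ALLOWED_HOSTS = frozenset({"app.example.com", "accounts.example.com"})
FALLBACK = "/"

# Unanchored host check: a match anywhere in the string is accepted, so
# "app.example.com.evil.net" passes. Anchored: the host must be exactly the name.
_UNANCHORED_HOST_RE = re.compile(r"app\.example\.com")
_ANCHORED_HOST_RE = re.compile(r"^app\.example\.com$")


def vulnerable_redirect_target(next_param: str) -> str:
    """CWE-601 as described above: the user-controlled value is used as-is."""
    return next_param


def regex_allows_host(host: str, anchored: bool) -> bool:
    """Regex-based host validation, with and without anchors."""
    pattern = _ANCHORED_HOST_RE if anchored else _UNANCHORED_HOST_RE
    return pattern.search(host) is not None


def safe_redirect_target(next_param, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return next_param only if it is a same-site absolute path or an http(s)
    URL whose parsed hostname is exactly allowlisted; otherwise the fallback."""
    if not isinstance(next_param, str) or not next_param:
        return fallback
    # Browsers strip tabs/newlines and treat '\' as '/' in http(s) URLs, so
    # "/\evil.net" and "/\t/evil.net" become "//evil.net"; CR/LF would also
    # split the Location header. Reject rather than trying to normalise.
    if "\\" in next_param or any(
        ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in next_param
    ):
        return fallback
    parts = urlsplit(next_param)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: allow exactly one leading slash. "//host" has a
        # netloc (handled below); browsers parse "///host" as a host as well.
        if next_param.startswith("/") and not next_param.startswith("//"):
            return next_param
        return fallback
    if parts.scheme in ("http", "https") and parts.netloc:
        # .hostname lower-cases and drops userinfo and port, so
        # "https://app.example.com@evil.net" yields "evil.net".
        host = parts.hostname or ""
        if host in allowed_hosts:
            return next_param
    # Anything else is rejected: javascript:, data:, mailto:, unknown hosts,
    # and "https:evil.net" (scheme with no netloc, which browsers still open
    # as https://evil.net).
    return fallback


if __name__ == "__main__":
    # Constructed candidates covering the common bypass shapes.
    for candidate in [
        "/account/settings?tab=1",
        "https://app.example.com:443/login",
        "//evil.net/phish",
        "///evil.net",
        "/\\evil.net",
        "https:evil.net",
        "https://app.example.com@evil.net/",
        "https://app.example.com.evil.net/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)!r}")
```

The check is deliberately conservative: it rejects backslashes and whitespace instead of normalising them, and it compares the parsed hostname for exact set membership rather than by prefix, suffix or regex search. For OAuth/OIDC redirect_uri handling, as in the Keycloak and Red Hat Single Sign-On entries below, the same principle applies to the registered URI: exact-match registration avoids the wildcard-path bypass the Keycloak entry describes.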

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-178

CVEs mapped to this weakness (835)

page 7 of 42
  • CVE-2026-3872 | High | Apr 2, 2026
    risk 0.40 | cvss 7.3 | epss 0.00

    A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting…

  • CVE-2026-20994 | Medium | Mar 16, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    URL redirection in Samsung Account prior to version 15.5.01.1 allows local attackers to potentially get access token.

  • CVE-2025-70032 | Medium | Mar 9, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.

  • CVE-2026-25477 | Medium | Mar 2, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression…

  • CVE-2026-1296 | Medium | Feb 18, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for…

  • CVE-2025-55060 | Medium | Dec 29, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

  • CVE-2025-13819 | Medium | Dec 1, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    Open redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted parameter, facilitating phishing or social engineering attacks.

  • CVE-2025-42924 | Medium | Nov 11, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    SAP S/4HANA landscape SAP E-Recruiting BSP allows an unauthenticated attacker to craft malicious links, when clicked the victim could be redirected to the page controlled by the attacker. This has low impact on confidentiality and integrity of the application with no impact on…

  • CVE-2025-12789 | Medium | Nov 7, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    A flaw was found in Red Hat Single Sign-On. This issue is an Open Redirect vulnerability that occurs during the logout process. The redirect_uri parameter associated with the openid-connect logout protocol does not properly validate the provided URL.

  • CVE-2025-50736 | Medium | Oct 30, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    An open redirect vulnerability exists in Byaidu PDFMathTranslate v1.9.9 that allows attackers to craft URLs that cause the application to redirect users to arbitrary external websites via the file parameter to the /gradio_api endpoint. This vulnerability could be exploited for…

  • CVE-2025-55032 | Medium | Aug 19, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability was fixed in Focus for iOS 142.

  • CVE-2025-42985 | Medium | Jul 8, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    Due to insufficient sanitization in the SAP BusinessObjects Content Administrator Workbench, attackers could craft malicious URLs and execute scripts in a victim's browser. This could potentially lead to the exposure or modification of web client data, resulting in low impact…

  • CVE-2025-42981 | Medium | Jul 8, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    Due to an open redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a URL link embedding a malicious script at a location not properly sanitized. When a victim clicks on this link, the script executes within the victim's…

  • CVE-2025-23183 | Medium | May 22, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

  • CVE-2024-12561 | Medium | May 21, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    The Affiliate Sales in Google Analytics and other tools plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.0.0. This is due to insufficient validation on the redirect url supplied via the 'afflink' parameter. This makes it possible for…

  • CVE-2025-3859 | Medium | Apr 30, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage. This vulnerability was fixed in Focus 138.

  • CVE-2025-3433 | Medium | Apr 8, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to…

  • CVE-2025-23086 | Medium | Jan 21, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    On most desktop platforms, Brave Browser versions 1.70.x-1.73.x included a feature to show a site's origin on the OS-provided file selector dialog when a site prompts the user to upload or download a file. However the origin was not correctly inferred in some cases. When…

  • CVE-2024-46326 | Medium | Oct 21, 2024
    risk 0.40 | cvss 6.1 | epss 0.00

    Public Knowledge Project pkp-lib 3.4.0-7 and earlier is vulnerable to Open redirect due to a lack of input sanitization in the logout function.

  • CVE-2024-45247 | Medium | Oct 6, 2024
    risk 0.40 | cvss 6.1 | epss 0.00

    Sonarr – CWE-601: URL Redirection to Untrusted Site ('Open Redirect')