Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-45408

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-04 Feb, 2022 | 19:43
Updated At-04 Aug, 2024 | 04:39
Rejected At-
Credits

Open Redirect vulnerability exists in SeedDMS 6.0.15 in out.Login.php, which llows remote malicious users to redirect users to malicious sites using the "referuri" parameter.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:04 Feb, 2022 | 19:43
Updated At:04 Aug, 2024 | 04:39
Rejected At:
â–¼CVE Numbering Authority (CNA)

Open Redirect vulnerability exists in SeedDMS 6.0.15 in out.Login.php, which llows remote malicious users to redirect users to malicious sites using the "referuri" parameter.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://sunil-singh.notion.site/SeedDMS-6-0-15-Open-Redirect-85be8b681b2947a2a75e7416cb56670c
x_refsource_MISC
Hyperlink: https://sunil-singh.notion.site/SeedDMS-6-0-15-Open-Redirect-85be8b681b2947a2a75e7416cb56670c
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://sunil-singh.notion.site/SeedDMS-6-0-15-Open-Redirect-85be8b681b2947a2a75e7416cb56670c
x_refsource_MISC
x_transferred
Hyperlink: https://sunil-singh.notion.site/SeedDMS-6-0-15-Open-Redirect-85be8b681b2947a2a75e7416cb56670c
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:04 Feb, 2022 | 20:15
Updated At:09 Feb, 2022 | 02:20

Open Redirect vulnerability exists in SeedDMS 6.0.15 in out.Login.php, which llows remote malicious users to redirect users to malicious sites using the "referuri" parameter.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary2.05.8MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 5.8
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:N
CPE Matches

seeddms
seeddms
>>seeddms>>6.0.15
cpe:2.3:a:seeddms:seeddms:6.0.15:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-601Primarynvd@nist.gov
CWE ID: CWE-601
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://sunil-singh.notion.site/SeedDMS-6-0-15-Open-Redirect-85be8b681b2947a2a75e7416cb56670ccve@mitre.org
Exploit
Third Party Advisory
Hyperlink: https://sunil-singh.notion.site/SeedDMS-6-0-15-Open-Redirect-85be8b681b2947a2a75e7416cb56670c
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1020Records found

CVE-2021-39425
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.50% / 39.22%
||
7 Day CHG~0.00%
Published-20 Jul, 2023 | 00:00
Updated-24 Oct, 2024 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SeedDMS v6.0.15 was discovered to contain an open redirect vulnerability. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

Action-Not Available
Vendor-seeddmsn/a
Product-seeddmsn/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-28726
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.64% / 46.28%
||
7 Day CHG~0.00%
Published-24 Nov, 2020 | 16:45
Updated-04 Aug, 2024 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open redirect in SeedDMS 6.0.13 via the dropfolderfileform1 parameter to out/out.AddDocument.php.

Action-Not Available
Vendor-seeddmsn/a
Product-seeddmsn/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-28727
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.91% / 55.62%
||
7 Day CHG~0.00%
Published-07 Dec, 2020 | 07:53
Updated-05 Jul, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) exists in SeedDMS 6.0.13 via the folderid parameter to views/bootstrap/class.DropFolderChooser.php.

Action-Not Available
Vendor-seeddmsn/a
Product-seeddmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39421
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 34.75%
||
7 Day CHG~0.00%
Published-24 Jul, 2023 | 00:00
Updated-24 Oct, 2024 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in SeedDMS v6.0.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Action-Not Available
Vendor-seeddmsn/a
Product-seeddmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23048
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.70% / 48.71%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 19:20
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SeedDMS Content Management System v6.0.7 contains a persistent cross-site scripting (XSS) vulnerability in the component AddEvent.php via the name and comment parameters.

Action-Not Available
Vendor-seeddmsn/a
Product-seeddmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-27736
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 4.29%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 16:27
Updated-05 Mar, 2026 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BigBlueButton has Open Redirect vulnerability in ApiController

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.

Action-Not Available
Vendor-bigbluebuttonbigbluebutton
Product-bigbluebuttonbigbluebutton
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2014-2213
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.44% / 70.02%
||
7 Day CHG~0.00%
Published-22 Nov, 2019 | 18:39
Updated-06 Aug, 2024 | 10:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open redirect vulnerability in the password reset functionality in POSH 3.0 through 3.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to portal/scr_sendmd5.php.

Action-Not Available
Vendor-posh_projectn/a
Product-poshn/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-27191
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.4||HIGH
EPSS-0.25% / 16.67%
||
7 Day CHG~0.00%
Published-21 Feb, 2026 | 03:23
Updated-25 Feb, 2026 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Feathers: Open Redirect in OAuth callback enables account takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim's access token and can impersonate them. The application constructs the final redirect URL by concatenating the base origin with the user-supplied redirect parameter. This is exploitable when the origins array is configured and origin values do not end with /. An attacker can supply @attacker.com as the redirect value results in https://target.com@attacker.com#access_token=..., where the browser interprets attacker.com as the host, leading to full account takeover. This issue has been fixed in version 5.0.40.

Action-Not Available
Vendor-feathersjsfeathersjs
Product-feathersfeathers
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-25854
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.1||MEDIUM
EPSS-0.53% / 40.67%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 19:13
Updated-14 Apr, 2026 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: Occasionally open redirect

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-tomcatApache Tomcat
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-25149
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2.7||LOW
EPSS-0.24% / 14.61%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 21:11
Updated-10 Feb, 2026 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qwik City Open Redirect via fixTrailingSlash

Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0.

Action-Not Available
Vendor-qwikQwikDev
Product-qwikqwik
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-25477
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.16% / 5.92%
||
7 Day CHG~0.00%
Published-02 Mar, 2026 | 19:14
Updated-10 Apr, 2026 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AFFiNE: Open Redirect via Regex Bypass in redirect-proxy

AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to bypass the whitelist by using malicious domains that end with a trusted string. This issue has been patched in version 0.26.0.

Action-Not Available
Vendor-affinetoeverything
Product-affineAFFiNE
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2019-17151
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-4.3||MEDIUM
EPSS-1.37% / 68.69%
||
7 Day CHG~0.00%
Published-07 Jan, 2020 | 23:05
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers redirect users to an external resource on affected installations of Tencent WeChat Prior to 7.0.9. User interaction is required to exploit this vulnerability in that the target must be within a chat session together with the attacker. The specific flaw exists within the parsing of a users profile. The issue lies in the failure to properly validate a users name. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9302.

Action-Not Available
Vendor-tencentTencent
Product-wechatWeChat
CWE ID-CWE-356
Product UI does not Warn User of Unsafe Actions
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2025-11222
Matching Score-4
Assigner-LY Corporation
ShareView Details
Matching Score-4
Assigner-LY Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 4.29%
||
7 Day CHG~0.00%
Published-04 Dec, 2025 | 12:18
Updated-19 Dec, 2025 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Central Dogma versions before 0.78.0 contain an Open Redirect vulnerability that allows attackers to redirect users to untrusted sites via specially crafted URLs, potentially facilitating phishing attacks and credential theft.

Action-Not Available
Vendor-linecorpLINE Corporation
Product-central_dogmaCentral Dogma
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-43479
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.92% / 55.85%
||
7 Day CHG~0.00%
Published-05 Dec, 2022 | 00:00
Updated-24 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open redirect vulnerability in SHIRASAGI v1.14.4 to v1.15.0 allows a remote unauthenticated attacker to redirect users to an arbitrary web site and conduct a phishing attack.

Action-Not Available
Vendor-ss-projSHIRASAGI Project
Product-shirasagiSHIRASAGI
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-22912
Matching Score-4
Assigner-SICK AG
ShareView Details
Matching Score-4
Assigner-SICK AG
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 24.29%
||
7 Day CHG~0.00%
Published-15 Jan, 2026 | 13:03
Updated-23 Jan, 2026 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risk including stealing credentials from unsuspecting users.

Action-Not Available
Vendor-SICK AG
Product-tdc-x401gltdc-x401gl_firmwareTDC-X401GL
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-23726
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-16 Jan, 2026 | 19:40
Updated-30 Jan, 2026 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=TipoEntradaControle)

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, An Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Action-Not Available
Vendor-wegiaLabRedesCefetRJ
Product-wegiaWeGIA
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-23727
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 7.78%
||
7 Day CHG~0.00%
Published-16 Jan, 2026 | 19:41
Updated-30 Jan, 2026 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarTodos, nomeClasse=TipoSaidaControle)

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Action-Not Available
Vendor-wegiaLabRedesCefetRJ
Product-wegiaWeGIA
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-23729
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-16 Jan, 2026 | 19:47
Updated-30 Jan, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WeGIA has an Open Redirect Vulnerability in control.php Endpoint via nextPage Parameter (metodo=listarDescricao, nomeClasse=ProdutoControle)

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Action-Not Available
Vendor-wegiaLabRedesCefetRJ
Product-wegiaWeGIA
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2019-16393
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.10% / 61.64%
||
7 Day CHG~0.00%
Published-17 Sep, 2019 | 20:48
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

Action-Not Available
Vendor-spipn/aCanonical Ltd.Debian GNU/Linux
Product-ubuntu_linuxdebian_linuxspipn/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-21826
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-6.1||MEDIUM
EPSS-0.14% / 4.04%
||
7 Day CHG~0.00%
Published-05 Jun, 2026 | 05:58
Updated-10 Jun, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection

HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection.  An attacker can manipulate the Host header and cause the application to behave in unexpected ways.

Action-Not Available
Vendor-HCLSoftwareHCL Technologies Ltd.
Product-digital_experiencedigital_experience_composeDigital Experience & DX Compose
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-21879
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.26% / 17.40%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 00:51
Updated-20 Jan, 2026 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kanboard vulnerable to Open Redirect via protocol-relative URLs

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49.

Action-Not Available
Vendor-kanboardkanboard
Product-kanboardkanboard
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-22032
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 9.55%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 14:32
Updated-20 Jan, 2026 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directus has open redirect in SAML

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch.

Action-Not Available
Vendor-monospacedirectus
Product-directusdirectus
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-43985
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.1||MEDIUM
EPSS-1.49% / 71.03%
||
7 Day CHG~0.00%
Published-02 Nov, 2022 | 00:00
Updated-02 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Airflow prior to 2.4.2 has an open redirect

In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.

Action-Not Available
Vendor-The Apache Software Foundation
Product-airflowApache Airflow
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-4317
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5||MEDIUM
EPSS-0.54% / 41.52%
||
7 Day CHG~0.00%
Published-09 Mar, 2023 | 00:00
Updated-28 Feb, 2025 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 1.47 before 3.0.51, which sends custom request headers in redirects.

Action-Not Available
Vendor-GitLab Inc.
Product-dynamic_application_security_testing_analyzerDAST
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-26215
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.4||MEDIUM
EPSS-1.21% / 64.81%
||
7 Day CHG~0.00%
Published-18 Nov, 2020 | 21:20
Updated-04 Aug, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open redirect in Jupyter Notebook

Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. The issue is patched in version 6.1.5.

Action-Not Available
Vendor-jupyterjupyterDebian GNU/Linux
Product-debian_linuxnotebooknotebook
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-26219
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.61% / 44.78%
||
7 Day CHG~0.00%
Published-11 Nov, 2020 | 22:05
Updated-04 Aug, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Redirect in touchbase.ai

touchbase.ai before version 2.0 is vulnerable to Open Redirect. Impacts can be many, and vary from theft of information and credentials, to the redirection to malicious websites containing attacker-controlled content, which in some cases even cause XSS attacks. So even though an open redirection might sound harmless at first, the impacts of it can be severe should it be exploitable. The issue is fixed in version 2.0.

Action-Not Available
Vendor-touchbase.ai_projectpuncsky
Product-touchbase.aitouchbase.ai
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-44215
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.75% / 50.58%
||
7 Day CHG~0.00%
Published-22 Aug, 2023 | 00:00
Updated-03 Oct, 2024 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is an open redirect vulnerability in Titan FTP server 19.0 and below. Users are redirected to any target URL.

Action-Not Available
Vendor-southrivertechn/a
Product-titan_ftp_servern/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2025-0970
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 31.91%
||
7 Day CHG+0.02%
Published-02 Feb, 2025 | 23:00
Updated-10 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zenvia Movidesk Login redirect

A vulnerability was found in Zenvia Movidesk up to 25.01.22. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /Account/Login. The manipulation of the argument ReturnUrl leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 25.01.22.245a473c54 is able to address this issue. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-zenviaZenvia
Product-movideskMovidesk
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-24598
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.16% / 63.21%
||
7 Day CHG~0.00%
Published-26 Aug, 2020 | 21:27
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Joomla! before 3.9.21. Lack of input validation in the vote feature of com_content leads to an open redirect.

Action-Not Available
Vendor-n/aJoomla!
Product-joomla\!n/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2025-47854
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.11%
||
7 Day CHG+0.02%
Published-20 May, 2025 | 17:37
Updated-28 May, 2025 | 21:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2025.03.2 open redirect was possible on editing VCS Root page

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2025-0705
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.37% / 28.88%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 19:00
Updated-10 Oct, 2025 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JoeyBling bootplus QrCodeController.java qrCode redirect

A vulnerability has been found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d and classified as problematic. Affected by this vulnerability is the function qrCode of the file src/main/java/io/github/controller/QrCodeController.java. The manipulation of the argument text leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

Action-Not Available
Vendor-joeyblingJoeyBling
Product-bootplusbootplus
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2013-2764
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.92% / 55.76%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 19:58
Updated-06 Aug, 2024 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Secure Entry Server before 4.7.0 contains a URI Redirection vulnerability which could allow remote attackers to conduct phishing attacks due to HSP_AbsoluteRedirects being disabled by default.

Action-Not Available
Vendor-united-security-providersn/a
Product-secure_entry_servern/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2013-2621
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-10.69% / 95.27%
||
7 Day CHG~0.00%
Published-03 Feb, 2020 | 14:15
Updated-06 Aug, 2024 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open Redirection Vulnerability in the redir.php script in Telaen before 1.3.1 allows remote attackers to redirect victims to arbitrary websites via a crafted URL.

Action-Not Available
Vendor-telaen_projectn/a
Product-telaenn/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2017-2497
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.85% / 53.82%
||
7 Day CHG~0.00%
Published-22 May, 2017 | 04:54
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "iBooks" component. It allows remote attackers to trigger visits to arbitrary URLs via a crafted book.

Action-Not Available
Vendor-n/aApple Inc.
Product-iphone_osmac_os_xn/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-21998
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.32% / 67.36%
||
7 Day CHG~0.00%
Published-27 Apr, 2021 | 17:46
Updated-04 Aug, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

Action-Not Available
Vendor-homeautomation_projectn/a
Product-homeautomationn/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-8761
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.44% / 35.62%
||
7 Day CHG~0.00%
Published-17 Sep, 2024 | 08:30
Updated-08 Apr, 2026 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Share This Image <= 2.03 - Open Redirect via link Parameter

The Share This Image plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.03. This is due to insufficient validation on the redirect url supplied via the link parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Action-Not Available
Vendor-wp-unitmihail-barinovshare_this_image_project
Product-share_this_imageShare This Imageshare_this_image
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-1970
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.26% / 16.85%
||
7 Day CHG~0.00%
Published-05 Feb, 2026 | 22:02
Updated-23 Feb, 2026 | 09:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Edimax BR-6258n formStaDrvSetup redirect

A flaw has been found in Edimax BR-6258n up to 1.18. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup. This manipulation of the argument submit-url causes open redirect. The attack can be initiated remotely. The exploit has been published and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-Edimax Technology Company Ltd.
Product-br-6258n_firmwarebr-6258nBR-6258n
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-8148
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
ShareView Details
Matching Score-4
Assigner-Environmental Systems Research Institute, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 21.31%
||
7 Day CHG~0.00%
Published-04 Oct, 2024 | 17:11
Updated-10 Apr, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BUG-000168624 - Unvalidated redirect in Portal for ArcGIS. (11.2, 11.1, 10.9.1. and 10.8.1)

There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.

Action-Not Available
Vendor-Environmental Systems Research Institute, Inc. ("Esri")
Product-portal_for_arcgisPortal for ArcGIS
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-8586
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 28.26%
||
7 Day CHG~0.00%
Published-09 Sep, 2024 | 03:07
Updated-16 Sep, 2024 | 13:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uniong WebITR - Open Redirect

WebITR from Uniong has an Open Redirect vulnerability, which allows unauthorized remote attackers to exploit this vulnerability to forge URLs. Users, believing they are accessing a trusted domain, can be redirected to another page, potentially leading to phishing attacks.

Action-Not Available
Vendor-uniongUniong
Product-webitrWebITR
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2013-0594
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.25% / 65.78%
||
7 Day CHG~0.00%
Published-11 Jul, 2018 | 16:00
Updated-06 Aug, 2024 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open redirect vulnerability in IBM iNotes before 8.5.3 Fix Pack 6 and 9.x before 9.0.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. IBM X-Force ID: 83383.

Action-Not Available
Vendor-n/aIBM Corporation
Product-inotesn/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-8646
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 28.38%
||
7 Day CHG~0.00%
Published-11 Sep, 2024 | 13:26
Updated-18 Sep, 2024 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Eclipse Glassfish: URL redirection vulnerability to untrusted sites

In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/').

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-glassfishEclipse Glassfish
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-1723
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.00% / 58.55%
||
7 Day CHG~0.00%
Published-28 Jan, 2021 | 19:07
Updated-04 Aug, 2024 | 06:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in Keycloak Gatekeeper (Louketo). The logout endpoint can be abused to redirect logged-in users to arbitrary web pages. Affected versions of Keycloak Gatekeeper (Louketo): 6.0.1, 7.0.0

Action-Not Available
Vendor-keycloak_gatekeeper_projectLouketoRed Hat, Inc.
Product-mobile_application_platformkeycloak_gatekeeperKeycloak Gatekeeper
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-41207
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 29.37%
||
7 Day CHG~0.00%
Published-08 Nov, 2022 | 00:00
Updated-01 May, 2025 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Biller Direct allows an unauthenticated attacker to craft a legitimate looking URL. When clicked by an unsuspecting victim, it will use an unsensitized parameter to redirect the victim to a malicious site of the attacker's choosing which can result in disclosure or modification of the victim's information.

Action-Not Available
Vendor-SAP SE
Product-biller_directSAP Biller Direct
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-8386
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 28.63%
||
7 Day CHG~0.00%
Published-03 Sep, 2024 | 12:32
Updated-21 Nov, 2024 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-290
Authentication Bypass by Spoofing
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-40754
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.1||MEDIUM
EPSS-1.45% / 70.23%
||
7 Day CHG+0.04%
Published-21 Sep, 2022 | 07:25
Updated-27 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Redirect

In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.

Action-Not Available
Vendor-The Apache Software Foundation
Product-airflowApache Airflow
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-8021
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.72% / 49.54%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:11
Updated-26 Mar, 2025 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Redirect in gradio-app/gradio

An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malicious website by URL encoding. This can be exploited by sending a crafted request to the application, which results in a 302 redirect to an attacker-controlled site.

Action-Not Available
Vendor-gradio_projectgradio-app
Product-gradiogradio-app/gradio
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2022-29214
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.61% / 44.95%
||
7 Day CHG~0.00%
Published-20 May, 2022 | 23:45
Updated-23 Apr, 2025 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
URL Redirection to Untrusted Site ('Open Redirect') in next-auth

NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers recommend adding a certain configuration to one's `callbacks` option as a workaround for those unable to upgrade.

Action-Not Available
Vendor-nextauth.jsnextauthjs
Product-next-authnext-auth
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-15241
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.97% / 57.41%
||
7 Day CHG+0.01%
Published-08 Oct, 2020 | 20:15
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting in TYPO3 Fluid Engine

TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1).

Action-Not Available
Vendor-TYPO3 Association
Product-typo3fluid_engineFluid
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15242
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.77% / 51.19%
||
7 Day CHG+0.01%
Published-08 Oct, 2020 | 19:50
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Redirect in Next.js

Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain. The issue is fixed in version 9.5.4.

Action-Not Available
Vendor-vercelvercel
Product-next.jsnext.js
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-12049
Matching Score-4
Assigner-PostgreSQL
ShareView Details
Matching Score-4
Assigner-PostgreSQL
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.25%
||
7 Day CHG-0.04%
Published-18 Jun, 2026 | 23:37
Updated-29 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter

Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow. The defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim. Fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC. This issue affects pgAdmin 4: from 6.0 before 9.16.

Action-Not Available
Vendor-pgadminpgadmin.org
Product-pgadmin_4pgAdmin 4
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 20
  • 21
  • Next
Details not found