CWE-601— URL Redirection to Untrusted Site (Open Redirect)
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.— MITRE CWE catalog
1,432 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-601page 28 of 29
- CVE-2026-41126MEDIUMCVSS 4.3EG 4.32026-04-22
BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling of requests with incorrect checksum so…
- CVE-2026-41226MEDIUMCVSS 4.7EG 6.12026-04-30
Open redirect vulnerability exists in Multiple laser printers and MFPs which implement Ricoh Web Image Monitor. When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a …
- CVE-2026-41479MEDIUMCVSS 5.4EG 5.42026-06-08
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported respons…
- CVE-2026-41513MEDIUMCVSS 4.8EG 4.82026-05-12
Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-e…
- CVE-2026-41569MEDIUMCVSS 6.1EG 6.12026-06-02
authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a l…
- CVE-2026-41670HIGHCVSS 8.2EG 8.22026-05-07
Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination…
- CVE-2026-41706MEDIUMCVSS 6.1EG 6.12026-06-10
Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected version…
- CVE-2026-41844MEDIUMCVSS 6.1EG 4.22026-06-09
A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: …
- CVE-2026-42195LOWCVSS 3.4EG 3.42026-05-08
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the use…
- CVE-2026-42207MEDIUMCVSS 6.1EG 6.12026-05-15
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, Mage_ProductAlert_AddCon…
- CVE-2026-42230MEDIUMCVSS 6.1EG 6.12026-05-04
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be r…
- CVE-2026-42259MEDIUMCVSS 5.1EG 5.12026-05-07
Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WH…
- CVE-2026-42350MEDIUMCVSS 5.1EG 5.12026-05-08
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patche…
- CVE-2026-42525MEDIUMCVSS 4.3EG 4.32026-04-29
Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.
- CVE-2026-42565MEDIUMCVSS 4.3EG 4.32026-05-11
@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived…
- CVE-2026-43576HIGHCVSS 7.7EG 7.72026-05-06
OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not proper…
- CVE-2026-43924MEDIUMCVSS 4.8EG 4.82026-06-03
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This al…
- CVE-2026-43941CRITICALCVSS 9.6EG 8.82026-05-08
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any…
- CVE-2026-44372MEDIUMCVSS 6.1EG 6.12026-05-13
Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is …
- CVE-2026-44427NONECVSS 0.0EG 0.02026-05-14
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft…
- CVE-2026-44437MEDIUMCVSS 6.1EG 6.12026-05-13
The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR…
- CVE-2026-44503HIGHCVSS 7.0EG 7.02026-05-14
The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Onl…
- CVE-2026-44520MEDIUMCVSS 5.7EG 5.72026-05-14
Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP reques…
- CVE-2026-44598MEDIUMCVSS 5.4EG 5.42026-05-25
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when…
- CVE-2026-44681MEDIUMCVSS 6.1EG 6.12026-05-27
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cau…
- CVE-2026-44833MEDIUMCVSS 5.9EG 5.92026-05-26
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulner…
- CVE-2026-44889MEDIUMCVSS 6.1EG 6.12026-06-04
WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's u…
- CVE-2026-44915MEDIUMCVSS 6.1EG 6.12026-06-19
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 throu…
- CVE-2026-45037HIGHCVSS 7.1EG 7.12026-05-15
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This all…
- CVE-2026-45055HIGHCVSS 8.1EG 8.12026-05-13
CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email link…
- CVE-2026-45278MEDIUMCVSS 6.1EG 6.12026-06-01
Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OI…
- CVE-2026-45307MEDIUMCVSS 6.1EG 6.12026-05-28
Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urljoin(request.host_url, target) before par…
- CVE-2026-45335MEDIUMCVSS 5.4EG 5.42026-05-27
WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combin…
- CVE-2026-45448MEDIUMCVSS 4.3EG 4.32026-05-14
CWE-601 URL redirection to untrusted site ('open redirect')
- CVE-2026-45566MEDIUMCVSS 6.1EG 6.12026-06-10
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs http…
- CVE-2026-46616MEDIUMCVSS 6.1EG 6.12026-05-21
Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from …
- CVE-2026-46796HIGHCVSS 8.0EG 8.02026-06-17
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged atta…
- CVE-2026-46806HIGHCVSS 8.2EG 8.22026-06-17
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with ne…
- CVE-2026-46894HIGHCVSS 8.0EG 8.02026-06-17
Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Home Page). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network …
- CVE-2026-46955HIGHCVSS 7.5EG 7.52026-06-17
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Person). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network a…
- CVE-2026-47070MEDIUMCVSS 6.1EG 6.12026-05-25
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any…
- CVE-2026-47347MEDIUMCVSS 5.3EG 5.32026-06-09
Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users…
- CVE-2026-47377MEDIUMCVSS 5.1EG 5.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/')…
- CVE-2026-47645HIGHCVSS 8.8EG 8.82026-06-19
Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-4799MEDIUMCVSS 4.3EG 4.32026-03-31
In Search Guard FLX up to version 4.0.1, it is possible to use specially crafted requests to redirect the user to an untrusted URL.
- CVE-2026-47991MEDIUMCVSS 6.1EG 4.32026-06-09
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Redirect (Open Redirect) vulnerability that could lead to account takeover. An attacker could construct a malicious URL that redirects a vic…
- CVE-2026-48589MEDIUMCVSS 5.4EG 5.42026-05-25
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the r…
- CVE-2026-48832LOWCVSS 3.5EG 3.52026-05-24
action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability.
- CVE-2026-48856MEDIUMCVSS 6.5EG 6.52026-06-10
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without che…
- CVE-2026-48895HIGHCVSS 7.2EG 7.22026-06-19
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX:…
Map vulnerabilities like CWE-601 to your infrastructure
EchelonGraph correlates every CVE — across CWE-601 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →