Common Weakness Enumeration

CWE-601

Allowed

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base · Status: Draft

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

2306 vulnerabilities reference this CWE, most recent first.

GHSA-CWX8-767M-CWMV

Vulnerability from github – Published: 2022-05-14 03:23 – Updated: 2022-05-14 03:23
VLAI
Details

Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-13T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link.",
  "id": "GHSA-cwx8-767m-cwmv",
  "modified": "2022-05-14T03:23:51Z",
  "published": "2022-05-14T03:23:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0364"
    },
    {
      "type": "WEB",
      "url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T122209"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2017-0364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CXJ8-GGF2-P57C

Vulnerability from github – Published: 2026-04-03 21:43 – Updated: 2026-04-03 21:43
VLAI
Summary
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Details

Summary

SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic deployments as The OIDC provider will then send the authorization code to whatever domain was injected.

The OIDC specification requires redirect_uri to be pre-registered and not derived from untrusted input. Constructing it from the Host header violates this requirement and introduces a trust boundary break. This risk is actively amplified by SignalK's official documentation, which instructs administrators to deploy an Nginx configuration that forwards the vulnerable Host header, exposing production environments.

Vulnerability Root Cause

Two factors combine to create this vulnerability:

Factor 1: redirectUri is optional with an unsafe fallback In types.ts:30, redirectUri is declared as optional

export interface OIDCConfig {
  // ...
  redirectUri?: string   // ← Optional, no default value
  // ...
}

The defaults in types.ts:175-185 do not include a redirectUri: never checks or warns about a missing redirectUri. This means a fully "valid" OIDC configuration can exist without redirectUri, silently activating the vulnerable fallback path.

export const OIDC_DEFAULTS: Omit<OIDCConfig, 'issuer' | 'clientId' | 'clientSecret'> = {
  enabled: false,
  scope: 'openid email profile',
  defaultPermission: 'readonly',
  autoCreateUsers: true,
  providerName: 'SSO Login',
  autoLogin: false
  // ← No redirectUri default
}

Factor 2: Unsafe Host header usage in two locations Location 1 — Login handler in oidc-auth.ts:278-282:

const protocol = req.secure ? 'https' : 'http'
const host = req.get('host')                          // ← Attacker-controlled
const redirectUri =
  oidcConfig.redirectUri ||                            // ← Only safe if explicitly set
  `${protocol}://${host}${skAuthPrefix}/oidc/callback` // ← Uses attacker's Host

This redirectUri flows into createAuthState() → buildAuthorizationUrl() → OIDC provider's redirect_uri parameter. The OIDC provider will then send the authorization code to whatever domain was injected.

Location 2 — Logout handler in oidc-auth.ts:513-515:

const protocol = req.secure ? 'https' : 'http'
const host = req.get('host')                            // ← Same pattern
const fullPostLogoutUri = `${protocol}://${host}${postLogoutRedirect}`

This constructs the post_logout_redirect_uri sent to the OIDC provider's end_session_endpoint, allowing an attacker to redirect the user to an attacker controlled domain after logout.

Official Documentation Enables the Attack

SignalK's own security documentation at docs/security.md:222-228 provides the recommended nginx reverse proxy configuration: The proxy_set_header Host $host; directive forwards the client-supplied Host header to the backend unmodified. Without this directive, nginx would replace the Host header with the upstream address (localhost:3000), which would neutralize the injection.

location / {
    proxy_pass http://localhost:3000;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;   # ← Forwards client's Host header to SignalK
}

Administrators who follow the official documentation are directly enabling this vulnerability behind their reverse proxy.

Proof of Concept

Tested against SignalK Server v2.23.0 in Docker with OIDC enabled .

Step 1 — Send login request with injected Host header: $response = Invoke-WebRequest -Uri "http://localhost:3000/signalk/v1/auth/oidc/login" -Headers @{"Host"="evil.com"} -MaximumRedirection 0 -ErrorAction SilentlyContinue -UseBasicParsing

Step 2: Decode and print the injected redirect URL [uri]::UnescapeDataString($response.Headers.Location) Screenshot 2026-03-25 171251

Impact

  • Authorization Code Theft: The OIDC provider sends the OAuth authorization code to the attacker's domain instead of the legitimate server.
  • Session Hijack: The attacker can exchange the stolen code for tokens and create a session as the victim user.
  • Logout Redirect Hijack: The logout handler has the same pattern, allowing post-logout redirection to an attacker domain (phishing opportunity).
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.20.0"
            },
            {
              "fixed": "2.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:43:22Z",
    "nvd_published_at": "2026-04-02T17:16:23Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nSignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an **attacker spoof the Host header** to steal OAuth authorization codes and hijack user sessions in realistic deployments as The OIDC provider will then send the authorization code to whatever domain was injected.\n\n_The OIDC specification requires redirect_uri to be pre-registered and not derived from untrusted input. Constructing it from the Host header violates this requirement and introduces a trust boundary break._\nThis risk is actively amplified by SignalK\u0027s official documentation, which instructs administrators to deploy an Nginx configuration that forwards the vulnerable Host header, exposing production environments.\n\n## Vulnerability Root Cause\n\nTwo factors combine to create this vulnerability:\n\n**Factor 1: redirectUri is optional with an unsafe fallback**\nIn types.ts:30, redirectUri is declared as optional\n```\nexport interface OIDCConfig {\n  // ...\n  redirectUri?: string   // \u2190 Optional, no default value\n  // ...\n}\n```\n\nThe defaults in types.ts:175-185 do not include a redirectUri: never checks or warns about a missing redirectUri. This means a fully \"valid\" OIDC configuration can exist without redirectUri, silently activating the vulnerable fallback path.\n```\nexport const OIDC_DEFAULTS: Omit\u003cOIDCConfig, \u0027issuer\u0027 | \u0027clientId\u0027 | \u0027clientSecret\u0027\u003e = {\n  enabled: false,\n  scope: \u0027openid email profile\u0027,\n  defaultPermission: \u0027readonly\u0027,\n  autoCreateUsers: true,\n  providerName: \u0027SSO Login\u0027,\n  autoLogin: false\n  // \u2190 No redirectUri default\n}\n```\n\n**Factor 2: Unsafe Host header usage in two locations**\nLocation 1 \u2014 Login handler in oidc-auth.ts:278-282:\n```\nconst protocol = req.secure ? \u0027https\u0027 : \u0027http\u0027\nconst host = req.get(\u0027host\u0027)                          // \u2190 Attacker-controlled\nconst redirectUri =\n  oidcConfig.redirectUri ||                            // \u2190 Only safe if explicitly set\n  `${protocol}://${host}${skAuthPrefix}/oidc/callback` // \u2190 Uses attacker\u0027s Host\n\n```\nThis redirectUri flows into createAuthState() \u2192 buildAuthorizationUrl() \u2192 OIDC provider\u0027s redirect_uri parameter. The OIDC provider will then send the authorization code to whatever domain was injected.\n\nLocation 2 \u2014 Logout handler in oidc-auth.ts:513-515:\n```\nconst protocol = req.secure ? \u0027https\u0027 : \u0027http\u0027\nconst host = req.get(\u0027host\u0027)                            // \u2190 Same pattern\nconst fullPostLogoutUri = `${protocol}://${host}${postLogoutRedirect}`\n```\nThis constructs the post_logout_redirect_uri sent to the OIDC provider\u0027s end_session_endpoint, allowing an attacker to redirect the user to an attacker controlled domain after logout.\n\n### Official Documentation Enables the Attack\n\nSignalK\u0027s own security documentation at docs/security.md:222-228 provides the recommended nginx reverse proxy configuration:\nThe proxy_set_header Host $host; directive forwards the client-supplied Host header to the backend unmodified. Without this directive, nginx would replace the Host header with the upstream address (localhost:3000), which would neutralize the injection.\n```\nlocation / {\n    proxy_pass http://localhost:3000;\n    proxy_set_header X-Forwarded-For $remote_addr;\n    proxy_set_header X-Forwarded-Proto $scheme;\n    proxy_set_header Host $host;   # \u2190 Forwards client\u0027s Host header to SignalK\n}\n```\nAdministrators who follow the official documentation are directly enabling this vulnerability behind their reverse proxy.\n\n## Proof of Concept \nTested against SignalK Server v2.23.0 in Docker with OIDC enabled .\n\n**Step 1 \u2014 Send login request with injected Host header:**\n`$response = Invoke-WebRequest -Uri \"http://localhost:3000/signalk/v1/auth/oidc/login\" -Headers @{\"Host\"=\"evil.com\"} -MaximumRedirection 0 -ErrorAction SilentlyContinue -UseBasicParsing`\n\n**Step 2: Decode and print the injected redirect URL**\n`[uri]::UnescapeDataString($response.Headers.Location)\n`\n\u003cimg width=\"1259\" height=\"211\" alt=\"Screenshot 2026-03-25 171251\" src=\"https://github.com/user-attachments/assets/6e4a9655-639e-48c2-a7f0-06e17ad471ff\" /\u003e\n\n## Impact\n\n* **Authorization Code Theft:** The OIDC provider sends the OAuth authorization code to the attacker\u0027s domain instead of the legitimate server.\n* **Session Hijack:** The attacker can exchange the stolen code for tokens and create a session as the victim user.\n* **Logout Redirect Hijack:** The logout handler has the same pattern, allowing post-logout redirection to an attacker domain (phishing opportunity).",
  "id": "GHSA-cxj8-ggf2-p57c",
  "modified": "2026-04-03T21:43:22Z",
  "published": "2026-04-03T21:43:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34083"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow"
}

GHSA-F258-75GH-Q3V9

Vulnerability from github – Published: 2023-12-20 00:32 – Updated: 2026-04-28 21:33
VLAI
Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Parcel Pro.This issue affects Parcel Pro: from n/a through 1.6.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-19T22:15:07Z",
    "severity": "MODERATE"
  },
  "details": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Parcel Pro.This issue affects Parcel Pro: from n/a through 1.6.11.",
  "id": "GHSA-f258-75gh-q3v9",
  "modified": "2026-04-28T21:33:27Z",
  "published": "2023-12-20T00:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46624"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/woo-parcel-pro/wordpress-parcel-pro-plugin-1-6-3-open-redirection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F2G3-6RQ6-34PC

Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2023-05-23 15:30
VLAI
Details

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs (that redirect to an external web site) via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an "Open Redirect" issue; instead, it allows the attacker to create a new URI with an arbitrary name (e.g., the /exampleredirect URI).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-07T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs (that redirect to an external web site) via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an \"Open Redirect\" issue; instead, it allows the attacker to create a new URI with an arbitrary name (e.g., the /exampleredirect URI).",
  "id": "GHSA-f2g3-6rq6-34pc",
  "modified": "2023-05-23T15:30:25Z",
  "published": "2022-05-24T17:13:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11515"
    },
    {
      "type": "WEB",
      "url": "https://rankmath.com/changelog"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/seo-by-rank-math/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F2W7-FCQJ-G66G

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:19:33Z",
    "severity": "MODERATE"
  },
  "details": "Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity.",
  "id": "GHSA-f2w7-fcqj-g66g",
  "modified": "2026-06-17T18:35:45Z",
  "published": "2026-06-17T18:35:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10839"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F3G8-9XV5-77GV

Vulnerability from github – Published: 2026-04-16 23:00 – Updated: 2026-05-11 13:29
VLAI
Summary
Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)
Details

Summary

Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL.

Details

Vulnerable function: packages/server/routes/utils.js:393-395

const is_relative_url = (url) => {
  return typeof url === "string" && !url.includes(":/") && !url.includes("//");
};

The function's intent is to allow only same-origin redirects, but the allow-list only checks for two literal substrings. It does not handle: - backslash characters, which WHATWG URL parsing (used by every modern browser) treats as forward slashes for the special schemes http, https, ftp, ws, wss. A URL parser fed /\evil.com/path with a base of http://victim/ resolves to http://evil.com/path. - non-http(s): schemes that do not contain :/. The strings javascript:alert(1), data:text/html,..., vbscript:... all pass.

Vulnerable callsite: packages/server/auth/routes.js:1371-1376

} else if (
  (req.body || {}).dest &&
  is_relative_url(decodeURIComponent((req.body || {}).dest))
) {
  res.redirect(decodeURIComponent((req.body || {}).dest));
} else res.redirect("/");

The body's dest is URL-decoded twice (once by body-parser, once by the explicit decodeURIComponent) and the same value is passed to res.redirect. Express 5's res.redirect runs the value through encodeurl@2.0.0, whose whitelist character class [^\x21\x23-\x3B\x3D\x3F-\x5F\x61-\x7A\x7C\x7E] includes \x5C (backslash). The backslash is therefore not percent-encoded and ends up verbatim in the Location response header.

PoC

poc.zip

Please extract the uploaded compressed file before proceeding 1. ./setup.sh 2. ./poc.sh

스크린샷 2026-04-13 오후 11 44 36

Impact

Any user who can be lured into clicking a Saltcorn login URL crafted by the attacker will, after submitting their valid credentials, be redirected to an attacker-controlled origin. The redirect happens under the trusted Saltcorn domain, so the user has no visual cue that they are about to leave the site. Realistic abuse patterns:

  • Credential phishing — the attacker's site renders a forged "session expired, please log in again" prompt to capture the password the user just typed.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0-beta.0"
            },
            {
              "fixed": "1.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0-alpha.0"
            },
            {
              "fixed": "1.6.0-beta.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T23:00:45Z",
    "nvd_published_at": "2026-05-07T20:16:44Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSaltcorn validates the post-login `dest` parameter with a string check that only blocks `:/` and `//`. Because all WHATWG-compliant browsers normalise backslashes (`\\`) to forward slashes (`/`) for special schemes, a payload such as `/\\evil.com/path` slips through `is_relative_url()`, is emitted unchanged in the HTTP `Location` header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL.\n\n### Details\nVulnerable function: `packages/server/routes/utils.js:393-395`\n\n```js\nconst is_relative_url = (url) =\u003e {\n  return typeof url === \"string\" \u0026\u0026 !url.includes(\":/\") \u0026\u0026 !url.includes(\"//\");\n};\n```\n\nThe function\u0027s intent is to allow only same-origin redirects, but the allow-list only checks for two literal substrings. It does not handle:\n- backslash characters, which WHATWG URL parsing (used by every modern browser) treats as forward slashes for the special schemes `http`, `https`, `ftp`, `ws`, `wss`. A URL parser fed `/\\evil.com/path` with a base of `http://victim/` resolves to `http://evil.com/path`.\n- non-`http(s):` schemes that do not contain `:/`. The strings `javascript:alert(1)`, `data:text/html,...`, `vbscript:...` all pass.\n\nVulnerable callsite: `packages/server/auth/routes.js:1371-1376`\n\n```js\n} else if (\n  (req.body || {}).dest \u0026\u0026\n  is_relative_url(decodeURIComponent((req.body || {}).dest))\n) {\n  res.redirect(decodeURIComponent((req.body || {}).dest));\n} else res.redirect(\"/\");\n```\n\nThe body\u0027s `dest` is URL-decoded twice (once by body-parser, once by the explicit `decodeURIComponent`) and the same value is passed to `res.redirect`. Express 5\u0027s `res.redirect` runs the value through `encodeurl@2.0.0`, whose whitelist character class `[^\\x21\\x23-\\x3B\\x3D\\x3F-\\x5F\\x61-\\x7A\\x7C\\x7E]` includes `\\x5C` (backslash). The backslash is therefore not percent-encoded and ends up verbatim in the `Location` response header.\n\n### PoC\n[poc.zip](https://github.com/user-attachments/files/26678853/poc.zip)\n\nPlease extract the uploaded compressed file before proceeding\n1. ./setup.sh\n2. ./poc.sh\n\n\u003cimg width=\"419\" height=\"71\" alt=\"\u1109\u1173\u110f\u1173\u1105\u1175\u11ab\u1109\u1163\u11ba 2026-04-13 \u110b\u1169\u1112\u116e 11 44 36\" src=\"https://github.com/user-attachments/assets/9c919ed4-167b-47e3-9873-733f97b44bf0\" /\u003e\n\n### Impact\nAny user who can be lured into clicking a Saltcorn login URL crafted by the attacker will, after submitting their valid credentials, be redirected to an attacker-controlled origin. The redirect happens under the trusted Saltcorn domain, so the user has no visual cue that they are about to leave the site. Realistic abuse patterns:\n\n- Credential phishing \u2014 the attacker\u0027s site renders a forged \"session expired, please log in again\" prompt to capture the password the user just typed.",
  "id": "GHSA-f3g8-9xv5-77gv",
  "modified": "2026-05-11T13:29:07Z",
  "published": "2026-04-16T23:00:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-f3g8-9xv5-77gv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42259"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saltcorn/saltcorn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)"
}

GHSA-F3JJ-8CHJ-C8M4

Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2026-04-01 18:36
VLAI
Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in GoodBarber GoodBarber. This issue affects GoodBarber: from n/a through 1.0.26.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-09T17:15:45Z",
    "severity": "MODERATE"
  },
  "details": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in GoodBarber GoodBarber. This issue affects GoodBarber: from n/a through 1.0.26.",
  "id": "GHSA-f3jj-8chj-c8m4",
  "modified": "2026-04-01T18:36:07Z",
  "published": "2025-09-09T18:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39523"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/goodbarber/vulnerability/wordpress-goodbarber-1-0-26-open-redirection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3RF-CR7F-CWC4

Vulnerability from github – Published: 2024-02-20 06:30 – Updated: 2025-07-29 12:23
VLAI
Summary
Liferay Portal and Liferay DXP Vulnerable to Open Redirect in Countries Management's Edit Region Page
Details

Open redirect vulnerability in the Countries Management’s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_address_web_internal_portlet_CountriesManagementAdminPortlet_redirect parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.portal.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.3.45-ga45"
            },
            {
              "fixed": "7.4.3.102-ga102"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.Q3"
            },
            {
              "fixed": "2023.Q3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.13.u45"
            },
            {
              "last_affected": "7.4.13.u92"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-29T12:23:26Z",
    "nvd_published_at": "2024-02-20T06:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Open redirect vulnerability in the Countries Management\u2019s edit region page in Liferay Portal 7.4.3.45 through 7.4.3.101, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 45 through 92 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_address_web_internal_portlet_CountriesManagementAdminPortlet_redirect parameter.",
  "id": "GHSA-f3rf-cr7f-cwc4",
  "modified": "2025-07-29T12:23:26Z",
  "published": "2024-02-20T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5190"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/26277c22498eb03bb192bbe9e5d2ee34d213780b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-5190"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Liferay Portal and Liferay DXP Vulnerable to Open Redirect in Countries Management\u0027s Edit Region Page"
}

GHSA-F4F7-96RJ-QRP5

Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-20 00:00
VLAI
Details

OpenAM Consortium Edition version 14.0.0 provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601). When accessing an affected server through some specially crafted URL, the user may be redirected to an arbitrary website.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-15T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OpenAM Consortium Edition version 14.0.0 provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601). When accessing an affected server through some specially crafted URL, the user may be redirected to an arbitrary website.",
  "id": "GHSA-f4f7-96rj-qrp5",
  "modified": "2022-09-20T00:00:29Z",
  "published": "2022-09-16T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31735"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openam-jp/openam/issues/259"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU99326969"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4GP-5RMP-P2PW

Vulnerability from github – Published: 2023-12-19 21:32 – Updated: 2026-04-28 21:33
VLAI
Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Doofinder Doofinder WP & WooCommerce Search.This issue affects Doofinder WP & WooCommerce Search: from n/a through 1.5.49.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-19T20:15:07Z",
    "severity": "MODERATE"
  },
  "details": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Doofinder Doofinder WP \u0026 WooCommerce Search.This issue affects Doofinder WP \u0026 WooCommerce Search: from n/a through 1.5.49.",
  "id": "GHSA-f4gp-5rmp-p2pw",
  "modified": "2026-04-28T21:33:26Z",
  "published": "2023-12-19T21:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40602"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/doofinder-for-woocommerce/wordpress-doofinder-for-woocommerce-plugin-1-5-49-open-redirection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • Use a list of approved URLs or domains to be used for redirection.
Mitigation
Architecture and Design

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Mitigation MIT-21.2
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Architecture and Design

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-178: Cross-Site Flashing

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.