CWE-601

Exploit likelihood: Low

URL Redirection to Untrusted Site ('Open Redirect')

Parent: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

1,513 vulnerabilities with CWE-601
CVE-2026-34257 MEDIUM
Open Redirect vulnerability in SAP NetWeaver Application Server ABAP
CVSS 6.1
CVE-2026-6203 MEDIUM
User Registration & Membership <= 5.1.4 - Unauthenticated Open Redirect via 'redirect_to_on_logout' Parameter
CVSS 6.1
CVE-2026-39940 MEDIUM
ChurchCRM <7.0.0 DonatedItemEditor.php linkBack - Open Redirect
CVE-2026-32932 MEDIUM
Chamilo LMS Session Course Edit page - Open Redirect
CVSS 4.7
CVE-2026-22560 MEDIUM
Rocket.Chat < 8.4.0 - Open Redirect via SAML Endpoint Parameter Manipulation
CVSS 5.3
CVE-2026-25854 MEDIUM
Apache Tomcat: Occasionally open redirect
CVSS 6.1
CVE-2026-39985 MEDIUM
LORIS Login redirect Parameter - Open Redirect
CVSS 4.3
CVE-2026-40037 MEDIUM
OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects
CVSS 6.5
CVE-2026-39484 MEDIUM
WordPress Hide My WP Ghost plugin < 7.0.00 - Open Redirection vulnerability
CVSS 4.7
CVE-2026-23818 HIGH
Open Redirect Vulnerability in HPE Aruba Networking Private 5G Core On-Prem
CVSS 8.8
CVE-2026-35475 MEDIUM
WeGIA - Open Redirect - backup redirection — Unvalidated $_GET['redirect']
CVSS 6.1
CVE-2026-35474 MEDIUM
WeGIA - Open Redirect - atualizacao redirection - Unvalidated $_GET['redirect']
CVSS 6.1
CVE-2026-35473 MEDIUM
WeGIA - Open Redirect - IentradaControle - listarId() - Unvalidated $_GET['nextPage']
CVSS 6.1
CVE-2026-35411 MEDIUM
Directus: Open Redirect in Admin 2FA Setup Page
CVSS 4.3
CVE-2026-35410 MEDIUM
Directus <11.16.1 OAuth2/SAML Login - Open Redirect
CVSS 6.1
CVE-2026-35404 MEDIUM
Open edX Platform view_survey redirect_url - Open Redirect
CVSS 4.7
CVE-2026-35472 MEDIUM
WeGIA - Open Redirect - EstoqueControle - listarTodos() - Unvalidated $_GET['nextPage']
CVSS 6.1
CVE-2026-35398 MEDIUM
WeGIA - Open Redirect - OrigemControle - listarTodos() & listarId_Nome() - Unvalidated $_GET['nextPage']
CVSS 6.1
CVE-2026-35396 MEDIUM
WeGIA - Open Redirect - IsaidaControle - listarId() - Unvalidated $_GET['nextPage']
CVSS 6.1
CVE-2026-33510 HIGH
DOM-Based XSS in Homarr /auth/login Redirect
CVSS 8.8
CVE-2026-33709 MEDIUM
JupyterHub <5.4.4 Login Flow - Open Redirect
CVSS 6.1
CVE-2026-5467 MEDIUM
Casdoor OAuth Authorization Request redirect
CVSS 4.3
CVE-2026-34931 CRITICAL
hoppscotch: Improper loopback redirect_uri validation in device-login flow
CVSS 9.6
CVE-2026-34847 MEDIUM
hoppscotch: Open redirect via `/enter?redirect=`
CVSS 4.7
CVE-2026-34083 MEDIUM
signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
CVSS 6.1