99 matches found
SickChill - Open Redirect
SickChill's login endpoint's 'next' parameter accepts arbitrary content, allowing authenticated attackers to perform open redirects, but this was fixed in commit c7128a8946c3701df95c285810eb75b2de18bf82 by redirecting to a default page. id: CVE-2024-53995 info: name: SickChill - Open Redirect...
CVE-2026-12049
CVE-2026-12049 affects pgAdmin 4. An open redirect vulnerability exists in the MFA flow where the next parameter is not validated against the current origin, allowing an authenticated user to be redirected to an attacker-controlled host via /mfa/validate?next=… This is a trusted-domain redirect r...
CVE-2026-12049 pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter
Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next= -- a link typically...
CVE-2026-55237
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting XSS vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter next, which is...
CVE-2026-55237 AutoGPT SignUp Page has DOM-Based XSS and Open Redirect
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting XSS vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter next, which is...
PT-2026-50815
Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions 6.0 through 9.15 Description An open redirect exists in the multi-factor authentication MFA flow. The MFA validate and register endpoints, specifically '/mfa/validate', process the user-supplied next query or form parameter...
CVE-2026-45566
Roxy-WI unauthenticated login flow flaw (affecting 8.2.6.4 and prior) allows an open redirect via the next parameter. The code rejects strings containing https:// or http:// but then builds https://{request.host}{next_url} and redirects with window.location.replace(), not accounting for userinfo@...
EUVD-2026-36063
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://request.hostnexturl and the JS client redirects via...
CVE-2026-45566 Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://request.hostnexturl and the JS client redirects via...
PT-2026-48458
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://request.hostnext url and the JS client redirects via...
BIT-AIRFLOW-2026-40961 Apache Airflow: Open Redirect Bypass Vulnerability
A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the issafeurl check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to apache-airflow 3.2.2 or later. As a defense-in-dept...
CVE-2026-45307
Speakr prior to 0.8.20-alpha is vulnerable to an open redirect via the is_safe_url() helper. The validation used urljoin(request.host_url, target) before parsing, so a scheme-relative input like ////evil.com is resolved to a same-host URL during validation but is emitted verbatim in the Location ...
PT-2026-41962
Name of the Vulnerable Software and Affected Versions Nuxt versions 3.4.3 through 3.21.5 Nuxt versions 4.0.0-alpha.1 through 4.4.5 Description When using the navigateTo function with the external: true option, the software generates a server-side HTML redirect body containing a tag. The destinati...
CVE-2026-41513
Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects...
CVE-2026-41513 Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints
Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects...
PT-2026-40245
Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via the trainerlogin function. An attacker can redirect a user's browser to an external, attacker-controlled URL by supplying a crafted next parameter, potentially exposing sensitive information such as the original URL...
GHSA-VQV8-J3MJ-WJXJ wger: trainer_login open redirect - ?next= parameter not validated against host
Summary The trainerlogin view in wger redirects to request.GET'next' directly via HttpResponseRedirect without calling urlhasallowedhostandscheme. After the trainer successfully enters impersonation mode, their browser is redirected to any attacker-controlled URL supplied in the ?next= parameter,...
wger: trainer_login open redirect - ?next= parameter not validated against host
Summary The trainerlogin view in wger redirects to request.GET'next' directly via HttpResponseRedirect without calling urlhasallowedhostandscheme. After the trainer successfully enters impersonation mode, their browser is redirected to any attacker-controlled URL supplied in the ?next= parameter,...
GHSA-QH7Q-6QM3-653W Jupyter Server has an open redirection vulnerability in `next` query parameter
Summary The ?next=... URL query parameter has an open redirection vulnerability. In jupyterserver=2.17.0, this URL query parameter allows redirection to arbitrary external domains, which can be exploited to facilitate phishing attacks on server users. Details The vulnerability is caused by...