24 matches found

Github Security Blog
added 2026/04/14 1:06 a.m., 2 views

Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler

Summary The SAML authentication success handler in Kimai returns the RelayState POST parameter as a redirect destination without validating the host or scheme. After a user successfully authenticates via SAML, they are redirected to an attacker-controlled URL if the IdP includes a malicious...

5.8 AI score
Exploits: 0, References: 3, Affected Software: 1
Veracode
added 2026/01/21 8:38 a.m., 7 views

Open Redirect

Directus is vulnerable to Open Redirect. The vulnerability is due to improper validation of the RelayState parameter in the SAML authentication callback endpoint, which allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL after login...

6.1 CVSS, 5.8 AI score, 0.00087 EPSS
Exploits: 0, References: 3, Affected Software: 2
RedhatCVE
added 2026/01/10 5:40 a.m., 2 views

CVE-2026-22032

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the RelayState parameter is intended to preserve the user's original...

6.1 CVSS, 7.6 AI score, 0.00087 EPSS
Exploits: 0, References: 1
Positive Technologies
added 2026/01/08 12:00 a.m., 4 views

PT-2026-2139

Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.14.0. Description: Directus is a real-time API and App dashboard for managing SQL database content. An open redirect exists in the Directus SAML authentication callback endpoint. The RelayState parameter, intended t...

6.1 CVSS, 7.3 AI score, 0.00087 EPSS
Exploits: 0, References: 8
Cvelist
added 2026/01/07 5:28 p.m., 19 views

CVE-2025-61782 Open Redirect in OpenCTI's SAML Authentication Flow

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.3, an open redirect vulnerability exists in the OpenCTI platform's SAML authentication endpoint /auth/saml/callback. By manipulating the RelayState parameter, an attacker can...

5.4 CVSS, 0.00097 EPSS
Exploits: 0, References: 3
CVE
added 2026/01/07 5:28 p.m., 5 views

CVE-2025-61782

OpenCTI prior to version 6.8.3 contains an open redirect in the SAML callback endpoint (/auth/saml/callback). By manipulating the RelayState parameter, an attacker can trigger a 302 redirect to an arbitrary external URL, enabling phishing and credential theft. Remediation: upgrade to version 6.8....

6.1 CVSS, 6.7 AI score, 0.00097 EPSS
Exploits: 0, References: 3, Affected Software: 1
Github Security Blog
added 2026/01/06 7:22 p.m., 9 views

Directus has open redirect in SAML

Security Advisory: Open Redirect in Directus SAML Authentication. Summary: An open redirect vulnerability exists in the Directus SAML authentication callback endpoint. The RelayState parameter is used in redirects without proper validation against an allowlist of permitted domains. Vulnerability...

6.1 CVSS, 7.1 AI score, 0.00087 EPSS
Exploits: 0, References: 4, Affected Software: 2
Snyk
added 2026/01/06 7:22 p.m., 4 views

Open Redirect

Overview: @directus/api is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Open Redirect via the RelayState parameter, which is used in redirects without proper validation against an allowlist of permitted domains. An attacker...

6.1 CVSS, 7.6 AI score, 0.00087 EPSS
Exploits: 0, References: 2
Tenable Nessus
added 2025/10/28 12:00 a.m., 4 views

Mattermost Server 10.5.x < 10.5.11 / 10.10.x < 10.10.3 / 10.11.x < 10.11.2 / 10.12.0 Multiple Vulnerabilities (MMSA-2025-00507, MMSA-2025-00508)

The version of Mattermost Server installed on the remote host is affected by multiple vulnerabilities as referenced in the MMSA-2025-00507 and MMSA-2025-00508 advisories. - Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.3, 10.5.x <= 10.5.10 fail to verify a user has permission to join a...

8.1 CVSS, 5.5 AI score, 0.00049 EPSS
Exploits: 0, References: 3
CNNVD
added 2025/10/27 12:00 a.m., 3 views

OpenVPN Access Server security vulnerability

OpenVPN Access Server is a web-based VPN management interface from OpenVPN, Inc. A security vulnerability exists in OpenVPN Access Server versions 2.14.0 through 2.14.3, which stems from the RelayState parameter in the SAML Authentication module not being filtered correctly, which could lead to...

6.4 CVSS, 5.9 AI score, 0.00038 EPSS
Exploits: 0, References: 1
Github Security Blog
added 2025/10/16 9:30 a.m., 5 views

Mattermost has a Missing Authorization vulnerability

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState...

8.1 CVSS, 6.9 AI score, 0.00049 EPSS
Exploits: 0, References: 6, Affected Software: 2
Snyk
added 2025/10/16 9:30 a.m., 3 views

Missing Authorization

Overview: github.com/mattermost/mattermost/server/v8/channels/web is a platform for secure collaboration across the entire software development lifecycle. Affected versions of this package are vulnerable to Missing Authorization in the RelayState parameter. An attacker can gain unauthorized access ...

8.6 CVSS, 7 AI score, 0.00049 EPSS
Exploits: 0, References: 2
Snyk
added 2025/10/16 9:30 a.m., 3 views

Missing Authorization

Overview: github.com/mattermost/mattermost-server is an open source Slack-alternative in Golang and React. Affected versions of this package are vulnerable to Missing Authorization in the RelayState parameter. An attacker can gain unauthorized access to any team by manipulating the RelayState...

8.6 CVSS, 7 AI score, 0.00049 EPSS
Exploits: 0, References: 2
OSV
added 2025/10/16 9:30 a.m., 4 views

GHSA-R6QJ-894F-5HR2 Mattermost has a Missing Authorization vulnerability

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState...

8.1 CVSS, 6.9 AI score, 0.00049 EPSS
Exploits: 0, References: 6
NVD
added 2025/10/16 9:15 a.m., 2 views

CVE-2025-58075

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState...

8.1 CVSS, 0.00049 EPSS
Exploits: 0, References: 1
Cvelist
added 2025/10/16 8:20 a.m., 7 views

CVE-2025-58075 Arbitrary Mattermost Team can be joined by manipulating the SAML RelayState

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState...

8.1 CVSS, 0.00049 EPSS
Exploits: 0, References: 1
CNNVD
added 2025/10/16 12:00 a.m., 2 views

Mattermost security vulnerability

Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability in Mattermost versions 10.11.x up to and including 10.11.1, 10.10.x up to and including 10.10.2, and 10.5.x up to and including 10.5.10 stems from a failure to validate that a user has the privileg...

8.1 CVSS, 6.5 AI score, 0.00049 EPSS
Exploits: 0, References: 1
CVE
added 2025/09/15 10:28 a.m., 23 views

CVE-2025-9072

Mattermost CVE-2025-9072 is an open redirect vulnerability in Mattermost Server where the redirect_to parameter is not validated in certain versions (10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x

7.6 CVSS, 6.4 AI score, 0.00045 EPSS
Exploits: 0, References: 1, Affected Software: 1
RedhatCVE
added 2025/05/22 5:30 p.m., 2 views

CVE-2020-6850

Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4.8.84 for WordPress allows XSS via a crafted SAML XML Response to wp-login.php. This is related to the SAMLResponse and RelayState variables, and the Destination parameter of the samlp:Response XML element...

6.1 CVSS, 6.1 AI score, 0.00363 EPSS
Exploits: 1, References: 1
OSV
added 2024/02/02 4:55 p.m., 2 views

GHSA-34Q3-P352-C7Q8 Central Dogma Authentication Bypass Vulnerability via Session Leakage

Vulnerability Overview: A vulnerability has been identified in Central Dogma versions prior to 0.64.1, allowing for the leakage of user sessions and subsequent authentication bypass. The issue stems from a Cross-Site Scripting (XSS) attack vector that targets the RelayState of Security Assertion...

9.3 CVSS, 5.7 AI score, 0.00281 EPSS
Exploits: 0, References: 4