CVE-2026-52802

Summary: CVE-2026-52802 affects Gogs prior to version 0.14.3, exposing an open redirect in redirects validated by IsSameSite. The check only examines the first two characters of the redirect_to value, failing to account for directory traversal sequences (e.g., /a/../\example.com). When browsers n...

EUVD-2026-38759

Open redirect vulnerability CWE-601 in the saferedirect function of the click-tracking endpoint /c// in Mailerup 1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the...

GHSA-XXHQ-69MF-W8CR Gogs has an Open Redirect via redirect_to

Summary An open redirect vulnerability exists in Gogs where attacker-controlled redirectto parameters can bypass validation, allowing redirection to arbitrary external sites. Details All redirects in Gogs that are validated via the IsSameSite function are vulnerable: go func IsSameSiteurl string...

EUVD-2026-38127

Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmationurl parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting...

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the OAuth2Client function. An attacker can redirect users to arbitrary external sites by crafting a malicious link and tricking them into clicking it. Remediation A fix was pushed into the master branch but not yet...

CVE-2026-3318

Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the ‘returnUrl’ parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result,...

Open Redirect

Overview org.webjars.npm:nitropack is a Build and Deploy Universal JavaScript Servers Affected versions of this package are vulnerable to Open Redirect via the routeRules function. An attacker can redirect users to arbitrary external sites by crafting URLs with double slashes after the route...

CVE-2025-61669

Jupyter Server (backend for Jupyter web apps) up to version 2.17.0 contains an open redirect in the login flow. The issue resides in LoginFormHandler._redirect_safe(), which does not sufficiently validate the next query parameter, allowing redirects to arbitrary external domains (e.g., ///example...

CVE-2026-35410

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass...

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via URL parsing differentials in unauthenticated endpoints. An attacker can redirect users to external sites by crafting malicious URLs that bypass external URL detection after actions such as form submissions or...

CVE-2026-29105 SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect...

PYSEC-2026-56

An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled it is disabled by default, which may allow an attacker to redirect users to an arbitrary external website via a crafted URL...

isURLInPortal 输入验证错误漏洞

isURLInPortal is a Plone open-source URL security check patch for Plone. Versions prior to 2.1.0, 3.1.0, and 4.0.0 of isURLInPortal had a input validation vulnerability that could lead to redirection to external websites after login...

PT-2026-23133

Name of the Vulnerable Software and Affected Versions django-allauth versions prior to 65.14.1 Description An open redirect issue exists when SAML IdP initiated SSO is enabled, which is disabled by default. This may allow an attacker to redirect users to an arbitrary external website through a...

CVE-2026-1628

Mattermost Desktop App versions =5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server...

CVE-2026-1628 Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites.

Mattermost Desktop App versions =5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server...

Mattermost Desktop App 安全漏洞

The Mattermost Desktop App is a desktop application for messaging services provided by the American company Mattermost. The Mattermost Desktop App versions 5.13.3 and earlier contain security vulnerabilities. These vulnerabilities stem from the absence of restrictions on listeners that navigate t...

Eventum 3.3.4 Open Redirection

An open redirection vulnerability exists in Eventum Issue Tracker version 3.3.4. The vulnerability allows remote attackers to redirect users to arbitrary external websites. This issue is older research added to the archive...

OrangeForum 1.4.0 Open Redirection

An open redirection vulnerability exists in OrangeForum version 1.4.0. The vulnerability allows remote attackers to redirect users to arbitrary external websites. This issue is older research added to the archive...

CVE-2026-24768

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect open redirect vulnerability exists in NocoDB’s login flow due to missing validation of the continueAfterSignIn parameter. During authentication, NocoDB processes a user-controlled redirect...