CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added yesterday•32 views

CVE-2026-44889

WebOb (HTTP request/response utilities) is affected prior to version 1.8.10 by an open redirect in Location header normalization during redirects. The vulnerability arises from how WebOb uses urljoin/urlsplit to combine the redirect target with the request URL; since Python 3.10, urlsplit strips ...

6.1CVSS5.9AI score0.00036EPSS

Cvelist•added yesterday•22 views

CVE-2026-44889 WebOb: Location header normalization during redirect leads to open redirect

6.1CVSS0.00036EPSS

RedhatCVE•added 5 days ago•6 views

CVE-2026-33244

A flaw was found in react-router. When using Framework Mode with pre-rendering enabled, an attacker can exploit improper handling of the HTTP Location header value. This can lead to Cross-Site Scripting XSS, allowing malicious scripts to be injected into statically generated HTML files if the...

5.4CVSS5.2AI score0.00144EPSS

OSV•added 2026/06/12 12:28 p.m.•6 views

OESA-2026-2679 python-webob security update

WebOb provides wrappers around the WSGI request environment, and an object to help create WSGI responses. The objects map much of the specified behavior of HTTP, including header parsing and accessors for other standard parts of the environment. Security Fixes: Impact When WebOb normalizes the HT...

6.1CVSS5.3AI score0.00036EPSS

Exploits0References2

OSV•added 2026/06/04 2:33 p.m.•4 views

GHSA-FH3H-VG37-CC95 WebOb: Location header normalization during redirect leads to open redirect - again

Impact When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urllib.parse, and joining it to the base URL. urlsplit called internally by urljoin however treats a // at the start of a string ...

6.1CVSS5.7AI score0.00036EPSS

Exploits0References6

Github Security Blog•added 2026/06/04 2:33 p.m.•25 views

WebOb: Location header normalization during redirect leads to open redirect - again

6.1CVSS5.7AI score0.00472EPSS

Exploits1References6Affected Software1

Positive Technologies•added 2026/06/04 12:0 a.m.•13 views

PT-2026-46304

Name of the Vulnerable Software and Affected Versions WebOb versions prior to 1.8.10 Description An open redirect occurs when the software normalizes the HTTP Location header to include the request hostname. The process involves parsing the redirect URL using Python's urllib.parse and joining it ...

6.1CVSS5.3AI score0.00036EPSS

Exploits0References13

EUVD•added 2026/06/03 8:33 p.m.•13 views

EUVD-2026-33986

React Router has stored XSS via unescaped Location header in prerendered redirect HTML...

Github Security Blog•added 2026/06/03 8:33 p.m.•13 views

Exploits0References2

React Router has stored XSS via unescaped Location header in prerendered redirect HTML

When using React Router v7 Framework Mode with Pre-rendering enabled, an improper neutralization of the HTTP Location header value can permit Cross-Site Scripting XSS in statically generated HTML files if the redirect location comes from an untrusted source. !NOTE This does not impact your React...

Exploits0References3Affected Software1

OSV•added 2026/06/03 8:33 p.m.•6 views

GHSA-F22V-GFQF-P8F3 React Router has stored XSS via unescaped Location header in prerendered redirect HTML

SUSE CVE•added 2026/06/03 2:25 a.m.•13 views

Exploits0References3

SUSE CVE-2026-33244

React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting XSS in the statically generated HTML files if the redirect location comes from an...

Positive Technologies•added 2026/06/03 12:0 a.m.•13 views

Exploits0References3

PT-2026-46095

NVD•added 2026/06/02 5:16 p.m.•10 views

CVE-2026-33244

5.4CVSS0.00144EPSS

Cvelist•added 2026/06/02 4:59 p.m.•30 views

CVE-2026-33244 React Router has stored XSS via unescaped Location header in prerendered redirect HTML

5.4CVSS0.00144EPSS

Positive Technologies•added 2026/06/02 12:0 a.m.•10 views

PT-2026-45799

Name of the Vulnerable Software and Affected Versions React Router versions 7.5.1 through 7.13.1 Description When using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting XSS—a vulnerability where malicious scripts...

CNNVD•added 2026/06/02 12:0 a.m.•4 views

react-router 跨站脚本漏洞

react-router is a declarative routing library for React, open-sourced by Remix. Versions of react-router from 7.5.1 to 7.13.1 have a cross-site scripting vulnerability. This vulnerability stems from improper handling of the HTTP Location header value in framework mode with pre-rendering enabled,...

5.4CVSS5AI score0.00144EPSS

EUVD•added 2026/06/01 7:41 p.m.•16 views

EUVD-2026-33757

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...

5.3CVSS5.8AI score0.00287EPSS

NVD•added 2026/05/28 6:16 p.m.•11 views

CVE-2026-45307

Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the issafeurl helper used to validate post-login redirect targets applied urljoinrequest.hosturl, target before parsing, while the controller passed the raw target to redirect. A...

6.1CVSS0.00153EPSS