EUVD-2026-38221

An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains...

EUVD-2026-38127

Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmationurl parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting...

CVE-2026-56332

Capgo

EUVD-2026-38018

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0,...

CVE-2026-44915

CVE-2026-44915 is an open redirect vulnerability in Apache APISIX caused by an unsanitized cookie value in the cas-auth plugin. Affected versions are 3.0.0 through 3.16.0. The issue can enable phishing/credential theft. Mitigation: upgrade to version 3.17.0, which contains the fix.

CVE-2026-53436

A flaw was found in Jenkins. The system improperly validates redirect URLs after login, specifically when they contain relative path segments such as ./ or ../. This vulnerability allows attackers to craft malicious URLs that appear legitimate, leading to successful phishing attacks against users...

CVE-2026-12049

A flaw was found in pgAdmin 4. This open redirect vulnerability exists in the multi-factor authentication MFA flow. An authenticated user could be tricked into clicking a specially crafted link, which would redirect them to an attacker-controlled website. This could increase the success rate of...

CVE-2026-12049 pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter

Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next= -- a link typically...

CVE-2026-12049

CVE-2026-12049 affects pgAdmin 4. An open redirect vulnerability exists in the MFA flow where the next parameter is not validated against the current origin, allowing an authenticated user to be redirected to an attacker-controlled host via /mfa/validate?next=… This is a trusted-domain redirect r...

CVE-2026-10837

CVE-2026-10837 describes an open redirection vulnerability in a Password Manager caused by insufficient validation of the X-Forwarded-Host header. The issue allows an attacker to craft links that, when clicked by a victim, redirect to attacker-controlled domains, enabling phishing or deception wh...

PT-2026-49836

Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing...

EUVD-2026-35394

TYPO3 CMS has an Open Redirect Vulnerability via Core Utilities...

CVE-2026-50089

CVE-2026-50089 affects the Aqara IAM/SSO Gateway (gw-builder.aqara.com) and is described as an open redirect (CWE-601). The issue can be leveraged to conduct phishing via untrusted redirects. According to the sources, the CVSS v3.1 base score is 6.1 (Medium): Attack vector Network, Attack complex...

CVE-2026-50089 Aqara IAM/SSO Gateway open redirect

The Aqara IAM/SSO Gateway gw-builder.aqara.com provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 6.1 Medium, which can be used to set up a phishing attack...

EUVD-2026-36479

The Aqara IAM/SSO Gateway gw-builder.aqara.com provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 6.1 Medium, which can be used to set up a phishing attack...

CVE-2026-50089 Aqara IAM/SSO Gateway open redirect

The Aqara IAM/SSO Gateway gw-builder.aqara.com provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 6.1 Medium, which can be used to set up a phishing attack...

BIT-JENKINS-2026-53437

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between //, allowing attackers to perform phishing attacks...

PT-2026-48913

The Aqara IAM/SSO Gateway gw-builder.aqara.com provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 6.1 Medium, which can be used to set up a phishing attack...

CVE-2026-47347

Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This...

CVE-2026-53436

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments ./ or ../, allowing attackers to perform phishing attacks...