807 matches found
JumpServer - Open Redirect via Referer Header
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. id:...
ZZcms - Cross-Site Scripting
ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks. id: CVE-2020-20285 info: name: ZZcms -...
CVE-2026-55794
Craft CMS is a content management system CMS. In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries...
CVE-2026-55794
Craft CMS
libcurl 8.18.0 < 8.21.0 Persistent Referer Header Information Disclosure
The version of libcurl installed on the remote host is 8.18.0 prior to 8.21.0. It is, therefore, affected by an information disclosure vulnerability: - A vulnerability in libcurl caused the HTTP Referer header to persist even when explicitly cleared, potentially leaking sensitive information to...
PT-2026-52624
Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.31 Description An open redirect issue exists due to the use of a substring check instead of a host check within the str contains$referer, CACTI PATH URL logic. When the login opts variable is set to '1', the auth...
UBUNTU-CVE-2026-9546
A vulnerability in libcurl caused the HTTP Referer: header to persist even when explicitly cleared. While the documentation states that passing NULL to CURLOPTREFERER suppresses the header, the option failed to clear the internal state. As a result, the previous referrer string was erroneously...
CURL-CVE-2026-9546 sending old referer
A vulnerability in libcurl caused the HTTP Referer: header to persist even when explicitly cleared. While the documentation states that passing NULL to CURLOPTREFERER suppresses the header, the option failed to clear the internal state. As a result, the previous referrer string was erroneously...
Microsoft SharePoint Server - Authentication Bypass (ToolShell)
Microsoft Office SharePoint Server contains an improper authentication vulnerability that allows unauthorized attackers to perform spoofing over a network. By crafting a POST request to /layouts/15/ToolPane.aspx with a forged Referer header /layouts/SignOut.aspx, attackers can bypass authenticati...
Astra Linux – Vulnerability in curl
curl 7.1.1 up to and including 7.75.0 is vulnerable to a “Exposure of Private Personal Information to an Unauthorized Actor” by leaking credentials in the HTTP Referer: header. libcurl does not remove user credentials from the URL when automatically filling in the Referer: HTTP request header fie...
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
internal/web/operators.go:251 — after handleOperatorCreateAPIKey mints a fresh 32-byte bearer token, the redirect points the operator's browser at: /ui/operators/?newkey=&keyname= The raw API key ends up: - in the browser's URL history - in the Referer header on every cross-origin asset the detai...
PT-2026-48602
Name of the Vulnerable Software and Affected Versions nebula-mesh versions prior to 0.3.2 Description After the handleOperatorCreateAPIKey function in internal/web/operators.go:251 generates a 32-byte bearer token, the application redirects the browser to the endpoint /ui/operators/?new key=&key...
Erlang/OTP -- httpc leaks authentication headers on cross-host redirect
https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh reports: The HTTP client httpc in inets now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port, following the requirements of RFC 9110 section...
CVE-2026-48589
A flaw was found in Apache Shiro's Jakarta EE module. Insufficient validation of the HTTP Referer header, a client-controlled value, could allow an attacker to influence the redirect target after a user login. This vulnerability can be exploited to redirect users to malicious sites, potentially...
CVE-2026-40295
Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureAppredirecturl method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET...
CVE-2026-40598
Mantis Bug Tracker MantisBT is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page retrieved from the request's Referer header allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode...
CVE-2026-35572
ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts SSRF by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the attacker-controlled domain,...
Shopware SSO referer trust leading to an arbitrary redirect target
Description This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In t...
GHSA-4X3X-869W-XX3M Shopware SSO referer trust leading to an arbitrary redirect target
Description This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In t...
PT-2026-46888
Description This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In t...