Open Redirect in Feathersjs Feathers
CVE-2026-27191
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, the redirect query parameter is appended to the base origin without validation, allowing attackers to steal…
Vulnerability class: Open Redirect
EPSS: 0.000 (1.6th percentile)
Affected products
- Feathersjs Feathers — versions < 5.0.40
Weakness classification (CWE)
References
- https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p (x_refsource_CONFIRM)
- https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401 (x_refsource_MISC)
- https://github.com/feathersjs/feathers/releases/tag/v5.0.40 (x_refsource_MISC)