CWE-601 · URL Redirection to Untrusted Site (Open Redirect)
1547 CVEs classified under CWE-601 (URL Redirection to Untrusted Site (Open Redirect)). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2018-3774 | Critical | 10.0 | 2018-08-12 | Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protoco… |
| CVE-2019-25282 | Critical | 9.8 | 2026-01-08 | V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. Attack… |
| CVE-2020-36912 | Critical | 9.8 | 2026-01-06 | Plexus anblick Digital Signage Management 3.1.13 contains an open redirect vulnerability in the 'PantallaLogin' script that allows attackers to manipulate the… |
| CVE-2025-43526 | Critical | 9.8 | 2025-12-17 | This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac with Lockdown Mode enabled, web content o… |
| CVE-2025-55031 | Critical | 9.8 | 2025-08-19 | Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have… |
| CVE-2025-50578 | Critical | 9.8 | 2025-07-30 | LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An un… |
| CVE-2024-22891 | Critical | 9.8 | 2024-03-01 | Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. |
| CVE-2022-31657 | Critical | 9.8 | 2022-08-05 | VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. A malicious actor with network access may be able to redirect an authen… |
| CVE-2026-54588 | Critical | 9.6 | 2026-06-23 | Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header… |
| CVE-2026-53662 | Critical | 9.6 | 2026-06-23 | immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulner… |
| CVE-2026-43941 | Critical | 9.6 | 2026-05-08 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler p… |
| CVE-2026-6795 | Critical | 9.6 | 2026-05-07 | URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issu… |
| CVE-2026-34931 | Critical | 9.6 | 2026-04-02 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. Wi… |
| CVE-2022-40083 | Critical | 9.6 | 2022-09-28 | Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attacker… |
| CVE-2022-28755 | Critical | 9.6 | 2022-08-11 | The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.11.0 are susceptible to a URL parsing vulnerability. If a malicious… |
| CVE-2026-33102 | Critical | 9.3 | 2026-04-23 | Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2022-41559 | Critical | 9.3 | 2022-12-06 | The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains an easily exploitable vulnerability that allows an unauthenticated attacker with networ… |
| CVE-2019-6741 | Critical | 9.3 | 2019-06-03 | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to January 2019 Security Update (SM… |
| CVE-2025-54145 | Critical | 9.1 | 2025-08-19 | The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme… |
| CVE-2024-33661 | Critical | 9.1 | 2024-04-26 | Portainer before 2.20.0 allows redirects when the target is not index.yaml. |