CWE-601 · URL Redirection to Untrusted Site (Open Redirect)

1547 CVEs classified under CWE-601 (URL Redirection to Untrusted Site (Open Redirect)).

Top CVEs for CWE-601
CVE | Severity | Score | Published | Summary
--- | --- | --- | --- | ---
CVE-2018-3774 | Critical | 10.0 | 2018-08-12 | Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protoco…
CVE-2019-25282 | Critical | 9.8 | 2026-01-08 | V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. Attack…
CVE-2020-36912 | Critical | 9.8 | 2026-01-06 | Plexus anblick Digital Signage Management 3.1.13 contains an open redirect vulnerability in the 'PantallaLogin' script that allows attackers to manipulate the…
CVE-2025-43526 | Critical | 9.8 | 2025-12-17 | This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac with Lockdown Mode enabled, web content o…
CVE-2025-55031 | Critical | 9.8 | 2025-08-19 | Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have…
CVE-2025-50578 | Critical | 9.8 | 2025-07-30 | LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An un…
CVE-2024-22891 | Critical | 9.8 | 2024-03-01 | Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link.
CVE-2022-31657 | Critical | 9.8 | 2022-08-05 | VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. A malicious actor with network access may be able to redirect an authen…
CVE-2026-54588 | Critical | 9.6 | 2026-06-23 | Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header…
CVE-2026-53662 | Critical | 9.6 | 2026-06-23 | immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulner…
CVE-2026-43941 | Critical | 9.6 | 2026-05-08 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler p…
CVE-2026-6795 | Critical | 9.6 | 2026-05-07 | URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issu…
CVE-2026-34931 | Critical | 9.6 | 2026-04-02 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. Wi…
CVE-2022-40083 | Critical | 9.6 | 2022-09-28 | Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attacker…
CVE-2022-28755 | Critical | 9.6 | 2022-08-11 | The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.11.0 are susceptible to a URL parsing vulnerability. If a malicious…
CVE-2026-33102 | Critical | 9.3 | 2026-04-23 | URL redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.
CVE-2022-41559 | Critical | 9.3 | 2022-12-06 | The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains an easily exploitable vulnerability that allows an unauthenticated attacker with networ…
CVE-2019-6741 | Critical | 9.3 | 2019-06-03 | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to January 2019 Security Update (SM…
CVE-2025-54145 | Critical | 9.1 | 2025-08-19 | The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme…
CVE-2024-33661 | Critical | 9.1 | 2024-04-26 | Portainer before 2.20.0 allows redirects when the target is not index.yaml.