Total: 1334 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57872 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | 6.1 Medium |
| There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. | ||||
| CVE-2025-54088 | 1 Absolute | 1 Secure Access | 2025-10-16 | 6.1 Medium |
| CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the console can redirect victims to an arbitrary URL. The attack complexity is low, attack requirements are present, no privileges are required, and users must actively participate in the attack. Impact to confidentiality is low and there is no impact to integrity or availability. There are high severity impacts to confidentiality, integrity, availability in subsequent systems. | ||||
| CVE-2024-4940 | 1 Gradio Project | 1 Gradio | 2025-10-15 | 6.1 Medium |
| An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page. | ||||
| CVE-2024-46886 | | | 2025-10-14 | 4.7 Medium |
| The web server of affected devices does not properly validate input that is used for a user redirection. This could allow an attacker to make the server redirect the legitimate user to an attacker-chosen URL. For a successful exploit, the legitimate user must actively click on an attacker-crafted link. | ||||
| CVE-2025-0705 | 1 Joeybling | 1 Bootplus | 2025-10-10 | 4.3 Medium |
| A vulnerability has been found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d and classified as problematic. Affected by this vulnerability is the function qrCode of the file src/main/java/io/github/controller/QrCodeController.java. The manipulation of the argument text leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. | ||||
| CVE-2025-0970 | 1 Zenvia | 1 Movidesk | 2025-10-10 | 4.3 Medium |
| A vulnerability was found in Zenvia Movidesk up to 25.01.22. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /Account/Login. The manipulation of the argument ReturnUrl leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 25.01.22.245a473c54 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-40630 | 1 Icewarp | 1 Mail Server | 2025-10-09 | 6.1 Medium |
| Open redirection vulnerability in IceWarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to redirect a user to any domain by sending a malicious URL to the victim, for example 'https://icewarp.domain.com//<MALICIOUS_DOMAIN>/%2e%2e' or 'https://icewarp.domain.com///%2e%2e'. This vulnerability has been tested in Firefox. | ||||
| CVE-2025-3027 | 1 Primekey | 1 Ejbca | 2025-10-09 | 6.1 Medium |
| The vulnerability exists in the EJBCA service, version 8.0 Enterprise. By making a small change to the PATH of the URL associated with the service, the server fails to find the requested file and redirects to an external page. This vulnerability could allow users to be redirected to potentially malicious external sites, which can be exploited for phishing or other social engineering attacks. | ||||
| CVE-2025-11240 | 1 Knime | 1 Business Hub | 2025-10-08 | 7.2 High |
| An open redirect vulnerability existed in KNIME Business Hub prior to version 1.16.0. An unauthenticated remote attacker could craft a link to a legitimate KNIME Business Hub installation which, when opened by the user, redirects the user to a page of the attacker's choice. This might open the possibility for phishing or other similar attacks. The problem has been fixed in KNIME Business Hub 1.16.0. | ||||
| CVE-2025-59426 | 1 Lobehub | 1 Lobe Chat | 2025-10-08 | 4.3 Medium |
| Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain. This issue has been patched in version 1.130.1. | ||||
| CVE-2025-61606 | 1 Wegia | 1 Wegia | 2025-10-07 | 6.1 Medium |
| WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain an Open Redirect vulnerability, identified in the control.php endpoint, specifically in the nextPage parameter (metodo=listarUm&nomeClasse=FuncionarioControle). This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft. This issue is fixed in version 3.5.0. | ||||
| CVE-2025-61587 | 1 Weblate | 1 Weblate | 2025-10-07 | 6.1 Medium |
| Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a victim to an attacker-controlled site. The redirect can also be used to initiate drive-by downloads (redirecting to a URL that serves a malicious file), increasing the risk to end users. This issue is fixed in version 5.13.3. | ||||
| CVE-2025-0608 | 1 Logo Software | 1 Logo Cloud | 2025-10-06 | 5.5 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Logo Software Inc. Logo Cloud allows Phishing, Forceful Browsing. This issue affects Logo Cloud: before 2025.R6. | ||||
| CVE-2024-1440 | 1 Wso2 | 3 Api Manager, Identity Server, Identity Server As Key Manager | 2025-10-06 | 5.4 Medium |
| An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions. | ||||
| CVE-2024-46481 | 1 Venki | 1 Supravizio Bpm | 2025-10-03 | 7.2 High |
| The login page of Venki Supravizio BPM up to 18.1.1 is vulnerable to open redirect leading to reflected XSS. | ||||
| CVE-2024-55017 | 1 Corezoid | 1 Corezoid | 2025-10-02 | 7.5 High |
| Account Takeover in Corezoid 6.6.0 in the OAuth2 implementation via an open redirect in the redirect_uri parameter allows attackers to intercept authorization codes and gain unauthorized access to victim accounts. | ||||
| CVE-2025-25198 | 1 Mailcow | 2 Mailcow, Mailcow Dockerized | 2025-10-01 | 7.1 High |
| mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings. | ||||
| CVE-2025-25012 | 1 Elastic | 1 Kibana | 2025-09-30 | 4.3 Medium |
| URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL. | ||||
| CVE-2025-55625 | 1 Reolink | 1 Reolink | 2025-09-26 | 6.3 Medium |
| An open redirect vulnerability in Reolink v4.54.0.4.20250526 allows attackers to redirect users to a malicious site via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior that supports redirection to Alexa URLs, which are not guaranteed to remain at the same domain indefinitely. | ||||
| CVE-2025-58006 | 2 Crm Perks, Wordpress | 2 Wp Gravity Forms Keap/infusionsoft, Wordpress | 2025-09-25 | 4.7 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft allows Phishing. This issue affects WP Gravity Forms Keap/Infusionsoft: from n/a through 1.2.4. | ||||