CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Extended context from the CWE catalog (rendered from MITRE XHTML).
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Web Based | Undetermined | — |
| technology | Web Server | — | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-43924 | 2026-06-03 | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs befor… |
| CVE-2026-41569 | 2026-06-02 | authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL… |
| CVE-2026-40181 | 2026-06-02 | React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to pa… |
| CVE-2026-45278 | 2026-06-01 | Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses t… |
| CVE-2026-40961 | 2026-06-01 | A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-c… |
| CVE-2026-49380 | 2026-05-29 | In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible |
| CVE-2026-45307 | 2026-05-28 | Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urljo… |
| CVE-2026-44681 | 2026-05-27 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorizat… |
| CVE-2026-45335 | 2026-05-27 | WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically thr… |
| CVE-2026-49059 | 2026-05-27 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0. |
| CVE-2026-48924 | 2026-05-27 | Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. |
| CVE-2026-44833 | 2026-05-26 | Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header … |
| CVE-2026-48589 | 2026-05-25 | Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could… |
| CVE-2026-44598 | 2026-05-25 | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha … |
| CVE-2026-47070 | 2026-05-25 | Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the… |
| CVE-2026-48832 | 2026-05-24 | action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability. |
| CVE-2026-40295 | 2026-05-22 | Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referr… |
| CVE-2026-2813 | 2026-05-20 | ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue by sending a specially crafted request, Successful exploitatio… |
| CVE-2026-7504 | 2026-05-19 | A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially… |
| CVE-2025-65954 | 2026-05-18 | SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter to redirec… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Alternate_Terms, Background_Details, Description, Detection_Factors, Likelihood_of_Exploit, Name, Relationships, Observed_Example, Taxonomy_Mappings |
| 2008-10-03 | CWE Content Team | 1.1 | — | updated References and Observed_Examples |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Alternate_Terms, Observed_Examples, References |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Relationships |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Name |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Applicable_Platforms, Common_Consequences, Detection_Factors, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
| 2010-04-05 | CWE Content Team | 1.8.1 | — | updated Demonstrative_Examples |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Common_Consequences, Potential_Mitigations, References, Relationships |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Potential_Mitigations |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2011-06-27 | CWE Content Team | 2.0 | — | updated Relationships |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Potential_Mitigations, References |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2013-07-17 | CWE Content Team | 2.5 | — | updated References, Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Detection_Factors, Relationships, Taxonomy_Mappings |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Related_Attack_Patterns |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Relationships, Type |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Applicable_Platforms, Potential_Mitigations, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Potential_Mitigations |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Observed_Examples |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Related_Attack_Patterns |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Description, Detection_Factors, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Demonstrative_Examples |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated Alternate_Terms, Common_Consequences, Description, Diagram, Other_Notes |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Alternate_Terms, Common_Consequences, Detection_Factors, Potential_Mitigations, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |
| Type | Name | Date | Comment |
|---|---|---|---|
| Content | Michal Biesiada | 2023-11-25 | suggested that CWE include drive-by downloads and contributed references |