CVE list for this MITRE ATT&CK attack path. Use the CVSS and EPSS risk scores together with the publication timeline to decide what to patch first and what to track next.
| CVE | Description | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-25779 | Gitea versions up to and including 1.25.4 allow redirect bypasses through raw or percent-encoded backslashes in redirect_to values. | N/A | N/A | 2026-07-03 | 2026-07-03 |
| CVE-2026-41106 | Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network. | 9.3 | N/A | 2026-07-02 | 2026-07-02 |
| CVE-2026-55660 | Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source and post messages using non-specific target or | 7.6 | 0.20% | 2026-07-01 | 2026-07-02 |
| CVE-2026-58520 | URL redirection to untrusted site ('open redirect') vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing. This issue affects Mediawiki - UrlShortener Extension: from * before 1.43.9, 1.44.6, 1.45.4. | 6.9 | 0.26% | 2026-07-01 | 2026-07-01 |
| CVE-2026-58450 | Invoice Ninja through 5.13.26 contains an open redirect vulnerability in the client portal login that allows unauthenticated attackers to redirect authenticated victims to attacker-controlled external URLs by injecting a malicious value into the intended query parameter. Attackers can craft a client login link with an external URL in the intended parameter, which is stored in the session without host validation and emitted verbatim via a bare redirect in the ContactLoginController authenticated( | 5.3 | 0.18% | 2026-06-30 | 2026-07-02 |
| CVE-2026-10562 | An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web server, these inputs may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains. This issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829. | 5.9 | 0.30% | 2026-06-30 | 2026-07-02 |
| CVE-2026-40080 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil. | 6.1 | 0.15% | 2026-06-25 | 2026-06-29 |
| CVE-2026-52802 | Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite function are vulnerable. The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. This vulnerability is fi | 5.4 | 0.55% | 2026-06-24 | 2026-06-25 |
| CVE-2026-13163 | Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid sign | 5.3 | 0.33% | 2026-06-24 | 2026-06-25 |
| CVE-2026-54588 | Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An unauthenticated attacker can poison the `redirect_uri` sent to the Identity Provider, causing the IdP to redirect the victim's authorization code to an attacker-controlled server - resulting in full account | 9.6 | 0.31% | 2026-06-23 | 2026-06-25 |
| CVE-2026-47377 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/…) also satisfy that check, so a crafted link silently redirected visitors to an attacker-controlled origin. This vulnerability is fixed in 2026.04.1. | 5.1 | 0.24% | 2026-06-23 | 2026-06-25 |
| CVE-2026-53662 | immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payl | 9.6 | 0.24% | 2026-06-23 | 2026-06-25 |
| CVE-2026-56697 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft. | 5.3 | 0.18% | 2026-06-22 | 2026-06-25 |
| CVE-2026-56326 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. Attackers can bypass external-host checks using path-normalization techniques to redirect users to attacker-controlled sites via the Location header or meta-refresh, enabling phishing and OAuth authorization-code theft. | 5.3 | 0.20% | 2026-06-22 | 2026-06-25 |
| CVE-2026-44889 | WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab, carriage return, and newline characters before parsing, so a redirect target containing such characters can be reinterpreted as a protocol-relative URL whose authority is an attacker-contro | 6.1 | 0.17% | 2026-06-22 | 2026-06-26 |
| CVE-2026-41479 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any redirect URI validation. As a result, an attacker does not need a valid client registration, an authenticated user, or any prior state. | 5.4 | 0.15% | 2026-06-22 | 2026-06-26 |
| CVE-2026-54276 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse. This | 6.3 | 0.18% | 2026-06-22 | 2026-06-30 |
| CVE-2026-12863 | An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains. | 5.1 | 0.23% | 2026-06-22 | 2026-06-23 |
| CVE-2026-12804 | A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. Applying a patch is the recommended action to fix this issue. The vendor confirms, that "it has been fixed some days ago and | 2.1 | 0.26% | 2026-06-21 | 2026-06-22 |
| CVE-2026-56332 | Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks. | 5.1 | 0.18% | 2026-06-20 | 2026-06-22 |
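Nearly every entry above is the same defect with a different bypass: a redirect target is accepted after a check that is too weak (a substring match instead of a host match, `startsWith('/')` that also admits `//host`, a prefix check that backslashes or `/..//` slip past, tab/CR/LF characters that `urlsplit` strips before parsing, or a callback URL built from the attacker-controlled `Host` header). The validator below is an added example written for this page, not code from any of the listed projects; the allowlist, the `CANONICAL_BASE` value and the function names are assumptions chosen for illustration. It checks both the raw and the percent-decoded form of the target, requires an exact host match for absolute URLs, and only accepts single-slash local paths without dot segments for relative ones.

```python
"""Allowlist-based redirect-target validation (added example, not from any listed project).

Each check maps to a bypass class named in the CVE table:
  - raw or percent-encoded backslashes           (Gitea, Gogs)
  - protocol-relative //host and ///host         (NocoDB, Nuxt reloadNuxtApp)
  - path-normalisation payloads /..//host        (Nuxt navigateTo)
  - tab/CR/LF stripped by urlsplit               (WebOb)
  - substring instead of exact host comparison   (Cacti)
  - host-header-derived callback URLs            (Poweradmin)
"""
from urllib.parse import unquote, urlsplit

# Constructed configuration for the example; a real deployment loads its own
# canonical hostnames from config rather than deriving them from the request.
ALLOWED_HOSTS = {"app.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
CANONICAL_BASE = "https://app.example.com"

# Python 3.10+ urlsplit silently removes tab, CR and LF before parsing, so a
# string containing them will not be parsed the way it looks. Backslashes are
# treated as slashes by browsers in http(s) URLs, so they are rejected outright.
FORBIDDEN_CHARS = set("\t\r\n\\")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allowlisted host (or is local)."""
    if not target:
        return False
    # Validate the raw string and its percent-decoded form: a server or browser
    # may decode %5C (backslash) or %2F (slash) before interpreting the URL.
    for form in (target, unquote(target)):
        if FORBIDDEN_CHARS & set(form):
            return False
        parts = urlsplit(form)
        if parts.scheme or parts.netloc:
            # Absolute (or protocol-relative) URL: scheme must be http(s) and
            # the parsed hostname must match the allowlist exactly, which also
            # defeats userinfo tricks such as https://good.host@evil.host/.
            if parts.scheme.lower() not in ALLOWED_SCHEMES:
                return False
            host = (parts.hostname or "").lower()
            if host not in allowed_hosts:
                return False
        else:
            # Relative URL: exactly one leading slash (so //host and ///host are
            # refused) and no "." or ".." segments that a later normalisation
            # step could collapse into a protocol-relative URL.
            if not form.startswith("/") or form.startswith("//"):
                return False
            if any(seg in (".", "..") for seg in parts.path.split("/")):
                return False
    return True


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a fixed local default."""
    return target if is_safe_redirect(target) else default


def build_callback_url(path: str) -> str:
    """Build OIDC/SAML/logout callback URLs from configured canonical base,
    never from the request's Host header."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("callback path must be a single-slash local path")
    return CANONICAL_BASE + path


if __name__ == "__main__":
    # Constructed sample inputs covering the bypass classes in the table.
    samples = [
        "/dashboard?next=1", "https://app.example.com/dashboard",
        "//evil.com", "///evil.com", "/..//evil.com", "/.//evil.com",
        "/\\evil.com", "/%5Cevil.com", "/%2F%2Fevil.com",
        "https://evil.com/cacti/", "https://app.example.com@evil.com/",
        "javascript:alert(1)", "/\t//evil.com",
    ]
    for s in samples:
        print(f"{s!r:45} -> {'allow' if is_safe_redirect(s) else 'reject'}")
```

The important design choice is that the allowlist comparison is exact and runs on the parsed hostname, never on the raw string: `https://evil.com/cacti/` contains `/cacti/` but its hostname is `evil.com`, and `https://app.example.com@evil.com/` contains the allowed name but its hostname is still `evil.com`. Rejecting dot segments in relative paths is stricter than strictly necessary, but it removes the whole class of "normalise, then re-check" mistakes.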