CWE-601(URL Redirection to Untrusted Site ('Open Redirect'))は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE カタログからの補足説明(MITRE XHTML を基に表示)。
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Web Based | Undetermined | — |
| technology | Web Server | — | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-21826 | 2026-06-05 | HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected w… |
| CVE-2026-10861 | 2026-06-04 | An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination wi… |
| CVE-2026-10856 | 2026-06-04 | A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation r… |
| CVE-2026-43924 | 2026-06-03 | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs befor… |
| CVE-2026-41569 | 2026-06-02 | authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL… |
| CVE-2026-40181 | 2026-06-02 | React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to pa… |
| CVE-2026-45278 | 2026-06-01 | Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses t… |
| CVE-2026-40961 | 2026-06-01 | A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-c… |
| CVE-2026-49380 | 2026-05-29 | In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible |
| CVE-2026-45307 | 2026-05-28 | Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urljo… |
| CVE-2026-44681 | 2026-05-27 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorizat… |
| CVE-2026-45335 | 2026-05-27 | WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically thr… |
| CVE-2026-49059 | 2026-05-27 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0. |
| CVE-2026-48924 | 2026-05-27 | Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. |
| CVE-2026-44833 | 2026-05-26 | Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header … |
| CVE-2026-48589 | 2026-05-25 | Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could… |
| CVE-2026-44598 | 2026-05-25 | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha … |
| CVE-2026-47070 | 2026-05-25 | Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the… |
| CVE-2026-48832 | 2026-05-24 | action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability. |
| CVE-2026-40295 | 2026-05-22 | Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referr… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Alternate_Terms, Background_Details, Description, Detection_Factors, Likelihood_of_Exploit, Name, Relationships, Observed_Example, Taxonomy_Mappings |
| 2008-10-03 | CWE Content Team | 1.1 | — | updated References and Observed_Examples |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Alternate_Terms, Observed_Examples, References |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Relationships |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Name |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Applicable_Platforms, Common_Consequences, Detection_Factors, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
| 2010-04-05 | CWE Content Team | 1.8.1 | — | updated Demonstrative_Examples |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Common_Consequences, Potential_Mitigations, References, Relationships |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Potential_Mitigations |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2011-06-27 | CWE Content Team | 2.0 | — | updated Relationships |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Potential_Mitigations, References |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2013-07-17 | CWE Content Team | 2.5 | — | updated References, Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Detection_Factors, Relationships, Taxonomy_Mappings |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Related_Attack_Patterns |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Relationships, Type |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Applicable_Platforms, Potential_Mitigations, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Potential_Mitigations |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Observed_Examples |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Related_Attack_Patterns |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Description, Detection_Factors, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Demonstrative_Examples |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated Alternate_Terms, Common_Consequences, Description, Diagram, Other_Notes |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Alternate_Terms, Common_Consequences, Detection_Factors, Potential_Mitigations, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |
| タイプ | 名称 | 日付 | コメント |
|---|---|---|---|
| Content | Michal Biesiada | 2023-11-25 | suggested that CWE include drive-by downloads and contributed references |