Total
1183 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-50578 | 2025-07-30 | N/A | 9.8 CRITICAL | ||
| LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application. | |||||
| CVE-2025-52897 | 2025-07-30 | N/A | 6.5 MEDIUM | ||
| GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19. | |||||
| CVE-2024-21684 | 1 Atlassian | 1 Bitbucket Data Center | 2025-07-30 | N/A | 4.3 MEDIUM |
| There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2. This open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, allows an unauthenticated attacker to redirect a victim user upon login to Bitbucket Data Center to any arbitrary site which can be utilized for further exploitation which has low impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Bitbucket Data Center customers upgrade to the version. If you are unable to do so, upgrade your instance to one of the supported fixed versions. | |||||
| CVE-2024-4940 | 1 Gradio Project | 1 Gradio | 2025-07-29 | N/A | 6.1 MEDIUM |
| An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page. | |||||
| CVE-2024-1183 | 1 Gradio Project | 1 Gradio | 2025-07-29 | N/A | 6.5 MEDIUM |
| An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response. | |||||
| CVE-2025-54414 | 2025-07-29 | N/A | N/A | ||
| Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3. | |||||
| CVE-2025-44109 | 2025-07-25 | N/A | 5.4 MEDIUM | ||
| A URL redirection in Pinokio v3.6.23 allows attackers to redirect victim users to attacker-controlled pages. | |||||
| CVE-2025-50477 | 2025-07-25 | N/A | 5.4 MEDIUM | ||
| A URL redirection in lbry-desktop v0.53.9 allows attackers to redirect victim users to attacker-controlled pages. | |||||
| CVE-2025-4296 | 2025-07-25 | N/A | 4.7 MEDIUM | ||
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in HotelRunner B2B allows Forceful Browsing.This issue affects B2B: before 04.06.2025. | |||||
| CVE-2025-8129 | 2025-07-25 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-5492 | 1 Citrix | 2 Netscaler Application Delivery Controller, Netscaler Gateway | 2025-07-25 | N/A | 6.1 MEDIUM |
| Open redirect vulnerability allows a remote unauthenticated attacker to redirect users to arbitrary websites in NetScaler ADC and NetScaler Gateway | |||||
| CVE-2024-6149 | 1 Citrix | 1 Workspace | 2025-07-25 | N/A | 6.1 MEDIUM |
| Redirection of users to a vulnerable URL in Citrix Workspace app for HTML5 | |||||
| CVE-2025-50067 | 1 Oracle | 1 Application Express | 2025-07-24 | N/A | 9.0 CRITICAL |
| Vulnerability in Oracle Application Express (component: Strategic Planner Starter App). Supported versions that are affected are 24.2.4 and 24.2.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Application Express. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H). | |||||
| CVE-2025-7863 | 2025-07-22 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in thinkgem JeeSite up to 5.12.0 and classified as problematic. Affected by this issue is the function redirectUrl of the file src/main/java/com/jeesite/common/web/http/ServletUtils.java. The manipulation of the argument url leads to open redirect. The attack may be launched remotely. The name of the patch is 3d06b8d009d0267f0255acc87ea19d29d07cedc3. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2025-7949 | 2025-07-22 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in Sanluan PublicCMS up to 5.202506.a. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDiy/preview.html. The manipulation of the argument url leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named c1e79f124e3f4c458315d908ed7dee06f9f12a76/f1af17af004ca9345c6fe4d5936d87d008d26e75. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2025-6023 | 2025-07-22 | N/A | 7.6 HIGH | ||
| An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01 | |||||
| CVE-2025-6197 | 2025-07-22 | N/A | 4.2 MEDIUM | ||
| An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL | |||||
| CVE-2025-7785 | 2025-07-22 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic was found in thinkgem JeeSite up to 5.12.0. This vulnerability affects the function sso of the file src/main/java/com/jeesite/modules/sys/web/SsoController.java. The manipulation of the argument redirect leads to open redirect. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 3d06b8d009d0267f0255acc87ea19d29d07cedc3. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2025-7763 | 2025-07-22 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, was found in thinkgem JeeSite up to 5.12.0. Affected is the function select of the file src/main/java/com/jeesite/modules/cms/web/SiteController.java of the component Site Controller. The manipulation of the argument redirect leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 3d06b8d009d0267f0255acc87ea19d29d07cedc3. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2025-7953 | 2025-07-22 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS up to 5.202506.a. This issue affects some unknown processing of the file publiccms-parent/publiccms/src/main/webapp/resource/plugins/pdfjs/viewer.html. The manipulation of the argument File leads to open redirect. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named f1af17af004ca9345c6fe4d5936d87d008d26e75. It is recommended to apply a patch to fix this issue. | |||||