Total: 1418 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-54144 | 1 Mozilla | 1 Firefox | 2026-04-13 | N/A | 5.4 MEDIUM |
| The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link. This vulnerability was fixed in Firefox for iOS 141. | |||||
| CVE-2025-3859 | 1 Mozilla | 1 Firefox Focus | 2026-04-13 | N/A | 6.1 MEDIUM |
| Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage. This vulnerability was fixed in Focus 138. | |||||
| CVE-2025-3522 | 1 Mozilla | 1 Thunderbird | 2026-04-13 | N/A | 6.3 MEDIUM |
| Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2. | |||||
| CVE-2025-27426 | 2 Apple, Mozilla | 2 Iphone Os, Firefox | 2026-04-13 | N/A | 5.4 MEDIUM |
| Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability was fixed in Firefox for iOS 136. | |||||
| CVE-2025-27424 | 2 Apple, Mozilla | 2 Iphone Os, Firefox | 2026-04-13 | N/A | 4.3 MEDIUM |
| Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page. This vulnerability was fixed in Firefox for iOS 136. | |||||
| CVE-2025-0244 | 1 Mozilla | 1 Firefox | 2026-04-13 | N/A | 5.3 MEDIUM |
| When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability was fixed in Firefox 134. | |||||
| CVE-2026-35473 | 1 Wegia | 1 Wegia | 2026-04-10 | N/A | 6.1 MEDIUM |
| WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IentradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9. | |||||
| CVE-2026-35474 | 1 Wegia | 1 Wegia | 2026-04-10 | N/A | 6.1 MEDIUM |
| WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an open redirect was found in the WeGIA web app. The redirect parameter is taken directly from $_GET with no URL validation or whitelist check, then used verbatim in a header("Location: ...") call. This vulnerability is fixed in 3.6.9. | |||||
| CVE-2026-35475 | 1 Wegia | 1 Wegia | 2026-04-10 | N/A | 6.1 MEDIUM |
| WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, the redirect parameter is taken directly from $_GET with no URL validation or whitelist check, then used verbatim in a header("Location: ...") call. This vulnerability is fixed in 3.6.9. | |||||
| CVE-2025-61166 | 1 Ascertia | 1 Signinghub | 2026-04-10 | N/A | 6.1 MEDIUM |
| An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect users to a malicious site via a crafted URL. | |||||
| CVE-2026-25477 | 1 Affine | 1 Affine | 2026-04-10 | N/A | 6.1 MEDIUM |
| AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to bypass the whitelist by using malicious domains that end with a trusted string. This issue has been patched in version 0.26.0. | |||||
| CVE-2026-33510 | 1 Homarr | 1 Homarr | 2026-04-09 | N/A | 8.8 HIGH |
| Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0. | |||||
| CVE-2026-35396 | 1 Wegia | 1 Wegia | 2026-04-09 | N/A | 6.1 MEDIUM |
| WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IsaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9. | |||||
| CVE-2026-35398 | 1 Wegia | 1 Wegia | 2026-04-09 | N/A | 6.1 MEDIUM |
| WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos & listarId_Nome and nomeClasse=OrigemControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9. | |||||
| CVE-2026-35472 | 1 Wegia | 1 Wegia | 2026-04-09 | N/A | 6.1 MEDIUM |
| WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.9. | |||||
| CVE-2023-6812 | 1 Wpcompress | 1 Wp Compress | 2026-04-08 | N/A | 4.3 MEDIUM |
| The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 6.20.01. This is due to insufficient validation on the redirect URL supplied via the 'css' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. | |||||
| CVE-2022-1209 | 1 Ultimatemember | 1 Ultimate Member | 2026-04-08 | 3.5 LOW | 4.3 MEDIUM |
| The Ultimate Member plugin for WordPress is vulnerable to arbitrary redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1. | |||||
| CVE-2024-4445 | 1 Wpcompress | 1 Wp Compress | 2026-04-08 | N/A | 6.5 MEDIUM |
| The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments. | |||||
| CVE-2024-3597 | 1 Myrecorp | 1 Export Wp Page To Static Html/css | 2026-04-08 | N/A | 7.1 HIGH |
| The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.2.2. This is due to insufficient validation on the redirect URL supplied via the rc_exported_zip_file parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. | |||||
| CVE-2021-4348 | 1 Createit | 1 Ultimate Gdpr & Ccpa Compliance Toolkit | 2026-04-08 | N/A | 7.5 HIGH |
| The Ultimate GDPR & CCPA plugin for WordPress is vulnerable to unauthenticated settings import and export via the export_settings & import_settings functions in versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to change plugin settings and conduct attacks such as redirecting visitors to malicious sites. | |||||
