Total
1484 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-56962 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| An issue in Tencent Technology (Shanghai) Co., Ltd WeSing iOS v9.3.39 allows attackers to access sensitive user information via supplying a crafted link. | |||||
| CVE-2024-56969 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| An issue in Pixocial Technology (Singapore) Pte. Ltd BeautyPlus iOS 7.8.010 allows attackers to access sensitive user information via supplying a crafted link. | |||||
| CVE-2025-58067 | 2026-04-15 | N/A | 4.2 MEDIUM | ||
| Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.1, it is possible to redirect a user to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL. Normally the value of this URL is only written and read by the library or the calling application. However, it may be possible to set this session value from a malicious site with a form submission. Any Rails applications using the google_sign_in gem may be vulnerable, if this vector can be chained with another attack that is able to modify the OAuth2 request parameters. This issue has been patched in version 1.3.1. There are no workarounds. | |||||
| CVE-2024-56957 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| An issue in Kingsoft Office Software Corporation Limited WPS Office iOS 12.20.0 allows attackers to access sensitive user information via supplying a crafted link. | |||||
| CVE-2025-55060 | 2026-04-15 | N/A | 6.1 MEDIUM | ||
| CWE-601 URL Redirection to Untrusted Site ('Open Redirect') | |||||
| CVE-2024-39694 | 2026-04-15 | N/A | 4.7 MEDIUM | ||
| Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site. Note: by itself, this vulnerability does **not** allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could however exploit this vulnerability as part of a phishing attack designed to steal user credentials. This vulnerability is fixed in 7.0.6, 6.3.10, 6.2.5, 6.1.8, and 6.0.5. Duende.IdentityServer 5.1 and earlier and all versions of IdentityServer4 are no longer supported and will not be receiving updates. If upgrading is not possible, use `IUrlHelper.IsLocalUrl` from ASP.NET Core to validate return Urls in user interface code in the IdentityServer host. | |||||
| CVE-2025-64754 | 2026-04-15 | N/A | N/A | ||
| Jitsi Meet is an open source video conferencing application. A vulnerability present in versions prior to 2.0.10532 allows attackers to hijack the OAuth authentication window for Microsoft accounts. This is fixed in version 2.0.10532. No known workarounds are available. | |||||
| CVE-2025-7777 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| The mirror-registry doesn't properly sanitize the host header HTTP header in HTTP request received, allowing an attacker to perform malicious redirects to attacker-controlled domains or phishing campaigns. | |||||
| CVE-2024-22262 | 2026-04-15 | N/A | 8.1 HIGH | ||
| Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input. | |||||
| CVE-2025-2068 | 2026-04-15 | N/A | 5.0 MEDIUM | ||
| An open redirect vulnerability was reported in the FileZ client that could allow information disclosure if a crafted url is visited by a local user. | |||||
| CVE-2025-46826 | 2026-04-15 | N/A | N/A | ||
| insa-auth is an authentication server for INSA Rouen. A minor issue allowed third-party websites to access the server's secondary authentication bridge, potentially revealing basic student information (name and number). However, the issue posed minimal risk, was never exploited, and had limited impact. A fix was implemented promptly on May 3, 2025. | |||||
| CVE-2025-23183 | 2026-04-15 | N/A | 6.1 MEDIUM | ||
| CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | |||||
| CVE-2025-62716 | 2026-04-15 | N/A | 8.1 HIGH | ||
| Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim’s browser. The issue can be exploited without authentication and has severe impact, including information disclosure, and privilege escalation and modifications of administrative settings. This issue has been patched in version 1.1.0. | |||||
| CVE-2025-6197 | 2026-04-15 | N/A | 4.2 MEDIUM | ||
| An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL | |||||
| CVE-2024-46886 | 2026-04-15 | N/A | 4.7 MEDIUM | ||
| The web server of affected devices does not properly validate input that is used for a user redirection. This could allow an attacker to make the server redirect the legitimate user to an attacker-chosen URL. For a successful exploit, the legitimate user must actively click on an attacker-crafted link. | |||||
| CVE-2025-12789 | 2026-04-15 | N/A | 6.1 MEDIUM | ||
| A flaw was found in Red Hat Single Sign-On. This issue is an Open Redirect vulnerability that occurs during the logout process. The redirect_uri parameter associated with the openid-connect logout protocol does not properly validate the provided URL. | |||||
| CVE-2025-31821 | 2026-04-15 | N/A | 4.7 MEDIUM | ||
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in formsintegrations Integration of Zoho CRM and Contact Form 7 allows Phishing. This issue affects Integration of Zoho CRM and Contact Form 7: from n/a through 1.0.6. | |||||
| CVE-2020-36912 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Plexus anblick Digital Signage Management 3.1.13 contains an open redirect vulnerability in the 'PantallaLogin' script that allows attackers to manipulate the 'pagina' GET parameter. Attackers can craft malicious links that redirect users to arbitrary websites by exploiting improper input validation in the parameter. | |||||
| CVE-2024-43236 | 2026-04-15 | N/A | 4.7 MEDIUM | ||
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Easy PayPal Buy Now Button.This issue affects Easy PayPal Buy Now Button: from n/a through 1.9. | |||||
| CVE-2024-8526 | 2026-04-15 | N/A | N/A | ||
| A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously crafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection of the user to a malicious webpage via "index.jsp" | |||||