CWE-601: Open Redirect

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.

262 total CVEs | 8 critical | 48 high | 5.9 average CVSS

Yearly Trend (CVE count by year; 2026 is a partial year, the latest entry on this page is dated Feb 18, 2026)

2026: 35
2025: 149
2024: 56
2023: 18
2022: 2

Top Affected Vendors (CVE count)

1. Wegia: 7
2. Adobe: 7
3. Mozilla: 7
4. SAP: 6
5. Liferay: 4
6. Microsoft: 4
7. Red Hat: 4
8. SolarWinds: 3
9. Esri: 3
10. Sir: 3

All Open Redirect CVEs (262 in the database, sorted by CVSS score; the first 50 are shown here)

CVE ID | CVSS | Date

CVE-2025-43526 | 9.8 | Dec 17, 2025
A URL validation vulnerability in macOS and Safari allows web content opened via file URLs to bypass Lockdown Mode restrictions and access Web APIs th...

CVE-2025-55031 | 9.8 | Aug 19, 2025
This vulnerability in Firefox and Focus for iOS allows malicious web pages to trigger hybrid passkey transport via FIDO links. An attacker within Blue...

CVE-2024-22891 | 9.8 | Mar 1, 2024
CVE-2024-22891 is a critical remote code execution vulnerability in Nteract v0.28.0 that allows attackers to execute arbitrary code by exploiting mali...

CVE-2025-54145 | 9.1 | Aug 19, 2025
This vulnerability in Firefox for iOS allows malicious websites to be opened automatically when users scan QR codes containing specially crafted URLs....

CVE-2024-33661 | 9.1 | Apr 26, 2024
CVE-2024-33661 is a URL redirection vulnerability in Portainer before version 2.20.0, allowing attackers to redirect users to malicious sites when the...

CVE-2022-36028 | 9.1 | Apr 25, 2024
CVE-2022-36028 is an open redirect vulnerability in Greenlight, the web interface for BigBlueButton servers. Attackers can manipulate the 'return_to' ...

CVE-2026-0573 | 9.0 | Feb 18, 2026
An authenticated attacker on GitHub Enterprise Server could exploit an insecure URL redirect in the repository_pages API to leak privileged JWT tokens...

CVE-2025-50067 | 9.0 | Jul 15, 2025
This vulnerability in Oracle Application Express allows low-privileged attackers with network access to compromise the system via HTTP, requiring huma...

CVE-2025-24381 | 8.8 | Mar 28, 2025
Dell Unity storage systems version 5.4 and earlier contain an open redirect vulnerability that allows unauthenticated attackers to redirect users to m...

CVE-2024-45981 | 8.8 | Sep 26, 2024
A host header injection vulnerability in BookReviewLibrary 1.0 allows attackers to craft malicious password reset links that redirect users to attacke...

CVE-2024-45979 | 8.8 | Sep 26, 2024
A host header injection vulnerability in Lines Police CAD 1.0 allows attackers to manipulate password reset links to steal reset tokens. Attackers can...

CVE-2024-26504 | 8.8 | May 1, 2024
CVE-2024-26504 is an open redirect vulnerability in Wifire Hotspot v4.5.3 that allows a local attacker to execute arbitrary code via a crafted payload...

CVE-2023-20886 | 8.8 | Oct 31, 2023
This CVE is an open redirect vulnerability in VMware Workspace ONE UEM console that allows attackers to redirect victims to malicious sites and potent...

CVE-2023-39371 | 8.8 | Sep 3, 2023
StarTrinity Softswitch version 2023-02-16 contains an open redirect vulnerability (CWE-601) that allows attackers to redirect users to malicious websi...

CVE-2024-11274 | 8.7 | Dec 12, 2024
This vulnerability allows attackers to inject NEL (Network Error Logging) headers into Kubernetes proxy responses in GitLab, potentially leading to se...

CVE-2024-38211 | 8.2 | Aug 13, 2024
This vulnerability allows attackers to inject malicious scripts into Microsoft Dynamics 365 (on-premises) web pages, which are then executed in victim...

CVE-2023-5629 | 8.2 | Dec 14, 2023
This CVE describes an open redirect vulnerability (CWE-601) in Schneider Electric products that allows attackers to redirect users to malicious websit...

CVE-2023-5986 | 8.2 | Nov 15, 2023
This vulnerability allows attackers to redirect users to malicious websites after successful login by manipulating URL parameters. It affects Schneide...

CVE-2023-4964 | 8.2 | Oct 30, 2023
This CVE describes an open redirect vulnerability in OpenText Service Management Automation X (SMAX) and Asset Management X (AMX) that could allow att...

CVE-2023-24892 | 8.2 | Mar 14, 2023
This vulnerability allows attackers to spoof URLs in Microsoft Edge WebView2, potentially tricking users into visiting malicious sites. It affects app...

CVE-2022-38657 | 8.2 | Feb 12, 2023
This vulnerability allows attackers to redirect users to malicious websites by exploiting the Feedback action on the manager page. It affects HCL soft...

CVE-2025-64101 | 8.1 | Oct 29, 2025
This vulnerability allows attackers to hijack password reset links in Zitadel identity management software by manipulating HTTP headers. Attackers can...

CVE-2025-48936 | 8.1 | May 30, 2025
This vulnerability allows attackers to hijack password reset links in Zitadel identity management software by manipulating HTTP headers. Attackers can...

CVE-2024-6377 | 8.1 | Aug 20, 2024
This CVE describes an open redirect vulnerability in 3DPassport within 3DSwymer (part of 3DEXPERIENCE platform) that allows attackers to craft malicio...

CVE-2024-22262 | 8.1 | Apr 16, 2024
This vulnerability in Spring Framework's UriComponentsBuilder allows attackers to bypass URL host validation through specially crafted input. Applicat...

CVE-2024-22259 | 8.1 | Mar 16, 2024
Spring Framework applications using UriComponentsBuilder to parse external URLs with host validation are vulnerable to open redirect and SSRF attacks....

CVE-2023-25734 | 8.1 | Jun 2, 2023
This vulnerability allows attackers to craft malicious Windows .url shortcut files that, when downloaded and opened in Firefox on Windows, can trigger...

CVE-2025-6238 | 8.0 | Jul 4, 2025
The AI Engine WordPress plugin version 2.8.4 contains an open redirect vulnerability in its OAuth implementation. Unauthenticated attackers can redire...

CVE-2025-9072 | 7.6 | Sep 15, 2025
Mattermost SAML authentication redirect vulnerability allows attackers to steal user session cookies via malicious links. When users authenticate thro...

CVE-2024-51321 | 7.6 | Mar 11, 2025
This vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows attackers to redirect authenticated users to malicious websites by manipulating the m_cURL ...

CVE-2025-68616 | 7.5 | Jan 19, 2026
WeasyPrint versions before 68.0 contain an SSRF protection bypass vulnerability in the default_url_fetcher. Attackers can exploit HTTP redirects to ac...

CVE-2024-4773 | 7.5 | May 14, 2024
This vulnerability in Firefox allows attackers to spoof websites by exploiting a network error during page loading. When a network error occurs, previ...

CVE-2023-49240 | 7.5 | Dec 6, 2023
This CVE describes an unauthorized access vulnerability in the launcher module of Huawei/HarmonyOS devices. Successful exploitation allows attackers t...

CVE-2021-4348 | 7.5 | Jun 7, 2023
The Ultimate GDPR & CCPA WordPress plugin has an unauthenticated settings import/export vulnerability in versions up to 2.4. Attackers can modify plug...

CVE-2022-24794 | 7.5 | Mar 31, 2022
This vulnerability in Express OpenID Connect middleware allows attackers to redirect users to malicious websites after authentication. It affects user...

CVE-2026-24052 | 7.4 | Feb 3, 2026
CVE-2026-24052 is a URL validation bypass vulnerability in Claude Code's trusted domain verification. Attackers could register malicious subdomains th...

CVE-2025-2824 | 7.4 | Aug 1, 2025
This CVE describes an open redirect vulnerability in IBM Operational Decision Manager that allows attackers to conduct phishing attacks. By tricking u...

CVE-2025-3155 | 7.4 | Apr 3, 2025
CVE-2025-3155 is a vulnerability in Yelp (the GNOME help application) that allows malicious help documents to execute arbitrary scripts. This could en...

CVE-2025-23363 | 7.4 | Feb 11, 2025
This CVE describes an open redirect vulnerability in Siemens Teamcenter's SSO login service across multiple versions. An attacker can craft malicious ...

CVE-2022-48358 | 7.4 | Mar 27, 2023
CVE-2022-48358 is a URL redirection vulnerability in Huawei's BatteryHealthActivity component that allows malicious apps to cause service exceptions. ...

CVE-2021-30888 | 7.4 | Aug 24, 2021
This vulnerability allows malicious websites to bypass Content Security Policy (CSP) protections and leak sensitive information through redirect behav...

CVE-2026-0508 | 7.3 | Feb 10, 2026
This vulnerability in SAP BusinessObjects Business Intelligence Platform allows authenticated high-privilege attackers to insert malicious URLs that r...

CVE-2022-24739 | 7.3 | Mar 8, 2022
CVE-2022-24739 is a vulnerability in AllTube (an HTML frontend for youtube-dl) that allows attackers to craft malicious HTML pages to trigger either o...

CVE-2025-11240 | 7.2 | Oct 2, 2025
An open redirect vulnerability in KNIME Business Hub allows unauthenticated attackers to craft malicious links that redirect users to attacker-control...

CVE-2024-13888 | 7.2 | Feb 20, 2025
The WPMobile.App WordPress plugin contains an open redirect vulnerability that allows unauthenticated attackers to redirect users to malicious website...

CVE-2024-46481 | 7.2 | Jan 13, 2025
The login page of Venki Supravizio BPM up to version 18.1.1 contains an open redirect vulnerability that can be exploited to perform reflected cross-s...

CVE-2021-32805 | 7.2 | Sep 8, 2021
CVE-2021-32805 is an open redirect vulnerability in Flask-AppBuilder's OAuth implementation. Attackers can craft URLs that redirect users from trusted...

CVE-2025-20317 | 7.1 | Aug 27, 2025
An unauthenticated remote attacker can exploit insufficient endpoint verification in Cisco IMC's vKVM connection handling to redirect users to malicio...

CVE-2025-25198 | 7.1 | Feb 12, 2025
This vulnerability in mailcow: dockerized allows attackers to manipulate the Host HTTP header during password reset requests, generating malicious res...

CVE-2025-24868 | 7.1 | Feb 11, 2025
This vulnerability allows unauthenticated attackers to craft malicious links that redirect victims to attacker-controlled websites when clicked. It af...

About Open Redirect (CWE-601)

An open redirect exists when a web application takes a user-controlled value that names a destination URL (typically a parameter such as next, return_to, redirect_uri or RelayState) and sends the browser there without verifying that the destination is one the application intends to serve. The CWE entry describes it as a link to an external site used in a redirect; in practice any destination the attacker chooses counts, including non-http schemes such as javascript: or app-specific URL schemes.

On its own the bug is a phishing aid: the link starts at a trusted hostname and ends on the attacker's host. The entries above show why many are scored higher than a phishing helper. A redirect issued in the middle of a login or single-sign-on flow can carry the session cookie or token to the attacker's host (Mattermost CVE-2025-9072, GitHub Enterprise Server CVE-2026-0573). Password-reset links built from attacker-controlled request headers deliver the reset token to the attacker (BookReviewLibrary CVE-2024-45981, Lines Police CAD CVE-2024-45979, Zitadel CVE-2025-64101 and CVE-2025-48936, mailcow CVE-2025-25198). A server-side fetcher that follows redirects lets an open redirect defeat SSRF host checks (WeasyPrint CVE-2025-68616). The two Spring Framework UriComponentsBuilder entries (CVE-2024-22259, CVE-2024-22262) show that the host validation itself is a frequent point of failure: the validator and the browser must agree on how forms such as "//host", "\host", "user@host" and "https:host" parse, and the host must be compared exactly rather than by prefix or suffix.

Our database tracks 262 CVEs classified as CWE-601, with 8 rated critical and 48 rated high severity. The average CVSS score for Open Redirect vulnerabilities is 5.9.
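The following is an added example (not code from this database or from any vendor listed above) showing the CWE-601 pattern in a redirect handler next to one way to harden it. It assumes a Python web application that serves only app.example.com and reads the destination from a parameter such as next; the host name, function names and the attacker payloads at the bottom are constructed for illustration. The payloads are the bypass classes a validator has to handle: scheme-relative, backslash, userinfo, host-suffix, control-character and scheme-without-authority forms.

```python
"""CWE-601 worked example: a naive redirect handler beside a hardened one.

Added illustrative code, not taken from any product listed on this page.
Assumptions: the application is served only as app.example.com, and the
redirect target arrives in a query parameter such as `next` or `return_to`.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}  # assumed: hosts this app legitimately serves


def vulnerable_location(next_param: str) -> str:
    """The CWE-601 pattern: the parameter becomes the Location header unchanged."""
    return next_param


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only same-site paths or absolute http(s) URLs on an allowed host.

    The checks follow the same approach as Django's
    url_has_allowed_host_and_scheme(); this is a re-implementation for
    illustration, not Django's code.
    """
    if not target:
        return False
    # Browsers strip ASCII tab/newline from URLs and treat "\" as "/", so
    # "/\t/evil" and "/\\evil" both become "//evil". Refuse anything that
    # needs such normalisation rather than trying to replicate it exactly.
    if any(ord(ch) < 0x21 for ch in target):
        return False
    target = target.replace("\\", "/")
    # "//host" and "///host" are scheme-relative URLs: they leave the site.
    if target.startswith("//"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False            # javascript:, data:, custom app schemes
    if parts.scheme and not parts.netloc:
        return False            # "https:evil.example" -> https://evil.example
    if parts.netloc:
        # Exact host match on .hostname, which drops userinfo and port and
        # lower-cases, so "https://app.example.com@evil.example" yields
        # "evil.example" and "app.example.com.evil.example" is not a match.
        return parts.hostname in allowed_hosts
    return target.startswith("/")   # plain same-site path


def safe_location(next_param: str, fallback: str = "/") -> str:
    """Hardened handler: fall back to a fixed page instead of trusting input."""
    return next_param if is_safe_redirect_target(next_param) else fallback


# Stronger still: accept a key, never a URL. The map is server-side data.
NAMED_TARGETS = {"dashboard": "/dashboard", "settings": "/account/settings"}


def named_location(key: str, fallback: str = "/") -> str:
    """Redirect by name; unknown keys go to the fallback page."""
    return NAMED_TARGETS.get(key, fallback)


# Constructed attacker inputs covering the usual validator bypass classes.
BYPASS_PAYLOADS = [
    "https://evil.example/",
    "//evil.example",
    "///evil.example",
    "/\\evil.example",
    "https:evil.example",
    "https://app.example.com@evil.example/",
    "https://app.example.com.evil.example/",
    "javascript:alert(document.cookie)",
    "/\t/evil.example",
]

if __name__ == "__main__":
    for payload in BYPASS_PAYLOADS:
        print(f"{payload!r:42} naive -> {vulnerable_location(payload)!r:42} "
              f"hardened -> {safe_location(payload)!r}")
```

Run the file to see the naive handler echo every payload into Location while the hardened one falls back to /. Where the set of post-login destinations is known, prefer the named-target map: it removes the URL parser from the trust boundary entirely. Password-reset and OAuth callback links must likewise be built from a configured canonical base URL, never from the request's Host header, which is the variant behind the Zitadel, mailcow, BookReviewLibrary and Lines Police CAD entries above.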

External reference: CWE-601 on MITRE CWE, https://cwe.mitre.org/data/definitions/601.html
