CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

We have discovered 1,400,052 live websites that are affected by CWE-601.

Available Reports

Website List

CVEs

Count - 89

CWE References

cwe.mitre.org

Website Distribution by Country

Number of websites using CWE-601

United States	282,974 websites

Germany	134,524 websites
Japan	115,073 websites
France	89,152 websites
Italy	78,097 websites
Russia	62,961 websites
GB	56,085 websites
Spain	45,506 websites
Poland	43,250 websites
Netherlands	42,461 websites

Website Distribution by TLD

Number of websites using CWE-601

.com	538,968 websites
.de	76,230 websites
.it	54,655 websites
.ru	50,809 websites
.org	44,442 websites
.nl	37,263 websites
.fr	36,329 websites
.co.uk	35,604 websites
.net	34,687 websites
.pl	32,855 websites

Newest CVEs

List of the most recent CVEs that are part of CWE-601

Discovered	CVE	Description	Websites
Apr, 2026	CVE-2026-32932	Chamilo LMS has an Open Redirect via Unvalidated 'page' Parameter in Session Course Edit	9
Apr, 2026	CVE-2026-25854	Apache Tomcat: Occasionally open redirect	1,697
Mar, 2026	CVE-2026-32113	Discourse: Open redirect via `sso_destination_url` cookie in `enter`	909
Mar, 2026	CVE-2026-33868	Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'	1,153
Mar, 2026	CVE-2026-33885	Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential	1
Mar, 2026	CVE-2026-21295	Adobe Commerce \| URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)	56
Mar, 2026	CVE-2026-28106	WordPress B2BKing Premium plugin < 5.4.20 - Open Redirection vulnerability	45
Feb, 2026	CVE-2026-27191	Feathers: Open Redirect in OAuth callback enables account takeover	1
Feb, 2026	CVE-2026-1277	URL Shortify <= 1.12.1 - Unauthenticated Open Redirect via 'redirect_to' Parameter	2,257
Feb, 2026	CVE-2026-1296	Frontend Post Submission Manager Lite <= 1.2.7 - Unauthenticated Open Redirect via 'requested_page' Parameter	380

The most widespread CVEs

List of the most common CVEs that are part of CWE-601

Discovered	CVE	Description	Websites
Jun, 2024	CVE-2024-4704	Contact Form 7 < 5.9.5 - Unauthenticated Open Redirect	1,339,937
Aug, 2025	CVE-2025-55207	@astrojs/node's trailing slash handling causes open redirect issue	19,491
Feb, 2026	CVE-2026-25149	Qwik City Open Redirect via fixTrailingSlash	11,125
Jan, 2021	CVE-2021-22873	Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` ...	5,196
Apr, 2020	CVE-2020-8143	An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by Hac...	5,166
May, 2022	CVE-2022-1209	Ultimate Member <= 2.3.1 - Arbitrary Redirect	3,875
Aug, 2025	CVE-2025-54793	Astro: Duplicate trailing slash feature can lead to Open Redirects	3,356
May, 2019	CVE-2019-5433	A user having access to the UI of a Revive Adserver instance could be tricked into clicking on a spe...	3,102
Apr, 2024	CVE-2024-1849	WP Customer Reviews < 3.7.1 - Malicious Redirect via HTTP-EQUIV Injection	2,837
Jul, 2024	CVE-2024-4882	URL Redirection to Arbitrary Site Exists in Sitefinity	2,564

Websites affected by CWE-601

Top websites that are affected by CWE-601. Please click on the "Contact us" link to get more information.

Domain	Country	Rank
*********.com	United States	***
****.br	Brazil	***
*****.net	Canada	***
******.**.com	United States	***
**.cn	China	***
*****.net	Germany	***
************.com	United States	,**
**********.com	United States	,**
**.****.jp	Japan	,**
********.com	Singapore	,**

See full domain list