CVE-2026-48589

Severity CVSS v4.0:
NONE
Type:
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Publication date:
25/05/2026
Last modified:
28/05/2026

Description

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.<br /> In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.<br /> This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:* 2.0.0 (including) 2.2.1 (excluding)
cpe:2.3:a:apache:shiro:3.0.0:alpha1:*:*:*:*:*:*