CVE-2026-48589
Severity CVSS v4.0:
NONE
Type:
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Publication date:
25/05/2026
Last modified:
28/05/2026
Description
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.<br />
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.<br />
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Impact
Base Score 4.0
0.00
Severity 4.0
NONE
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.2.1 (excluding) |
| cpe:2.3:a:apache:shiro:3.0.0:alpha1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page



