Description
web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
Published: 2026-02-05
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Phishing via Open Redirect
Action: Apply Patch
AI Analysis

Impact

web2py up to and including version 2.27.1‑stable+timestamp.2023.11.16.08.03.57 contains an open redirect flaw (CWE-601). An attacker can craft a URL whose hostname is the legitimate web2py site but which, when visited, redirects the browser to an arbitrary destination of the attacker's choosing. Because the link appears to point at a trusted site, it can be used to deliver phishing pages, social‑engineering lures or other malicious content to users who would otherwise scrutinise the destination. The vulnerability does not by itself expose sensitive data or allow code execution, but it undermines trust in the application's URLs and can lead to credential compromise if the target site mimics the legitimate service.

Affected Systems

The affected application is web2py. Versions up to and including 2.27.1‑stable+timestamp.2023.11.16.08.03.57 contain the flaw; releases carrying a later timestamp are reported as unaffected. The advisory text reproduced here does not name the specific fixed version.

Risk and Exploitability

The score of 5.1 is the CVSS v4.0 base score (the v3.0 vector scores 4.7); both reflect moderate severity with an integrity-only impact on the redirected user rather than on the server. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment records it as not automatable with no known exploitation. The attack vector is network-based and unauthenticated, but it requires user interaction (UI:R in v3.0, UI:A in v4.0): an attacker must supply a crafted link that a victim clicks or navigates to. Once the link is opened, the redirect happens automatically with no further interaction, which is what makes an open redirect convenient for phishing campaigns. A low EPSS should not be read as low risk for organisations whose users are actively targeted by phishing.

Generated by OpenCVE AI on April 17, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade web2py to a release later than the 2023‑11‑16 timestamp; the advisory text here does not name the fixed version, so confirm it against GHSA-rf8c-3f5p-xv45 before relying on an upgrade alone
  • Modify or remove any redirect logic that accepts unsanitized user input; validate destinations against an allowlist of trusted hosts, prefer same‑origin relative paths, and reject scheme‑relative (`//host`) and backslash (`/\host`) variants that browsers treat as absolute URLs
  • Disable or isolate legacy redirect endpoints in the application configuration to prevent accidental use of the vulnerable code path, and log rejected redirect targets so attempted abuse is visible to operations
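The following is an added, illustrative example of the allowlist check recommended above; it is not web2py's own code and does not reproduce the vulnerable code path, which the advisory does not describe. The parameter name `next`, the hostname `app.example.com` and the sample inputs are assumptions constructed for the demonstration. The validator accepts only same-origin absolute paths or absolute URLs whose host is on an explicit allowlist, and it rejects the common bypass shapes (scheme-relative `//host`, backslash `/\host`, `///host`, userinfo tricks such as `https://trusted@evil`, non-http schemes and embedded tab or newline characters that browsers strip before parsing).

```python
"""Allowlist-based redirect target validation (illustrative, not web2py code).

An open redirect (CWE-601) arises when an application forwards the browser to a
destination taken from the request without checking it. `is_safe_redirect`
shows one defensive check; `resolve_redirect` shows how a handler would use it.
"""
from urllib.parse import urlsplit

# Assumption: the application's own host(s). Compare hostnames only; add a port
# check if the deployment listens on a non-default port that matters.
ALLOWED_HOSTS = {"app.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-origin path or an allowlisted URL."""
    if not isinstance(target, str) or not target:
        return False
    # Browsers strip tabs/newlines and leading C0 controls before parsing, so
    # "/\t/evil" becomes "//evil". Reject anything containing control characters.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" like "/" in URLs, so "/\evil.example" is really
    # "//evil.example", a scheme-relative URL. Normalise before parsing.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    # Only http(s) is acceptable; this blocks javascript:, data:, vbscript:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or scheme-relative URL: the host must be on the allowlist.
        # parts.hostname strips userinfo and port, so
        # "https://app.example.com@evil.example/" yields "evil.example".
        host = parts.hostname
        return host is not None and host in allowed_hosts
    # No authority component: require an absolute path on this origin.
    # "//x" and "///x" are excluded because browsers parse both as an authority.
    return normalised.startswith("/") and not normalised.startswith("//")


def resolve_redirect(next_param, fallback="/"):
    """Value a handler should place in the Location header for a `next` parameter.

    The unsafe pattern is `redirect(request.vars.next)` with no check; the
    hardened pattern falls back to a known-good path when the check fails.
    """
    return next_param if is_safe_redirect(next_param) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = [
        "/dashboard",                               # same-origin path: allowed
        "https://app.example.com/account",          # allowlisted host: allowed
        "//evil.example/phish",                     # scheme-relative: rejected
        "/\\evil.example",                          # backslash variant: rejected
        "///evil.example",                          # extra slashes: rejected
        "https://app.example.com@evil.example/",    # userinfo trick: rejected
        "/\t/evil.example",                         # embedded tab: rejected
        "javascript:alert(1)",                      # non-http scheme: rejected
    ]
    for s in samples:
        print(f"{s!r:45} -> {resolve_redirect(s)!r}")
```

In a real handler the fallback should be a fixed internal path (for example the account home), never another request-controlled value, and rejected targets are worth logging since a burst of them usually means someone is probing for exactly this class of bug.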

Generated by OpenCVE AI on April 17, 2026 at 23:02 UTC.


Advisories
Source       ID                    Title
GitHub GHSA  GHSA-rf8c-3f5p-xv45   web2py has an Open Redirect Vulnerability
History

Fri, 17 Apr 2026 23:30:00 +0000

Type    Values Removed    Values Added
Title                     Open Redirect Vulnerability Enabling Phishing in web2py

Fri, 06 Feb 2026 12:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Web2py
                                       Web2py web2py
Vendors & Products                     Web2py
                                       Web2py web2py

Thu, 05 Feb 2026 15:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 07:45:00 +0000

Type          Values Removed    Values Added
Description                     web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
Weaknesses                      CWE-601
References
Metrics                         cvssV3_0
                                {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}
                                cvssV4_0
                                {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-05T15:05:15.192Z

Reserved: 2026-01-30T02:36:15.737Z

Link: CVE-2026-25198

Vulnrichment

Updated: 2026-02-05T15:05:12.339Z

NVD

Status : Deferred

Published: 2026-02-05T08:16:08.450

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses