Impact
Speakr 0.8.20-alpha and earlier contain an Open Redirect flaw caused by a mismatch between the internal is_safe_url validation helper and the value passed to the redirect() function. The validator first applies urljoin() to combine the host URL with the raw target before parsing, so a scheme-relative redirect such as ////evil.com is considered safe. However, the raw target is sent unmodified to the HTTP Location header, which browsers resolve as a network-path-relative URL pointing to an attacker-controlled domain. This allows an attacker to craft links that appear to redirect to the host but actually send the user to a malicious site.
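To make the mismatch concrete, the following added example (written for this page, not code taken from Speakr) contrasts a validator shaped like the flawed pattern with a hardened one that checks the raw value actually emitted in Location. The function names is_safe_url_vulnerable, is_safe_url_hardened and location_for_redirect, and the host URL, are constructed for illustration; the hardened variant is one reasonable fix, not the project's own patch.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample host URL for the examples below (not a real deployment).
HOST_URL = "http://speakr.example.test/"


def is_safe_url_vulnerable(host_url: str, target: str) -> bool:
    """Validator shaped like the flawed pattern the advisory describes:
    urljoin() is applied to the raw target BEFORE parsing, so a
    network-path reference such as '////evil.com' is folded into the host
    (urlparse('////evil.com') yields netloc='' and path='//evil.com',
    which urljoin() then attaches to the host's netloc)."""
    ref = urlparse(host_url)
    test = urlparse(urljoin(host_url, target))
    return test.scheme in ("http", "https") and ref.netloc == test.netloc


def is_safe_url_hardened(target: str) -> bool:
    """Validate the RAW value that will be placed in the Location header.

    Accepts only path-absolute references such as '/dashboard?x=1' and
    rejects anything a browser could resolve to another origin."""
    # Browsers strip tabs/newlines and treat '\' like '/' for http(s),
    # so refuse control and whitespace characters outright.
    if any(ord(c) < 0x21 or c == "\x7f" for c in target):
        return False
    parsed = urlparse(target)
    # Absolute URLs (http://, javascript:, data:, ...) carry a scheme or netloc.
    if parsed.scheme or parsed.netloc:
        return False
    # Must start with a single '/', i.e. be path-absolute but not a
    # network-path reference: '//', '/\\' and '\\' all change the host.
    if not target.startswith("/"):
        return False
    if target.startswith(("//", "/\\")):
        return False
    return True


def location_for_redirect(host_url: str, target: str, hardened: bool) -> str:
    """Return what a post-login handler would emit in the Location header:
    the raw target when validation passes, otherwise a fixed fallback."""
    if hardened:
        ok = is_safe_url_hardened(target)
    else:
        ok = is_safe_url_vulnerable(host_url, target)
    return target if ok else "/"


if __name__ == "__main__":
    for candidate in ("/dashboard", "//evil.com", "////evil.com", "/\\evil.com"):
        print(
            f"{candidate!r:16} vulnerable -> {location_for_redirect(HOST_URL, candidate, False)!r:16}"
            f" hardened -> {location_for_redirect(HOST_URL, candidate, True)!r}"
        )
```

The vulnerable validator correctly rejects http://evil.com/ and //evil.com, because urljoin() keeps their netloc; it only fails on the multi-slash form, which Python's parser reads as an empty netloc plus a path. The hardened version never looks at the joined URL at all, so the value it approves is exactly the value sent to the browser.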
Affected Systems
The vulnerability affects the Speakr personal web transcription application developed by murtaza-nasir. All releases prior to 0.8.20-alpha are impacted; the fix was introduced in version 0.8.20-alpha and later. No other vendors or third-party libraries are known to be affected.
Risk and Exploitability
The CVSS base score of 6.1 indicates medium severity. The EPSS score is not available and the vulnerability is not listed in CISA KEV, suggesting it is not currently a known target. The attack requires a user to be authenticated and to click or otherwise trigger a post-login redirect, or for an attacker to influence the next parameter in a link; the pattern suggests that the most realistic exploitation vector is through a malicious redirect link sent to a legitimate user. Because the flaw does not provide arbitrary code execution, the risk is limited to phishing and loss of user trust.
OpenCVE Enrichment