Cyber Resilience

CWE · MITRE source

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base · CVEs in our corpus: 1,550

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 4 mapping(s) from 4 framework(s): ASVS 5.0 1 (full) · CAPEC 1 (partial) · OWASP-Web 1 (partial) · ATT&CK 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A01:2025 Broken Access Control.

NIST 800-53 r5 controls that address this weakness (2) [AI]

Control · Title · Family · Why it addresses this CWE
AT-2 · Literacy Training and Awareness · AT · Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.
SI-10 · Information Input Validation · SI · Validates redirect targets and URLs to ensure they conform to allowed destinations.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE · Risk · CVSS · EPSS · Published
CVE-2012-0518 (KEV) · 10.0 · 4.7 · 0.0466 · 2012-10-16
CVE-2021-38000 (KEV) · 10.0 · 6.1 · 0.0449 · 2021-11-23
CVE-2016-5385 · 8.0 · 8.1 · 0.5043 · 2016-07-19
CVE-2017-1000117 · 8.0 · 8.8 · 0.7782 · 2017-10-05
CVE-2018-11784 · 8.0 · 4.3 · 0.9449 · 2018-10-04
CVE-2019-10098 · 8.0 · 6.1 · 0.7398 · 2019-09-25
CVE-2020-1927 · 8.0 · 6.1 · 0.5669 · 2020-04-02
CVE-2020-8143 · 8.0 · 6.1 · 0.7039 · 2020-04-03
CVE-2021-22873 · 8.0 · 6.1 · 0.6614 · 2021-01-26
CVE-2021-22881 · 8.0 · 6.1 · 0.8730 · 2021-02-11
CVE-2021-28125 · 8.0 · 6.1 · 0.6377 · 2021-04-27
CVE-2022-1058 · 8.0 · 6.1 · 0.5318 · 2022-03-24
CVE-2022-45402 · 8.0 · 6.1 · 0.8184 · 2022-11-15
CVE-2023-32068 · 8.0 · 4.7 · 0.5507 · 2023-05-15
CVE-2025-4123 (UPD) · 8.0 · 7.6 · 0.9781 · 2025-05-22
CVE-2017-8989 · 7.0 · 9.1 · 0.0175 · 2018-08-06
CVE-2018-3774 · 7.0 · 10.0 · 0.0381 · 2018-08-12
CVE-2019-6741 · 7.0 · 9.3 · 0.0323 · 2019-06-03
CVE-2022-31657 · 7.0 · 9.8 · 0.0114 · 2022-08-05
CVE-2022-28755 · 7.0 · 9.6 · 0.0073 · 2022-08-11
CVE-2022-40083 · 7.0 · 9.6 · 0.0231 · 2022-09-28
CVE-2022-41559 · 7.0 · 9.3 · 0.0066 · 2022-12-06
CVE-2024-22891 (UPD) · 7.0 · 9.8 · 0.0169 · 2024-03-01
CVE-2022-36028 · 7.0 · 9.1 · 0.0036 · 2024-04-25
CVE-2022-36029 · 7.0 · 9.1 · 0.0041 · 2024-04-25