CWE · MITRE source
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 4 mapping(s) from 4 framework(s): ASVS 5.0 1 (full) · CAPEC 1 (partial) · OWASP-Web 1 (partial) · ATT&CK 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (2) [AI]
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AT-2 | Literacy Training and Awareness | AT | Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites. |
| SI-10 | Information Input Validation | SI | Validates redirect targets and URLs to ensure they conform to allowed destinations. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2012-0518 [KEV] | 10.0 | 4.7 | 0.0466 | 2012-10-16 |
| CVE-2021-38000 [KEV] | 10.0 | 6.1 | 0.0449 | 2021-11-23 |
| CVE-2016-5385 | 8.0 | 8.1 | 0.5043 | 2016-07-19 |
| CVE-2017-1000117 | 8.0 | 8.8 | 0.7782 | 2017-10-05 |
| CVE-2018-11784 | 8.0 | 4.3 | 0.9449 | 2018-10-04 |
| CVE-2019-10098 | 8.0 | 6.1 | 0.7398 | 2019-09-25 |
| CVE-2020-1927 | 8.0 | 6.1 | 0.5669 | 2020-04-02 |
| CVE-2020-8143 | 8.0 | 6.1 | 0.7039 | 2020-04-03 |
| CVE-2021-22873 | 8.0 | 6.1 | 0.6614 | 2021-01-26 |
| CVE-2021-22881 | 8.0 | 6.1 | 0.8730 | 2021-02-11 |
| CVE-2021-28125 | 8.0 | 6.1 | 0.6377 | 2021-04-27 |
| CVE-2022-1058 | 8.0 | 6.1 | 0.5318 | 2022-03-24 |
| CVE-2022-45402 | 8.0 | 6.1 | 0.8184 | 2022-11-15 |
| CVE-2023-32068 | 8.0 | 4.7 | 0.5507 | 2023-05-15 |
| CVE-2025-4123 [UPD] | 8.0 | 7.6 | 0.9781 | 2025-05-22 |
| CVE-2017-8989 | 7.0 | 9.1 | 0.0175 | 2018-08-06 |
| CVE-2018-3774 | 7.0 | 10.0 | 0.0381 | 2018-08-12 |
| CVE-2019-6741 | 7.0 | 9.3 | 0.0323 | 2019-06-03 |
| CVE-2022-31657 | 7.0 | 9.8 | 0.0114 | 2022-08-05 |
| CVE-2022-28755 | 7.0 | 9.6 | 0.0073 | 2022-08-11 |
| CVE-2022-40083 | 7.0 | 9.6 | 0.0231 | 2022-09-28 |
| CVE-2022-41559 | 7.0 | 9.3 | 0.0066 | 2022-12-06 |
| CVE-2024-22891 [UPD] | 7.0 | 9.8 | 0.0169 | 2024-03-01 |
| CVE-2022-36028 | 7.0 | 9.1 | 0.0036 | 2024-04-25 |
| CVE-2022-36029 | 7.0 | 9.1 | 0.0041 | 2024-04-25 |