{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25198", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-01-30T02:36:15.737Z", "datePublished": "2026-02-05T07:38:31.763Z", "dateUpdated": "2026-02-05T15:05:15.192Z"}, "containers": {"cna": {"affected": [{"vendor": "web2py", "product": "web2py", "versions": [{"version": "2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack."}], "problemTypes": [{"descriptions": [{"description": "URL redirection to untrusted site ('Open Redirect')", "lang": "en-US", "cweId": "CWE-601", "type": "CWE"}]}], "references": [{"url": "https://github.com/web2py/web2py/commit/b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df"}, {"url": "https://github.com/web2py/web2py/releases"}, {"url": "https://web2py.com/"}, {"url": "https://jvn.jp/en/jp/JVN46925341/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-05T07:38:31.763Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T15:05:09.512715Z", "id": "CVE-2026-25198", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:05:15.192Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25198", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T15:05:09.512715Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:05:12.339Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "web2py", "product": "web2py", "versions": [{"status": "affected", "version": "2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior"}]}], "references": [{"url": "https://github.com/web2py/web2py/commit/b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df"}, {"url": "https://github.com/web2py/web2py/releases"}, {"url": "https://web2py.com/"}, {"url": "https://jvn.jp/en/jp/JVN46925341/"}], "descriptions": [{"lang": "en", "value": "web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-601", "description": "URL redirection to untrusted site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-05T07:38:31.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25198", "state": "PUBLISHED", "dateUpdated": "2026-02-05T15:05:15.192Z", "dateReserved": "2026-01-30T02:36:15.737Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-02-05T07:38:31.763Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack."}, {"lang": "es", "value": "Las versiones de web2py 2.27.1-stable+timestamp.2023.11.16.08.03.57 y anteriores contienen una vulnerabilidad de redirecci\u00f3n abierta. Si esta vulnerabilidad es explotada, el usuario puede ser redirigido a un sitio web arbitrario al acceder a una URL especialmente dise\u00f1ada. Como resultado, el usuario puede convertirse en v\u00edctima de un ataque de phishing."}], "id": "CVE-2026-25198", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-02-05T08:16:08.450", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://github.com/web2py/web2py/commit/b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df"}, {"source": "vultures@jpcert.or.jp", "url": "https://github.com/web2py/web2py/releases"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN46925341/"}, {"source": "vultures@jpcert.or.jp", "url": "https://web2py.com/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:02:45.868164+00:00", "value": {"mitigation_remediation": ["Upgrade web2py to the latest stable release (post\u20112023\u201111\u201116 timestamp) to apply the open\u2011redirect fix", "Modify or remove any redirect logic that accepts unsanitized user input; ensure destinations are validated against an allowlist of trusted hosts", "Disable or isolate legacy redirect endpoints in the application configuration to prevent accidental use of the vulnerable code pathway"], "summary": {"action": "Apply Patch", "impact": "Phishing via Open Redirect"}, "threat_synthesis": {"affected_systems": "The affected application is web2py. Versions up to and including 2.27.1\u2011stable+timestamp.2023.11.16.08.03.57 contain the flaw; all newer releases released after this timestamp are considered unaffected.", "description_and_impact": "web2py up to and including version 2.27.1\u2011stable+timestamp.2023.11.16.08.03.57 contains an open redirect flaw. A malicious actor can craft a URL that, when visited, causes the browser to be redirected to an arbitrary website. This redirect can be leveraged to deliver phishing pages, social\u2011engineering attacks, or other malicious content to unsuspecting users. The vulnerability does not directly expose sensitive data or allow code execution, but it does undermine trust and can lead to credential compromise if the phishing site is designed to mimic legitimate services.", "risk_and_exploitability": "The CVSS score of 5.1 reflects a moderate severity. The EPSS score of less than 1% indicates a low probability that the flaw will be actively exploited in the wild, and it is not listed in the CISA KEV catalog. The attack vector is remote, requiring an attacker to supply a crafted link that a victim clicks or navigates to. Once triggered, the redirect occurs automatically without further interaction, making it relatively easy to deploy in a phishing campaign."}}}}, "created": "2026-02-06T12:05:48.690113+00:00", "title": "Open Redirect Vulnerability Enabling Phishing in web2py", "updated": "2026-04-17T23:15:30.795311+00:00", "vendors": ["web2py", "web2py$PRODUCT$web2py"]}