EXECUTIVE SUMMARY:
A moderate severity open redirect vulnerability, CVE-2026-25198, was discovered in the Web2py full-stack Python web framework. Specially crafted URLs can cause the application to redirect users to harmful websites, creating phishing and social engineering risks by luring them into interacting with malicious content. The weakness stems from unvalidated redirect behaviour and can be abused by unauthenticated remote attackers simply by enticing a user to click a manipulated link, potentially leading to credential compromise or, if combined with other flaws, further exploitation. Users are strongly advised to upgrade to the fixed releases, which enforce stricter validation of redirect targets, to mitigate unintended redirection and protect application integrity and user trust. The vulnerability has a CVSS score of 5.1.
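The mitigation the summary calls for, validating a redirect target before honouring it, as an added Python example that is neither web2py's code nor the project's actual fix: a helper that accepts only site-relative paths or http(s) URLs whose host is on an allow-list and returns a safe default for everything else. The function name, the allow-list and the sample inputs are assumptions made for the example.

```python
# Added example, not web2py's own code or its actual fix: validate a
# user-supplied redirect target so only same-site destinations are used.
# Function name, allow-list and sample inputs are constructed here.
from urllib.parse import urlsplit, urlunsplit

SAFE_DEFAULT = "/"


def safe_redirect_target(target, allowed_hosts=frozenset(), default=SAFE_DEFAULT):
    """Return `target` if it stays on this site, otherwise `default`.

    Accepted: relative paths ("/account?x=1") and http(s) URLs whose host
    is in `allowed_hosts` (lower-case names). Rejected: "//evil.example",
    "/\\evil.example", "https:evil.example", "javascript:...", anything
    with control characters or surrounding whitespace, and parse errors.
    """
    if not isinstance(target, str) or not target:
        return default
    # Control characters / stray whitespace: browsers may strip them and
    # parse a different URL than the one the server validated.
    if target != target.strip() or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return default
    # Browsers treat "\" like "/" in URLs, so normalise before parsing;
    # otherwise "/\evil.example" looks like a harmless relative path.
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return default
    if not parts.scheme and not parts.netloc:
        # Site-relative path: exactly one leading slash (not "//host").
        if normalised.startswith("/") and not normalised.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return default
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return normalised
    return default


if __name__ == "__main__":
    # Constructed sample inputs of the kind an open-redirect check must handle.
    for candidate in ["/account?x=1", "//evil.example/", "/\\evil.example",
                      "https:evil.example", "javascript:alert(1)",
                      "https://app.example/x", "https://app.example@evil.example/"]:
        print(repr(candidate), "->", safe_redirect_target(candidate, {"app.example"}))
```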
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: