CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-7pq2-fhx9-x464: Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login

lowCVSS 5.4CVE-2026-48589
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
low — CVSS 5.4
Published
2026-05-26
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-7pq2-fhx9-x464

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-48589coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories