CVE-2026-48589
MEDIUM WAF: Medium
CVSS 5.4
Published: 2026-05-25
CWE-601
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
WAF Coverage Analysis
Open Redirect
Medium WAF Coverage
OWASP: A01:2021 Broken Access Control
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| apache | shiro | 2.0.0 - 2.2.1 |
| apache | shiro | 3.0.0 |
References
- shiro.apache.org (Vendor Advisory)
- www.openwall.com (Mailing List, Third Party Advisory)