Vulnerability DatabaseCVE-2026-48589
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-48589
Published:May 25, 2026
Updated:June 11, 2026
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Affected Packages
org.apache.shiro:shiro-jakarta-ee (JAVA):
Affected version(s) >=2.0.0 <2.2.1
Fix Suggestion:
Update to version 2.2.1
org.apache.shiro:shiro-jakarta-ee (JAVA):
Affected version(s) =3.0.0-alpha-1 <3.0.0-alpha-2
Fix Suggestion:
Update to version 3.0.0-alpha-2
Related Resources (2)
https://shiro.apache.org/security-reports.html#cve_2026_48589
http://www.openwall.com/lists/oss-security/2026/05/25/9
Do you need more information?
Contact Us
Weakness Type (CWE)
URL Redirection to Untrusted Site ('Open Redirect')
CWE-601
EPSS
Base Score:
0.09