Vulnerability Details CVE-2026-48589
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 25.0%
CVSS Severity
CVSS v3 Score 5.4
References
Products affected by CVE-2026-48589
-
cpe:2.3:a:apache:shiro:2.0.0
-
cpe:2.3:a:apache:shiro:2.0.1
-
cpe:2.3:a:apache:shiro:2.0.2
-
cpe:2.3:a:apache:shiro:2.0.3
-
cpe:2.3:a:apache:shiro:2.0.4
-
cpe:2.3:a:apache:shiro:2.0.5
-
cpe:2.3:a:apache:shiro:2.0.6
-
cpe:2.3:a:apache:shiro:2.0.7
-
cpe:2.3:a:apache:shiro:2.1.0
-
cpe:2.3:a:apache:shiro:3.0.0