GrepRules
Sign inPublish rule
Explore/cve-2026-44889-urljoin-missing-protocol-relative-check

CVE-2026-44889: Urljoin Missing Protocol Relative Check

The application calls `urljoin` and returns the result without validating if the target URL starts with `//`. `urljoin` interprets protocol-relative URLs as absolute network locations, which can lead to Open Redirect vulnerabilities if the output is used in a Location header. Ensure inputs are validated (e.g., using `startswith('//')`) or explicitly constrai

Provally CuratedPublic repositoryMediumMedium confidenceVerifiedApache-2.0Python
greprules fetch cve-2026-44889-urljoin-missing-protocol-relative-check --engine opengrep

Description

The application calls `urljoin` and returns the result without validating if the target URL starts with `//`. `urljoin` interprets protocol-relative URLs as absolute network locations, which can lead to Open Redirect vulnerabilities if the output is used in a Location header. Ensure inputs are validated (e.g., using `startswith('//')`) or explicitly constrai

License
Apache-2.0
Source context
Public repository
Source
Provally CVE rule catalog
Validation status
Verified
Quality signals
145 downloads0 direct145 via packs
· 0 stars · Quality score 70How quality works
Included packs
2 packs