CVE-2026-47347: Weak Url Blocklist Strpbrk
Provally Curated · Public repository · Medium · Medium confidence · Verified · Apache-2.0 · PHP · β
greprules fetch cve-2026-47347-weak-url-blocklist-strpbrk --engine opengrep

Description
A weak blocklist (checking only for newlines and null bytes using `strpbrk`) is used to sanitize URLs. This may allow attackers to supply unexpected URI characters (such as backslashes) to bypass downstream domain checks or relative-path validations, potentially causing open redirects. Implement a strict allowlist of valid URI characters instead.
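The contrast the description draws, as an added example that is not code from the affected project or from the rule itself: a `strpbrk` blocklist beside an allowlist of RFC 3986 URI characters, run over constructed inputs. The function names, the `looks_relative` downstream check and the sample URLs are assumptions made for illustration; the backslash matters because browsers that follow the WHATWG URL Standard treat `\` like `/` in http(s) URLs.

```php
<?php
// Added illustration. All names and sample inputs below are constructed.

// Weak pattern: reject only CR, LF and NUL; every other byte is accepted.
function is_safe_url_blocklist(string $url): bool
{
    return strpbrk($url, "\r\n\0") === false;
}

// Allowlist: only characters RFC 3986 permits in a URI (unreserved,
// gen-delims, sub-delims) plus well-formed percent-escapes. \A and \z
// anchor the whole string, so a trailing newline cannot slip through.
function is_safe_url_allowlist(string $url): bool
{
    return preg_match(
        '/\A(?:[A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=]|%[0-9A-Fa-f]{2})+\z/',
        $url
    ) === 1;
}

// Hypothetical downstream check of the kind the description mentions:
// a single leading slash that is not a protocol-relative "//".
function looks_relative(string $url): bool
{
    return $url !== '' && $url[0] === '/' && ($url[1] ?? '') !== '/';
}

$samples = [
    '/account/settings',        // ordinary relative path
    '/\\example.test/landing',  // backslash directly after the leading slash
    "/home\r\nX-Test: 1",       // contains CR/LF
    '/search?q=%zz',            // malformed percent-escape
];

foreach ($samples as $url) {
    printf(
        "%-30s blocklist=%-5s allowlist=%-5s looks_relative=%s\n",
        json_encode($url),
        var_export(is_safe_url_blocklist($url), true),
        var_export(is_safe_url_allowlist($url), true),
        var_export(looks_relative($url), true)
    );
}
```

The allowlist only constrains the character set; a redirect target that passes it should still be parsed and its host compared against the expected domain.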