QwikSec

Security Database

CVE

CWE

Training

CVE-2025-67713

Published: Dec 11, 2025

Modified: Dec 11, 2025

PUBLISHED

Description

Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.

Vendor	Product	Versions
miniflux	v2	affected `< 2.2.15`

Weaknesses (CWE)

References

https://github.com/miniflux/v2/security/advisories/GHSA-wqv2-4wpg-8hc9

x_refsource_CONFIRM

https://github.com/miniflux/v2/commit/76df99f3a3db234cf6b312be5e771485213d03c7

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.