SecuriTricks - CVE-2025-67502

Description

Taguette is an open source qualitative research tool. In versions 1.5.1 and below, attackers can craft malicious URLs that redirect users to arbitrary external websites after authentication. The application accepts a user-controlled next parameter and uses it directly in HTTP redirects without any validation. This can be exploited for phishing attacks where victims believe they are interacting with a trusted Taguette instance but are redirected to a malicious site designed to steal credentials or deliver malware. This issue is fixed in version 1.5.2.

Product(s) Impacted

Vendor	Product	Versions
Taguette	Taguette	1.5.1, <1.5.2, 1.5.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	taguette	taguette	1.5.1	/	/	/	/	/	/	/
a	taguette	taguette	<1.5.2	/	/	/	/	/	/	/
a	taguette	taguette	1.5.2	/	/	/	/	/	/	/

References

https://github.com/remram44/taguette/commit/67de2d2612e7e2572c61cd9627f89c2bfd0f2a36

https://github.com/remram44/taguette/security/advisories/GHSA-5923-r76v-mprm

CVSS Score

5.4 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

View Vector String

Timeline

Published: Dec. 10, 2025, 12:16 a.m.
Last Modified: Dec. 10, 2025, 12:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-67502