CVE-2026-3049 identifies an open redirect vulnerability in the horilla-opensource horilla project, affecting versions 1.0.0 through 1.0.2. The vulnerability exists in the 'get' function within the file horilla_generics/global_search.py, specifically in the handling of the 'prev_url' query parameter. Improper validation or sanitization of this parameter allows attackers to craft URLs that redirect users to arbitrary external sites. Such open redirects can be exploited in phishing campaigns, where users believe they are navigating within a trusted domain but are instead redirected to malicious sites. The vulnerability is remotely exploitable without requiring authentication, though it necessitates user interaction (clicking a crafted link). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P) reflects network attack vector, low attack complexity, no privileges or user interaction required for exploitation, and partial impact on integrity. The vendor has released version 1.0.3 which includes a patch (commit 730b5a44ff060916780c44a4bdbc8ced70a2cd27) that properly validates or restricts the 'prev_url' parameter to prevent open redirects. While no known exploits in the wild have been reported yet, the public availability of exploit code increases the likelihood of active exploitation attempts.

The primary impact of this vulnerability is the potential facilitation of phishing and social engineering attacks. Attackers can leverage the open redirect to craft URLs that appear to originate from a trusted horilla-based application, increasing the likelihood that users will trust and click malicious links. This can lead to credential theft, malware delivery, or redirection to fraudulent websites. Although the vulnerability does not directly compromise system confidentiality, integrity, or availability, it undermines user trust and can serve as a stepping stone for more sophisticated attacks. Organizations relying on horilla in customer-facing or internal applications risk reputational damage and potential user data compromise if attackers exploit this flaw. The medium CVSS score reflects the moderate risk, given the ease of exploitation and the potential for indirect harm through phishing.

Organizations should immediately upgrade horilla to version 1.0.3 or later, which contains the official patch addressing the open redirect vulnerability. In addition to upgrading, developers should audit any usage of URL redirection parameters within their applications to ensure proper validation, such as allowing only internal URLs or using a whitelist approach. Implementing Content Security Policy (CSP) headers can help mitigate the impact of malicious redirects by restricting the domains to which users can be redirected. Security teams should monitor for suspicious URLs referencing horilla domains in phishing campaigns and educate users about the risks of clicking unexpected links, even if they appear to come from trusted sources. Logging and alerting on unusual redirect patterns can also help detect exploitation attempts. Finally, consider deploying web application firewalls (WAFs) with rules to detect and block open redirect attempts targeting horilla endpoints.