CWE-698: Execution After Redirect (EAR)
low-risk
The web application sends a redirect to another location, but instead of exiting, it executes additional code.
Abstraction: Base
Common Consequences
Other → Alter Execution Logic
Detection Methods
Black Box
This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.
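The check below is an added example, not part of the CWE entry: it calls a handler directly, does not follow the redirect, and flags any 3xx response that still carries a body. The two WSGI handlers, the `/admin` and `/login` paths, and the `PROTECTED` content are constructed for illustration.

```python
from wsgiref.util import setup_testing_defaults

PROTECTED = b"admin panel: user list"  # constructed sample content


def vulnerable_app(environ, start_response):
    """Hypothetical handler with CWE-698: redirects, then keeps executing."""
    status, headers = "200 OK", [("Content-Type", "text/plain")]
    if "HTTP_COOKIE" not in environ:
        status, headers = "302 Found", [("Location", "/login")]
        # Defect: no return here, so the protected page is still rendered.
    start_response(status, headers)
    return [PROTECTED]


def fixed_app(environ, start_response):
    """Same handler, but it exits immediately after issuing the redirect."""
    if "HTTP_COOKIE" not in environ:
        start_response("302 Found", [("Location", "/login")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [PROTECTED]


def probe(app, path="/admin", cookie=None):
    """Invoke the app once and return (status, Location, body) unfollowed."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"].get("Location"), body


def leaks_after_redirect(app, path="/admin"):
    """True when an unauthenticated request gets a 3xx with a non-empty body."""
    status, _, body = probe(app, path)
    return 300 <= status < 400 and len(body.strip()) > 0
```

Some frameworks put a short "redirecting" stub in 3xx bodies, so a non-empty body is a prompt to inspect the response, not proof of a leak on its own.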
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2024-48766 | 8.6 | 77.7% | — |
| CVE-2026-2699 | 9.8 | 9.9% | — |
| CVE-2024-2569 | 7.3 | 0.2% | — |
| CVE-2024-3376 | 7.3 | 0.2% | — |
| CVE-2024-2570 | 7.3 | 0.1% | — |
| CVE-2024-2571 | 7.3 | 0.1% | — |
| CVE-2024-2573 | 7.3 | 0.1% | — |
| CVE-2024-2572 | 7.3 | 0.1% | — |
| CVE-2025-8350 | 9.8 | 0.1% | — |
| CVE-2025-53077 | 6.5 | 0.1% | — |
2 / 100 low-risk
Active Threat: 2/50 · Minimal
Exploit Availability: 0/50 · Minimal