Vulnerability Database

319,592

Total vulnerabilities in the database

CVE-2025-60868

The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Case variations, encoded keys, and duplicates are not removed, allowing attackers to bypass sanitization. This may lead to cache poisoning, parameter pollution, or denial of service.

Published: Oct 10, 2025
Updated: Jan 26, 2026
CVE: CVE-2025-60868
GHSA: GHSA-rpjr-pcmr-9ppw
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-290

Affected Software
References

Software	From	Fixed in
alt-design / alt-redirect	-	1.6.4

https://gist.github.com/kasiasok/870933de18d1400fa8be88e1bcadec6c
https://github.com/alt-design/Alt-Redirect-Addon/commit/5dc6753c7151ac994c63e18914998991b1f65cbd
https://github.com/alt-design/Alt-Redirect-Addon/releases/tag/v1.6.4
https://statamic.com/addons/alt-design/alt-redirects/release-notes

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo